Risk Management and ISO 31000: A pocket guide
About this ebook
Risk management is a primary concern for any organisation. Its significance has only increased since the start of the COVID-19 pandemic. Organisations need to prepare for all types of threats, both probable (a server breaking down) and improbable (the office being flooded), to ensure that their operations can survive and adapt to continue with BAU (business as usual) in the face of a disaster.
Yet risk management isn’t solely about preventing negative outcomes; it is also about an organisation taking a known risk to uncover new opportunities to improve itself. For example, the transition of employees to remote working could put an organisation’s security at risk, as an employee could connect their laptop to an unsecured Wi-Fi network. However, as demonstrated in the pandemic, remote working helped protect employees because the risk of infecting one another with COVID-19 was reduced.
Read this pocket guide to understand how:
- Risk-based management can prepare your organisation for future threats and therefore help the success of a BCP (business continuity plan);
- To identify whether the opportunities gained from a ‘risky’ decision can outweigh the perceived threat;
- The principles of ISO 31000 can help your organisation develop a framework for its approach to risk management;
- The guidelines of ISO 31000 can be interwoven with controls in other standards such as ISO 27001 and ISO 9001; and
- The organisation must continually review its approach to risk management to stay prepared for the latest threats.
Alan Field
Alan Field, LL.B (Hons), PgC, MCQI CQP, MIIRSM, AIEMA, GIFireE, GradIOSH is a Chartered Quality Professional, an IRCA Registered Lead Auditor and a Member of The Society of Authors. Alan has particular expertise in auditing and third-party assessment of Anti-bribery Management Systems (ABMS) to BS 10500 and of counter-fraud systems in the public sector to ISO 9001 requirements. Alan has many years’ experience with Quality and Integrated Management Systems in the legal, financial, property services and project management sectors in auditing, assessment and gap analysis roles.
Risk Management and ISO 31000 - Alan Field
INTRODUCTION
This pocket guide isn’t written for experts on risk management or, necessarily, experts on management systems. However, it does assume the importance of risk management to all organisations – big and small – and recognises that not having a formal process to identify, assess and control risk can lead to many issues, including difficulties in implementing management systems based on ISO standards. The ISO 9000 family of standards is process based, and this pocket guide will focus on how this broad approach works in a wider arena than a process focus would normally involve.
The absence of a risk-based approach to management might also lead to opportunities being missed or simply not being exploited to their full potential. Risk management is not just about managing negative or catastrophic events; decisions on competing research and development possibilities are one example of a positive risk. A risk-based approach to management may reduce unnecessary expense or divert resources to better controls. For example, ISO 27002 provides ‘attributes’ for controls (identifying control type, operational capabilities, security domains, cybersecurity concepts and information security properties), helping the risk assessor to make more informed decisions about which controls might best respond to a given risk.
To achieve all this effectively, we may require a management system that understands risks and opportunities in a strategic way, in terms of leadership priorities. It might be tempting to look at these requirements as something tactical or operational, but the leadership’s attitude towards risk and its priorities for dealing with risks will always impact an organisation’s attributes.
This pocket guide is intended to be of interest to those whose experience of risk or management systems has always been very sector based. A life spent looking at financial or governance risk could be surprisingly helpful in understanding how different policies and approaches to risk can be developed.
Annex SL is the structure implemented by ISO standards such as ISO 9001 and ISO 27001. Its purpose is to be a platform for these and other ISO risk-based management system requirements, so that an organisation of any size can create better systems across multiple standards by having a common format of clauses and goals. Even if you never intend to implement something like ISO 27001, reading Annex SL is like reading the UK’s HSG65 for health and safety management systems; it contains much food for thought.
This pocket guide will often use the terms ‘strategic’ and ‘tactical’, and this will mean different things to different organisations. Annex SL assumes that top management and the wider leadership team take a key part in risk policy and decision making, and this is always useful to be aware of when considering the points made in this pocket guide.
The main focus of this pocket guide will be looking at ISO’s Annex SL (sometimes referred to as Annex L) and how it requires a risk-based approach to management to be adopted by other international standards in the ISO 9000 family, e.g. ISO 9001:2015 and ISO 27001:2022. Although risk is referred to regularly in these standards, there isn’t much of a practical definition of what risks and opportunities actually mean in practice to an individual organisation; as we will see, one advantage of ISO 31000 is that it can inspire the creation of an infrastructure to achieve a risk universe.
This pocket guide will also discuss how risk can be defined within a management system, i.e. what isn’t written in international standards about defining risk and the implications of a risk-based approach to management.
This approach means our focus will be on risk management