
RISK MANAGEMENT ACC. TO ISO 27001 / ISO 27005


Magdalena Moser, photo provided by Fabasoft

“The following process has helped to successfully create risk analysis: recording risks in writing, discussing them and making a choice before defining actions; this will help to create a lean system.”

Mag. Karen Daghofer, Quality / IS Manager Fabasoft

Case Study: ISO 27001 in Midsized Companies


Risk analysis acc. to ISO 27001 brings hidden risks to light
Are there vulnerabilities in terms of data security, availability or legal compliance? Which security controls are effective and reasonable? Risk analyses acc. to ISO/IEC 27001 teach important lessons about the review of the security level, including residual risks, and make it possible to draw up efficient catalogues of controls. Risk management that helps to maintain business continuity is a central requirement in information security. It is also this approach that makes the Standard so scalable: ISO 27001 is suitable for small and medium-sized enterprises just as much as for company groups and corporations, because the initial risk analysis shows the company's specific security needs and thus enables companies to align their information security management systems to their specific requirements.


Knowing and assessing risks
The applicable version, ISO/IEC 27001:2013, relies on the purely risk-based risk management approach of ISO 31000 for enterprise risk management: the baseline security requirements are therefore defined efficiently as an all-encompassing common denominator. Building on this baseline, risk bearers with higher security requirements are then subjected to detailed risk analysis. This approach enables a high security level at reduced expenditure. Because ISO 31000 is taken as the basis, the way is paved for integrating information security risk management into enterprise risk management. As a result, the supplementary standard ISO/IEC 27005:2011 for information security risk management has lost its significance.


Reduction of the liability risk
The media report that lost or published customer data leads to claims for damages running into millions. A certified information security management system minimizes this liability risk, because in legal proceedings the outcome often depends on whether “due diligence” can be demonstrated. The independent review by a Certification Body makes it traceable for the judge that employees work according to established, state-of-the-art guidelines and directives. Continual certification acc. to ISO 27001 thus helps to minimize the liability risk for companies as well as for their leaders and managers.


Risks from the perspective of information security

  • hardware failure
    • a server failure blocks operation
  • software failure
    • a virus causes a system crash
    • hidden programming errors block processes
  • human failure
    • intentional or negligent manipulation
    • faulty handling due to ignorance
  • disasters
    • the computing centre is damaged
    • databases are destroyed

CIS - Certification & Information Security Services GmbH T +43 (0)1 532 98 90 office@cis-cert.com