Jelena Cice Are you a beginner in dealing with risk management, or do you have a bit of expertise? Either way, you may have many dilemmas. Do you want to integrate risk management concepts into your organization using standards for Quality and Information Security Management Systems, but have no idea where to start? For the junior associates, and very often for the experts in the management systems area, there are many different interpretations of risk management concepts, which can lead to confusion when it comes to implementation or optimization of the integrated management systems.
International standards like ISO 9001, ISO 27001, and ISO 31000 offer various perspectives on risk management concepts. Let’s explore them from different angles.
Basics of the standards
In order to explain the different approaches to risk management, based on my experience with implementation of various standards in different companies, I am going to start by introducing the main purpose of each standard:
- ISO 9001:2015 – requirements for Quality Management Systems (QMS)
- ISO 27001:2013 – requirements for Information Security Management Systems (ISMS)
- ISO 31000:2009 – principles and guidelines for Risk Management (RM)
Important to note is that ISO 9001 and ISO 27001 have identical content in their chapters, while ISO 31000 has a different structure of general recommendations.
To learn more about the integration of a QMS and an ISMS, read this article: How to integrate ISO 9001 and ISO 27001.
Side-by-side comparison – Overview matrix
The most valuable advice I can give you so that you can try to understand the requirements linked to the risk management concept is to use a side-by-side comparison of the main elements, as follows:
| Risk Management – Different concepts in the standards | ||
| ISO 9001:2015 | ISO 27001:2013 | ISO 31000:2009 |
| Risk and opportunities associated with context and objectives of the organization. | Assessment and treatment of information security risks tailored to the needs of the organization. | Principles and guidelines for managing any form of risk in a systematic, transparent, and credible manner and within any scope and context. Performing risk assessment that consists of risk identification, analysis, and evaluation. |
Risk concept in QMS and ISMS
The QMS and ISMS chapters related to Risk Management concepts are the same, as shown:
| Chapter | ISO 9001:2015 | ISO 27001:2013 |
| (4) Context of the organization | Address the risks and opportunities related to planning. More focus is given to “issues” than to “risk.” | Reference to “Establishing the context” as considered in ISO 31000. |
| (5) Leadership | Top management shall demonstrate leadership and commitment with respect to the QMS by promoting the use of risk-based thinking and with respect to customer focus by addressing the risks and opportunities that can affect conformity of products and services. | / |
| (6) Planning | Consider the issues and determine risks and opportunities in order to ensure that the QMS can achieve its intended results, enhance desirable effects, prevent or reduce undesired effects, and achieve improvements. | Same as the QMS, and additional requirements for risk assessment and treatment (these requirements are aligned with ISO 31000). |
| (7) Support | / | / |
| (8) Operation | / | Perform information security risk assessment at planned intervals or when significant changes are proposed and occur, plus implement the information security risk treatment plan. |
| (9) Performance evaluation | Results of analysis shall be used to evaluate the effectiveness of actions taken to address risks and opportunities.
Management review shall be planned and carried out, taking into consideration the effectiveness of actions taken to address risks and opportunities. |
Management review shall include consideration of results of risk assessment and status of risk treatment plan. |
| (10) Improvement | When a nonconformity occurs, including any arising from complaints, the organization shall update risks and opportunities determined during planning, if necessary. | / |
ISO 31000 principles
ISO 31000 has a little different (and, of course, more detailed) approach to risk management – here are the main principles:
- Risk Management creates and protects value, explicitly addresses uncertainty, takes human and cultural factors into account, and facilities continual improvement of the organization.
- Risk Management is an integral part of all organizational processes: part of decision making; systematic, structured, and timely; based on the best available information; tailored to internal and external context and risk profile; transparent and inclusive; and dynamic, iterative, and responsive to change.
While in ISO 9001 there is no requirement for formal methods for risk management, or a documented risk management process, ISO 27001 refers to ISO 31000 and ISO 27005 as standards that can be used as an aid in developing the risk management process.
Certain similarities in standards related to risk management
No matter the similarities and differences in risk management concepts in the different standards, one thing is for sure: risk is always defined as the “effect of uncertainty on objectives,” taking into account that uncertainty is the state of deficiency of information related to understanding or knowledge of an event, its consequences, or likelihood. Also, one common thing related to all standards is that objectives related to risk management can be applied at different levels in the organization, such as strategic, operational, project, product/services, or process.
Risks will always exist around us, and we can never eliminate unwanted situations except by completely terminating activities that can produce negative effects. In most cases, you must follow objectives driven by the organization`s top management, so the best you can do is use best practices presented in all three standards to try to prevent or minimize negative effects.
Use this free ISO 9001:2015 vs. ISO 27001:2013 matrix to see similarities and differences between the two standards.
