
    How to address opportunities in ISO 27001 risk management using ISO 31000

    Businesses are full of risks, and organizations should do their best to identify, evaluate, and treat all of them, or at least the most relevant ones. This is called risk management, and it can range from subconscious decisions to fully deliberate choices based on formal methodologies and data analysis.

    Oddly, when organizations think about risks, they generally focus only on what could go wrong, and take measures to prevent it or at least to minimize its effects. Yet a risk can also mean that something good may happen, and by not being ready to take advantage of the situation, you can miss out on the benefits.

    This article will present how to consider and handle positive risks, also known as opportunities, in the context of ISO 27001, the leading ISO management standard for information security. By including opportunities in an ISMS approach, organizations may increase the benefits of information security.

    How ISO 27001 defines and treats risks

    ISO 27001 (through the definitions in ISO/IEC 27000) defines risk as the “effect of uncertainty on objectives.” The “uncertainty” is the reason we cannot completely control all risks: you cannot defend against what you do not know or understand.

    Regarding how ISO 27001 treats risks, the standard itself does not prescribe the options, only that they must be properly selected considering the results of the risk assessment (clause 6.1.3). For detailed information about risk assessment and treatment, please read ISO 27001 risk assessment & treatment – 6 basic steps.

    The supporting standard ISO 27005, which defines a process for information security risk management, suggests four options: risk modification, risk retention, risk avoidance, and risk sharing. Detailed information about these risk treatment options can be found in this article: 4 mitigation options in risk treatment according to ISO 27001. In short, all four options deal with scenarios in which something may go wrong: they either decrease the likelihood of the risk materializing, minimize its effects, move part of the consequences to a third party, or consciously accept them.

    Although this thought may have been appropriate in the early days of application of the standard, organizations today can no longer simply think in terms of what can go wrong in relation to their information security.

    Opportunity treatment options for information security

    ISO’s most comprehensive standard on risk management, ISO 31000 – Risk management – Guidelines, lists among its treatment options not only ways to handle negative risks, but also taking or increasing the risk in order to pursue an opportunity. ISO 31000 does not break this option down further; the two approaches below use names borrowed from general (project) risk management practice:

    • Risk enhancing – This means taking measures to increase the likelihood of the opportunity occurring, or the size of its benefit. It can be seen as the counterpart of the risk modification (mitigation) option for negative risks. For example, to take the opportunity to increase productivity, an organization decides to implement remote access by using existing resources and personnel to build and run the service.
    • Risk exploiting – This means taking every possible action to ensure the opportunity will happen. It differs from risk enhancing in that it involves more effort and resources, to effectively guarantee the outcome. It can be seen as the counterpart of the risk avoidance option for negative risks. Continuing the previous example, the organization may decide to hire a consultant and buy dedicated resources to implement the remote access.

    Additionally, risk sharing and risk acceptance may also be used in the context of handling opportunities.

    Sharing opportunities. When an organization realizes that, by itself, it cannot harness the benefits of an opportunity, it may share the risk by seeking a partner to split costs and efforts, so that both can benefit from an opportunity that neither could take advantage of alone. This differs from sharing negative risks, where the organization only transfers (part of) the cost of a negative impact to a third party. A joint venture between a system development company and a project management services provider is a good example of sharing an opportunity.

    Do nothing. The organization may also consciously decide to do nothing about the opportunity (if it occurs, all the better, but considering the effort it would take to make it happen, it is not worth pursuing). This is the counterpart of accepting (retaining) a negative risk.

    When is it acceptable to increase risks?

    The answer may seem obvious, and in fact it is: when the rewards are greater than the potential losses, and you can live with the losses if they occur.

    In the remote access example, you have to consider not only the potential losses related to a failure in implementing the service (e.g., wasted team time and effort, or the lost investment in hiring a consultant), but also the potential losses from new risks introduced by the remote access itself (e.g., loss of confidentiality through compromised remote sessions). These new risks are negative risks like any other and must go through the normal ISO 27001 risk assessment and treatment process.

    If the organization could accept these potential losses, were they to occur, and they are smaller than the potential gains from increased productivity, why not take the risk?

    Note, however, that not all opportunities require increasing risk. Some can be harnessed through strengths the organization already has (e.g., a software development organization deploying a new technology in its products).

    Don’t only hope for the best; be prepared for it

    “Hope for the best and prepare for the worst” is a common motto for risk planning, but in a time when organizations demand the best use of resources, and every opportunity is crucial, simply hoping for the best does not work anymore.

    By adopting the opportunity treatment approaches from ISO 31000 and introducing them into the ISO 27001 risk management process, organizations may uncover and take advantage of a new set of opportunities that can not only improve internal operations, but also increase profits and market visibility.

    To learn more about risk assessment, register for this free webinar: The basics of risk assessment and treatment according to ISO 27001.

    Rhand Leal
    Rhand Leal has 10 years of experience in information security, and for 6 years he has continuously maintained a certified Information Security Management System based on ISO 27001. Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are: ISO 27001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.