QualityMentors Blog

This blog is a membership-based discussion forum on Project Management, Software Quality, CMMI® for Development, ISMS and associated subjects. It provides a common platform for our training participants and others to share views and obtain expert opinion on issues related to the above subjects. It is also used by QualityMentors training participants to upload their personal details in a secure manner, in line with the guidelines laid down in ISO/IEC 17024:2003. This blog draws its strength from its members, who are welcome to share professional and personal experiences, comments, articles and reference links to make it a preferred knowledge repository for their collective use. It encourages fact-based decision making as a success enabler for projects in member organizations.

Monthly Archives: January 2017

Risk Management Guidelines


Alex Dali from The Global Institute for Risk Management Standards posted this question on the LinkedIn group ISO 27001:

"ISO 27001:2013 aligns its risk assessment & treatment with ISO 31000 (see clause 6.1.3) but ISO 27002:2013, clause 0.2 says such guidelines are provided by ISO 27005. Which one should be followed?"

Here is my response:

The answer to this question lies in the titles of the two standards referred to by you. ISO 31000 is "Risk Management - Principles and Guidelines" while ISO 27005 is "IT - Security Techniques - Information Security Risk Management". So which one is more appropriate for implementing information security? Obviously, ISO 27005.

Alex, please let me know if you have different views. Thanks!


Risk based auditing


My friend AKM Desai (desaiakm@hotmail.com) wants me to comment on this topic.

ISO 9000:2005 defines the term risk as ‘effect of uncertainty’, i.e. any potential deviation from expected results which may be positive or negative…

ISO 19011:2011 introduced the concept of risk in auditing. It covers both the risk of the audit process not achieving its objectives and the risk of the audit interfering with the auditee's activities and processes. However, it does not provide specific guidance on the organization's risk management process.

Specific requirements for effective risk management are provided in Annex SL standards such as ISO 9001:2015 (QMS Requirements), ISO 27001:2013 (ISMS Requirements) and ISO 27002:2013 (implementation guidance for ISMS). Internal and external audits conforming to the ISO 19011:2011 guidelines and to clause 9.2 of requirements standards such as ISO 9001:2015 and ISO 27001:2013 can be defined as 'risk based auditing'. Such internal and external audits should be conducted in a seamless manner to achieve the stated audit objectives, without interfering with organisational operations to the extent possible, and with full conformance to the requirements in clauses 4, 6 and 8 of the above requirements standards.
