ISO/IEC 27005:2011 – Information technology – Security techniques – Information security risk management.
Sharing can be done by insurance that will support the consequences, or by sub-contracting a partner whose role will be to monitor the information system and take immediate actions to stop an attack before it makes a defined level of damage.
It should be noted that it may be possible to share the responsibility to manage risk but it is not normally possible to share the liability of an impact. Customers will usually attribute an adverse impact as being the fault of the organization.
10 Information security risk acceptance
Input: Risk treatment plan and residual risk assessment subject to the acceptance decision of the organization’s managers.
Action: The decision to accept the risks and responsibilities for the decision should be made and formally recorded (this relates to ISO/IEC 27001:2005 paragraph 4.2.1 h)).
Implementation guidance:
Risk treatment plans should describe how assessed risks are to be treated to meet risk acceptance criteria (see Clause 7.2 Risk acceptance criteria). It is important for responsible managers to review and approve proposed risk treatment plans and resulting residual risks, and record any conditions associated with such approval.
Risk acceptance criteria can be more complex than just determining whether or not a residual risk falls above or below a single threshold.
In some cases the level of residual risk may not meet risk acceptance criteria because the criteria being applied do not take into account prevailing circumstances. For example, it might be argued that it is necessary to accept risks because the benefits accompanying the risks are very attractive, or because the cost of risk modification is too high. Such circumstances indicate that risk acceptance criteria are inadequate and should be revised if possible. However, it is not always possible to revise the risk acceptance criteria in a timely manner. In such cases, decision makers may have to accept risks that do not meet normal acceptance criteria. If this is necessary, the decision maker should explicitly comment on the risks and include a justification for the decision to override normal risk acceptance criteria.
Output: A list of accepted risks with justification for those that do not meet the organization’s normal risk acceptance criteria.
11 Information security risk communication and consultation
Input: All risk information obtained from the risk management activities (see Figure 2).
Action: Information about risk should be exchanged and/or shared between the decision-maker and other stakeholders.
Implementation guidance:
Risk communication is an activity to achieve agreement on how to manage risks by exchanging and/or sharing information about risk between the decision-makers and other stakeholders. The information includes, but is not limited to, the existence, nature, form, likelihood, severity, treatment, and acceptability of risks.
Effective communication among stakeholders is important since this may have a significant impact on decisions that need to be made. Communication will ensure that those responsible for implementing risk management, and those with a vested interest, understand the basis on which decisions are made and why particular actions are required. Communication is bi-directional.
Perceptions of risk can vary due to differences in assumptions, concepts and the needs, issues and concerns of stakeholders as they relate to risk or the issues under discussion. Stakeholders are likely to make judgments on the acceptability of risk based on their perception of risk. This is especially important to ensure that the stakeholders’ perceptions of risk, as well as their perceptions of benefits, can be identified and documented and the underlying reasons clearly understood and addressed.
Risk communication should be carried out in order to achieve the following:
• To provide assurance of the outcome of the organization’s risk management
• To collect risk information
• To share the results from the risk assessment and present the risk treatment plan
• To avoid or reduce both occurrence and consequence of information security breaches due to the lack of mutual understanding among decision makers and stakeholders
• To support decision-making
• To obtain new information security knowledge
• To co-ordinate with other parties and plan responses to reduce consequences of any incident
• To give decision makers and stakeholders a sense of responsibility about risks
• To improve awareness
An organization should develop risk communication plans for normal operations as well as for emergency situations. Therefore, risk communication activity should be performed continually.