Actions to Address Risks and Opportunities Part 1

Time
7 hours 52 minutes
Difficulty
Intermediate
CEU/CPE
8
Video Transcription
00:01
Lesson 4.9
00:03
Actions to address risks and opportunities
00:07
This lesson pertains to Clause 6 of the ISO 27001 standard.
00:13
Due to the length of this section, we will be splitting this up into three mini lessons.
00:20
Lesson 4.9.1
00:22
Actions to address risks and opportunities,
00:25
specific to Clause 6.1.1, General.
00:34
In this lesson, we will cover the understanding of the two types of risks focused on by the ISO 27001 standard.
00:51
With this lesson, we're getting back into the specifics of the ISO standard.
00:55
Clause 6.1 pertains to actions to address risks and opportunities,
01:00
and this clause is broken down into three main sections.
01:03
Namely Clause 6.1.1, General,
01:07
Clause 6.1.2, Information Security Risk Assessment,
01:11
and Information Security Risk Treatment in Clause 6.1.3.
01:18
In the previous sections we went into ISO 27005,
01:23
which is the guidance document that gives a lot more detail around how to manage information security risk.
01:30
Clause 6 and risk management as a whole
01:32
are extremely important processes in your ISMS,
01:36
and when you go through your certification audits, a lot of time will be spent on this area to ensure that you, as the person heading up the ISMS project,
01:45
as well as the key organizational stakeholders as a whole,
01:49
understand the risk management concepts and processes for your ISMS.
01:55
So there are two types of risks to be considered as part of the risk management process.
02:01
Firstly,
02:04
you will have your information security risks,
02:06
which directly relate to the loss of confidentiality, integrity or availability of information within your ISMS scope.
02:15
The second type of risk,
02:17
which is other risks which could affect the outcomes and success of the ISMS.
02:23
For example,
02:24
a risk to your ISMS success
02:28
could be top management commitment
02:30
not being present or sufficient.
02:36
When you go through your pre-certification and certification audits, the auditor will want to see if you have thought about risks that could impact the success of your ISMS.
02:46
Implementing an ISMS and successfully maintaining one is no easy measure.
02:53
Even when everything is perfectly aligned, and because of the nature of what we do, there will always be some type of risk or obstacle which may hinder your process.
03:02
Having these documented as early as possible in the process is really important.
03:07
You can really start thinking about these risks when you go through your organizational context back in Clause 4,
03:14
and the needs and expectations of your interested parties.
03:16
A lot of the risks to the ISMS are often contained in that information.
03:23
It is up to you whether you want to handle the two categories of risk in the same way or keep them separate.
03:30
The key thing is that risks must be documented and evident to show the auditors.
03:36
Although we are talking about this as a stand-alone concept, this is something that will be repeated throughout your ISMS,
03:42
as the goal is always to continually improve by addressing the identified risks and opportunities.
03:49
While Clause 6.1.1, General, doesn't require specific mandatory documentation,
03:54
ensure that the concepts discussed here are documented somewhere,
03:59
either as part of your overall risk assessment
04:01
or separately in, for example,
04:03
your ISMS manual.
04:09
Let's go through this information quickly.
04:13
The General clause states that information security risks must be handled according to your risk management process,
04:19
and satisfy the steps discussed in previous sections,
04:24
meaning your risks must be identified, the likelihood and impact determined,
04:29
and the risk level evaluated.
04:32
All other risks that could affect the ISMS must be documented,
04:39
along with how these risks will be managed and mitigated throughout the ISMS life cycle.
04:48
Opportunities that are identified should also be documented.
04:54
These can be ways in which the ISMS can be made better or more effective.
05:03
To summarize,
05:04
in this lesson we covered the General section of Clause 6.1,
05:11
and we also looked at the two main types of risks as defined by ISO 27001.
05:17
Firstly,
05:18
ISO looks at your general information security risks, specifically pertaining to the information falling within the scope of your ISMS,
05:29
as well as the risks and opportunities
05:31
to the success of your ISMS.