Organizations around the globe that follow or certify to ISO standards are already well-equipped to evaluate and mitigate risks within their organizations. But how can security professionals go about identifying those risks? And how can organizations and professionals in charge of asset protection and liabilities across an enterprise ensure success when implementing risk-based ISO standards?
Using enterprise security risk management (ESRM) as a starting point can be helpful both for enterprise security leaders and for organizations as a whole. ESRM can serve as an umbrella under which an organization pinpoints the specific risks a given ISO standard requires it to address, and then works through the detailed requirements of that standard, whether ISO 27001 for information security management, ISO 27701 for privacy information management, or any other ISO standard.
Implementing an ESRM methodology is a particularly effective way for security professionals to improve the odds of success when an organization is implementing risk-based ISO standards, says Lisa DuBrock, CPP, managing partner at Radian Compliance. During a presentation at this year's GSX+ virtual event, DuBrock and Lynette Rowe, business unit manager at National Quality Assurance, examined how ESRM can support organizations at whatever phase of their risk-based ISO standard journey they happen to be.
Rowe identified four ways in which ISO certification supports the principles of ESRM during the presentation:
- Using an ESRM methodology supports the systematic approach to risk-based thinking. It ensures that the risk of each process and each activity is considered when establishing, implementing and maintaining a management system.
- Risk requirements are stated explicitly in ISO standards, and an ESRM methodology can help leaders identify the risks those requirements refer to.
- Risk-based thinking such as ESRM ensures that risk is considered from the beginning and throughout: during the assessment and analysis process as well as during monitoring and evaluation.
- ESRM makes preventive action part of strategic and operational planning.
ISO 27001 and ISO 27701 each address a specific category of risk to an organization, information security and privacy management respectively. ESRM can help an organization work out those details and pinpoint the risks specific to each standard. In other words, an ESRM methodology can improve the success of an organization's risk mitigation by ensuring that the risks unique to that organization are properly assessed, communicated and followed through on.
Taking a strategic approach to risk allows an organization to identify risk and then act on it, increasing resiliency, ensuring business continuity and mitigating new risks as they emerge.
And perhaps that is one of the most important lessons DuBrock and Rowe addressed during their webinar: ESRM and ISO standards are not finite end goals for an organization. Both are, at their core, about continual improvement, which is perhaps why they complement one another so well.
“ISO gives you a baseline to determine how to mitigate your risks. It’s not all-encompassing. You can take the baseline of ISO, use it, make sure you have it in place and know that you can always expand it,” DuBrock says. “ISO is never about perfection; it’s always about continual improvement and that’s what ESRM is about as well.”