Risk Management
ISO 27001 is a globally recognized standard of practice for an Information Security Management System (ISMS). When an organization achieves ISO 27001 certification, it demonstrates that its ISMS meets the standard's requirements for implementation, maintenance, and continual improvement.
I think that the ISO 27001 standard would work well in my organization by protecting data and reducing information security risks. Several ISO 27001 requirements complement those of GDPR compliance and give stronger assurance over important information overall. Poor information security can be costly, whether the information at stake belongs to the organization or to its customers (Al-Ahmad & Mohammad, 2013, p. 30). Implementing ISO 27001 in my organization demonstrates that it takes information security seriously.
It also shows the local authorities that the organization has identified the risks that could arise and the measures available to address them. ISO 27001 is a recognized standard used in my organization across physical security, computer security, cybersecurity, and other privacy practices. Adopting ISO 27001 means the organization adopts a model for establishing, implementing, operating, managing, and revising its ISMS.
Effectiveness of ISO 27001
Implementing an ISMS in accordance with ISO 27001 has several effects that reduce the likelihood of breaches in the organization (Al-Ahmad & Mohammad, 2013, p. 30). It also enables the organization to deal with risks quickly while demonstrating the controls it has in place, which in turn reduces the potential impact of security risks. ISO 27001 will help the organization win new customers while retaining existing business. Because this best practice is recognized internationally, customers feel safe and secure knowing that their information and valuable assets are being protected.
ISO 27001 also saves the organization money and time. Customers increasingly seek assurance about how their information is secured and how data-protection capabilities are managed. In many organizations, the sales department reports that the volume of security information requested during the sales process keeps growing, which adds an unnecessary cost of sale. Holding ISO 27001 certification reduces the amount of detail that must be supplied.
ISO 27001 builds and boosts trust in the organization (Al-Ahmad & Mohammad, 2013, p. 30). It is damaging for an organization to have to announce that its systems were compromised and that customer data was exploited and exposed. Managing information security under ISO 27001 enables my organization to identify and prevent this kind of breach. Trust in an organization is strengthened further when its ISMS is independently audited.
ISO 27001 operates as part of a management system built around the organization's approach to risk. Its purpose is to establish, implement, operate, monitor, and improve information security. It also lets the organization benchmark itself against its competitors in the market with respect to IT security.
General Data Protection Regulation (GDPR)
Another framework used in information security is the GDPR. It focuses on the protection and privacy of personal data (Lopes et al., 2019, p. 4). An organization subject to GDPR is expected to put extra effort into obtaining consent before collecting data, which ensures that the data provided is processed lawfully. GDPR is used globally to certify that organizations follow a strategic vision for maintaining the privacy of their data. It covers data privacy issues associated with consent, the right to object, data portability, the right to be forgotten, restriction of processing, and international transfers of personal data. However, GDPR focuses mainly on principles and lacks technical detail on how to keep data security at an appropriate level while mitigating internal and external threats.
Organizations should view the implementation of GDPR as a strategy for achieving business goals (Lopes et al., 2019, p. 4). It also acts as a constraint on the organization's operating environment. It can be considered a tool for generating advantage based on trust between partners, clients, employees, and the organization. In addition, GDPR encourages certification against standards such as ISO 27001 to ensure that an organization's data security is actively managed according to international practice.
An organization that has implemented ISO 27001 is well placed to demonstrate compliance with the requirements of GDPR. GDPR introduces new rules that require organizations to keep implementing controls. ISO 27001 can be used to meet the needs of GDPR through assurance, security controls spanning frameworks, processes, technology, and people, risk assessments, accountability, and continual improvement.
Research also identifies other frameworks used in risk management.
The COSO enterprise framework originally organized objectives into four categories: strategic, operations, reporting, and compliance. It was later revised into the new COSO ERM framework, which focuses on integrating risk management, risk appetite, and culture throughout an organization. The revised framework is guided by five major components.
Governance and culture provide guidance and insight into risk responsibilities, the operating structure, the retention of individuals, and the tone on risk set by leaders (COSO, 2004, p. 37). The second component is strategy and objective setting, which is grounded in strategy and planning. It addresses how companies understand the effects of risks, both internal and external. This component is essential because it guides the organization in defining its risk appetite while formulating its approach to risk management.
The third component, performance, helps identify and assess the impact of risks and prioritize them (COSO, 2004, p. 30). The fourth component, review and revision, follows: once risks are prioritized and responses are implemented, the organization reviews observed changes and revises its strategies to improve ERM. The final component of the COSO ERM framework is the sharing of information obtained from internal and external sources across the organization.
In summary, addressing information security risks in organizations requires the use of various standards. These standards work best for companies that follow a defined structure or framework. The framework an organization selects acts like a skeleton that provides sound guidelines and a comprehensive enterprise risk management strategy. Future work could survey organizations about certification of their information security management systems.
References
Al-Ahmad, W., & Mohammad, B. (2013). Addressing information security risks by adopting standards. International Journal of Information Security Science, 2(2), 28-43.
COSO (2004). Enterprise risk management: Integrated framework. Committee of Sponsoring Organizations of the Treadway Commission, 2.
Lopes, I. M., Guarda, T., & Oliveira, P. (2019, June). How ISO 27001 can help achieve GDPR compliance. In 2019 14th Iberian Conference on Information Systems and Technologies (CISTI) (pp. 1-6). IEEE.