IL7 and ISO 31000 Clauses
IL7 will endeavour to ensure that the risk assessment assignments it performs, whether aimed at establishing an information security management system for an organisation or for a project, provide the basis for meeting the ISO 31000 principles set out below. If IL7 is assessing a single system, its assessment will be compatible with the organisation's wider risk management system, will accommodate and interact with it, and will promote these principles within it.
ISO 31000 clauses:
Risk Management creates and protects value.
If the customer is adopting a new system of risk management, perhaps to replace IS1/2, it must be an integral part of the business and accepted by the Board. It should not be a one-off exercise for a single project or system, but a methodology that is sustainable, consistent and comprehensible throughout the organisation, and consistently applied.
Risk Management is an integral part of all organisational processes.
The risk management system should take account of all the business's drivers, feeding into them and being fed by them as an integral component. It should be structured so as to enable the organisation to take new opportunities, enhance value and mitigate business threats in a controlled manner.
Risk Management is part of decision making.
The risk management system should be used in making decisions, enabling informed choices to be made about both 'upside' and 'downside' risks. Opportunities may present themselves for the development or expansion of the business (or for cost saving), and declining to take an upside risk can have worse consequences than taking it. A practical risk assessment and management system should therefore allow opportunities to be explored and exploited.
The PDF contains more about the ISO 31000 clauses.