Monitoring and Communications
The consultancy story does not need to stop after the assessment and recommendations. ISO 31000 has two further vital components. There needs to be ongoing communication with the stakeholders, the asset owners and IT delivery. There also needs to be continuous monitoring of the outcomes, that is, of the implementation of the recommendations.
The system in place, the ISMS, must adhere to the principles laid down in the clauses of ISO 31000 (see Annex A) and monitor not only the effectiveness of controls but also those ‘accepted and tolerated’ residual risks, so that any change of circumstances that warrants a change in the risk decision is detected. For example, the result of a risk assessment on a new system may be to allow it to go into operation with the caveat that a particular residual risk is too expensive to treat. This expense may be the cost of a hardware or software fix, and as time goes by that cost may reduce. Monitoring the circumstances and context of a risk will allow effective management over time.
Similarly, a low-risk vulnerability in a legacy system exposed by an IT Health Check might become a high risk if a CERT notification shows a high probability of its exploitation. Such a change might warrant an upgrade, earlier patching or wholesale replacement. Additionally, new security systems or upgrades may come on the market which allow effective defence for less resource (or more effective defence for the same resource, etc.). Processes and expertise for such monitoring must be in place before the IL7 consultant leaves.