
OUR LATEST POSTS

A New Era For HR – Above And Beyond ISO 30414

Written by: Brenna Johnson

ISO 30414, the Human Capital Internal and External Reporting standard, was published in 2019 and opens a new era for HR managers, helping both their organization and their stakeholders identify relevant information for more effective business management and for disclosure to interested parties. In this article, we detail these four ISO standards and the areas they cover.

ISO Standard and Companion Documentation for HR

ISO 30414, Human Resource Management – Guidelines for internal and external human capital reporting: the guidelines for internal and external human capital reporting. Companies are expected to report on 23 core metrics, with the goal of increasing transparency around an organization’s human capital contributions.

Below we have highlighted some relevant companion documentation available to help organizations understand terminology and help with requirements:

  • ISO 30400, Human Resource Management – Terminology: breaks down the fundamental terms used in the HRM (Human Resource Management) Standards.
  • ISO 30409, Human Resource Management Workforce Planning: helps organizations plan and adjust their staffing protocols.
  • ISO 30408, Human Resource Management – Guidelines on human governance: provides the necessary guidelines for establishing a human governance system.
  • ISO/TS 24179, Human resource management – Occupational health and safety metrics: the first in a large series of technical specifications and guidance documents that provide comparable measures for internal and external reporting in human resource management. It relates specifically to occupational health and safety data and highlights issues that should be considered when interpreting it, such as lost time from work-related injuries and accidents and the rate of people who have undertaken OH&S training, and it shows comparisons over time for target tracking.

Areas Covered In ISO 30414

The ISO standards provide guidelines on the following core Human Capital Reporting areas:

  • Costs
  • Leadership
  • Organizational culture
  • Workforce evaluation
  • Productivity
  • Recruitment
  • Turnover
  • Diversity
  • Workforce availability
  • Skills and capability

Note: ISO 30414 is a guidance standard, meaning organizations cannot become certified to it. If you are looking for certification to a related standard, ISO 45001:2018 Occupational Health & Safety might be worth considering.

Why HR Should Go Above And Beyond ISO 30414

Every Industry Is Different

As with most ISO standards, ISO 30414 is generic in nature and not specifically tailored to the health, agriculture, or banking industries. This means that it is easily applicable to any industry and is designed to allow organizations to tailor each requirement to how they best run their business. For best results, an HR manager should have autonomy within their scope of work to achieve the requirements of the standard in a manner that serves the needs of their industry and their people. Without applying insight into your company’s best practices and the functionality of the work, strict compliance with these guidelines can lead to unexpected losses or resistance from the organization. There is no “one cap fits all” model in business, and the same should be considered for the application of an ISO Standard.

Consider utilizing a consultant to help you tailor-fit your processes to meet the requirement with how you best run your business. Looking for a consultant? Find an expert consultant in your area here.

Maximizing Productivity and Profits

If the goal of your business is to maximize profits and productivity, ISO Standards are designed to help you achieve this.

ISO Standards help organizations do this by reducing inefficiencies in processes and procedures. When everyone knows what they are doing, it saves time and energy and increases productivity. By doing so, companies often see an increase in profitability and employee satisfaction.

Results May Not Meet Expectations

While effective implementation of ISO Standards often increases profits and productivity through efficient processes and procedures, results may vary. It’s up to the HR leaders and top management to go the extra mile. Without support and effort from management to meet and maintain the requirements of the standard, maintaining an effective ISO 30414 management system will not be possible.

The People Factor

The HR department first and foremost deals with people – the company’s workforce, who have the most significant impact on the company or organization’s performance. If ISO guidelines are followed without amendments or improvements to how the workers function, it is the workers who suffer for it.

Reports Aren’t Everything

If reports and reporting are taken too seriously, and other vital areas like working conditions are overlooked, workers will be badly affected, and productivity may decline. HR leaders should be strategic, considering that they’re dealing with people who have feelings before implementing standards. If the standards produce unfavourable results, they should be quick to switch to a more suitable business model.

ISO 30414 gives a clear set of guidelines for evaluating and reporting human capital. While this is convenient for monitoring productivity, reporting doesn’t necessarily make workers more productive; rather, it’s a strategy used to organize and mobilize them.

In addition to a sound reporting system, there should be a sound people strategy and relationship. HR managers should go beyond the reporting requirements to build the right system for people analytics, partnerships, and a culture that helps the company achieve its goal. Workforce data should be carefully analyzed to make for better working relationships, not just for employee retention but for employee satisfaction. In short, advanced data analysis is far more powerful than reporting for business transformation.

Summary

ISO 30414 serves as a guideline for effective human capital reporting, and paired with the companion documentation, it’s an extremely helpful resource for HR managers. For an organization to stay top of its class, continuous improvements are vital. Implementation of these guideline standards could mean the difference between hiring the best in the industry or increasing market share due to increased consumer satisfaction from your productivity. And because ISO 30414 is generic in nature, any organization can benefit from it. Everyone wants to increase productivity and profits; what will distinguish a particular company from others is whether or not it can go beyond these standards to create advanced policies of its own. Help set yourself apart from the rest, and go above and beyond the call of duty for HR.


About the Author:

Brenna Johnson is an HR professional based in New York, with a passion for technology and modernizing our industry. Brenna helps shape selectsoftwarereviews.com as senior editor, providing expert advice on the best HR and recruiting software.

ISO Terms Explained

To the novice quality manager, ISO jargon can be extremely overwhelming. What is an NCR? What do you mean by OFI? Are we certified or accredited? But before you go and pull out your hair, let’s take a moment to go over some of the most frequently used terms and their definitions with regard to ISO and Management System Certification.

Are you Accredited, Certified or Registered to an ISO Standard?

First things first. You are not certified to an ISO Standard, your company’s management system is certified. Individuals cannot be certified to an ISO Standard. However, individuals can receive training to become auditors to audit companies against an ISO Standard. For example, you may seek training and personnel certification to become an ISO 27001 Lead Auditor. You cannot be certified to ISO 27001.

The terms “accreditation”, “registration” and “certification” are sometimes used interchangeably, but technically they don’t share the same meaning.

CERTIFICATION:

An organization is considered certified to an ISO Standard if they have developed and maintained a compliant management system that has been audited by a third-party auditor from an accredited Certification Body (CB). To maintain certification, the organization will undergo annual audits from the CB to verify continuing compliance to the specific standard. A certification document or a certificate will be issued as an attestation of conformity of an organization’s management system to a specific management system standard or other normative requirements. Certification can be revoked if regular audits are not conducted, or if your management system persistently or seriously fails to meet certification requirements.

ACCREDITATION:

Accreditation is how an authoritative body provides formal recognition that an organization is competent to carry out specific tasks. Accreditation Bodies (AB) accredit Certification Bodies (CB) that demonstrate competence to audit and certify organizations conforming with management system standards. The accreditation process ensures impartiality and competence and fosters confidence and acceptance of the CB’s certifications by public and private sector end users. Accreditation provides assurance to customers that CBs operate according to internationally accepted criteria.

REGISTRATION:

Registration is another term for Certification. The terms Registration and Registrar are not used much anymore in this industry and Certification is now the preferred term.

Audits, Auditing & Auditors

Auditing:

Auditing is the systematic process of collecting and evaluating information about an organization’s management system to determine their level of compliance with the standard they are being audited against.

Types of Auditors

Consultants:

Management system consultants provide organizations with specific advice, instructions or solutions towards the development, implementation, and maintenance of a management system. They may also prepare or produce manuals or procedures for the management system.

Internal Auditors:

An internal auditor is a company employee who independently and objectively evaluates the operations of an organization’s management system. Internal auditors perform internal assessments of the organization and prepare reports for management.

Note: Internal audits are required by ISO management system standards but cannot be used to grant certification to an organization.

Third-Party or External Auditors:

An individual who conducts audits on behalf of the certification body. Unlike a consultant or internal auditor, third-party auditors are impartial. Their job is to collect and evaluate objective evidence to determine if the management system complies with the ISO Standard. Based on these findings, the CB will make a recommendation for certification.

Certification Body:

A Certification Body (CB) is an accredited third-party organization that audits and issues certificates to companies seeking certification to various ISO Standards. CBs obtain accreditation to be able to certify to specific ISO Standards. CBs are audited by Accreditation Bodies (AB) to ensure impartiality and conformity of their work and processes.

Accreditation Body:

An Accreditation Body (AB) is an organization that provides accreditation services. ABs provide formal, third-party recognition that a Certification Body is competent to issue certification to specific ISO Standards.

The ISO Lingo – Commonly Used Term & Definitions:

The following Terms & Definitions are from ISO/IEC 17021-1.

Certified Client

organization whose management system has been certified

Impartiality

presence of objectivity; freedom from conflict of interest or bias

Note 1 to entry: Objectivity means that conflicts of interest do not exist, or are resolved so as not to adversely influence subsequent activities of the certification body.

Client

organization whose management system is being audited for certification purposes

Auditor

person who conducts an audit

Competence

ability to apply knowledge and skills to achieve intended results

Guide

person appointed by the client to assist the audit team

Observer

person who accompanies the audit team but does not audit

Technical Area

area characterized by commonalities of processes relevant to a specific type of management system and its intended results.

Note: The term “technical area” is applied differently depending on the management system standard being considered. For any management system, the term is related to products, processes and services in the context of the scope of the management system standard. The technical area can be defined by a specific certification scheme or can be determined by the certification body. It is used to cover a number of other terms such as “scopes”, “categories”, “sectors”, etc., which are traditionally used in different management system disciplines.

Nonconformity (NCR)

non-fulfilment of a requirement

Major Nonconformity (Major NCR)

a nonconformity that affects the capability of the management system to achieve the intended results.

Note: Nonconformities could be classified as major in the following circumstances:

  • if there is a significant doubt that effective process control is in place, or that products or services will meet specified requirements;
  • a number of minor nonconformities associated with the same requirement or issue could demonstrate a systemic failure and thus constitute a major nonconformity.

Minor Nonconformity (Minor NCR)

a nonconformity that does not affect the capability of the management system to achieve the intended results.

Technical Expert

person who provides specific knowledge or expertise to the audit team. Specific knowledge or expertise is that which relates to the organization, the process or activity to be audited.

Certification Scheme

conformity assessment system related to management systems to which the same specified requirements, specific rules and procedures apply

Audit Time

time needed to plan and accomplish a complete and effective audit of the client organization’s management system

Duration of management system certification audits (Audit Duration)

part of audit time spent conducting audit activities from the opening meeting to the closing meeting, inclusive.

Audit activities normally include:

  • conducting the opening meeting;
  • performing document review while conducting the audit;
  • communicating during the audit;
  • assigning roles and responsibilities of guides and observers;
  • collecting and verifying information;
  • generating audit findings;
  • preparing audit conclusions;
  • conducting the closing meeting.

Opportunity for Improvement (OFI)

Situations where the evidence presented indicates a requirement has been effectively implemented, but based on auditor experience and knowledge, additional effectiveness or robustness might be possible with a modified approach.

Written by: Narendra Sahoo

Introduction

ISO 27001 is a comprehensive international standard on information security management. Organizations trying to achieve ISO 27001 Certification for the very first time may find this to be a challenging task. Organizations that have developed a management system for information security will need to implement Internal Audits on a regular basis to ensure conformity to the standard. In this article, we will detail a 5-step method for the success of your internal audits.

Stage 1

Scope & Risk Assessment

Before you can begin, you first must determine the scope of your audit, i.e., its focus: identify which areas are of higher priority and need to be audited more frequently, and which areas are of lower priority or risk and can be audited less frequently. All areas affected by the standard must eventually be included in an audit; however, not all areas need to be audited at the same frequency. This is called a risk assessment. You are required to conduct a risk-based assessment to determine the areas of higher risk for the audit. For this, your team or consultant will need to understand the business operations, controls, and systems from you and define the scope accordingly.

An experienced auditor/consultant will understand which areas in your business are of high risk or priority; if you are unsure, consulting an expert is never a bad idea! Looking for experts? Check out [link to consultants]

“It is important that your organization’s audit scope is in alignment with the ISMS policy. This is the first thing that an auditor will check and sets the stage for the remainder of the audit.”

Once you have identified areas in your processes that fall in scope for your internal audit, you will need to prioritize your resources and prepare for the audit.

Want to learn more about Risk within the context of ISO 9001? Read this

Stage 2

Documentation Review

After you have finished determining the scope of your audits and conducted the necessary risk assessment, you should begin reviewing the documents of the organization concerning the administrative and business operations that are in place.

Documents reviewed at this stage of the audit would concern the scope of your management system, policies, procedures, and processes, documents required by the standard, and other documents deemed necessary by the organization for effectively maintaining the management system. Documents reviewed here should also be within the scope of the audit as covered in Stage 1. Documents should also be reviewed using a sampling method, as depending on the size of your organization and the vastness of your documentation, a full audit of all documentation may not be possible.

Here the auditor does a high-level review of your documents supporting the management system and processes and establishes whether the internal audit is in place. Reviewing the documents is an essential stage in planning and preparing for the upcoming audit process. The analysis of the documents allows specific frameworks to be set that may be required during the internal audit process. Moreover, the documentation review helps verify whether the established documents are in alignment with the requirements of the standard.

Want to learn more about Document Review and Control within the context of ISO 9001? Read this

Stage 3

Onsite Audit

Once the audit scope is defined and the documents are thoroughly reviewed, the next stage is to perform an onsite audit to gather evidence and identify gaps in the management systems and processes.

This is an evidence-gathering process that includes interviewing employees, managers, and other stakeholders of your organization associated with the ISMS. The onsite audit determines if your organization has met minimum requirements of the standard and is ready for the ISO 27001 certification audit.

An onsite audit includes observing the established practices in your organization, interviewing staff and verifying processes and their effectiveness. Records are reviewed, evidence is collected, and a full audit report is created detailing the gaps identified, areas of nonconformity, and possible improvements in the management system.

Stage 4

Evidence Analysis

After the onsite audit has concluded, the evidence collected is analysed and sorted to classify the risks identified during the audit process. The audit analysis helps identify gaps against the base criteria and requirements of the ISO 27001 Standard. The auditors compile these results, reveal the gaps in enforcement, and may further identify areas of the ISMS that require additional testing.

Stage 5

Audit Reporting

Audit Reporting is the final stage of the assessment process. Here the auditor presents the findings of their audit. The internal audit report should be a detailed document comprising the scope, objective, high-level analysis, and key findings. The report will also include recommendations and corrective actions needed. The audit report should be presented and discussed with management for a further plan of action.

Final Thoughts

ISO audits are extensive and require an investment of time and resources to successfully achieve ISO 27001 Certification. Organizations need to prepare before taking the final plunge. Systematically following the above-mentioned audit process will not just ease the journey but also help ensure your organization meets the standard’s requirements and achieves ISO 27001 Certification. Understand that, like anything in business, the participation of top management in internal audits is critical. Top management ensures company-wide buy-in for developing effective audit plans, defining roles and responsibilities, and ensuring the enforcement of policies, procedures, and processes.

Author Bio

Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, and CRISC) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.

An accredited ISO certification is beneficial for any organization, regardless of its size or industry. As discussed in an article called ‘What Are the Benefits of Getting an ISO Certification?’, what makes the internationally recognized ISO certification so important is that it helps organizations develop processes and procedures that benefit everyday operations and ensure consistent outputs, while also increasing customer satisfaction. ISO 9001:2015 is an international standard that gives organizations a framework with which they can develop an effective quality management system. This improves employee performance, boosts company efficiency, reduces waste, and enhances the customer experience — increasing your credibility with all stakeholders.

However, many business owners may not necessarily know how to get ISO certified, especially if they’re just starting. Moreover, they could also be struggling to get their fledgling business off the ground. According to the Bureau of Labor Statistics (BLS), approximately 20% of new businesses fail during the first two years of being open. In fact, only 25% of new businesses make it to 15 years or more — numbers that have been consistent since the 1990s. It’s time for business owners to place emphasis on meeting quality standards to ensure success, even as they begin operations.

At ISOUpdate, we offer online resources and advice, for free. However, there is nothing quite like having tangible hardcopy resources on hand for reference. Below we have highlighted four books that we believe are great starting resources to help you better understand international standards and their benefits to your organization.

Discover ISO 9001:2015 Through Practical Examples by Carlos Pereira da Cruz

Discover ISO 9001:2015 Through Practical Examples is a primer for beginners in quality management systems (QMS), although it’s also helpful for those with moderate to expert knowledge of ISO 9001. Veteran quality practitioners will appreciate over 50 case studies, charts, diagrams, and tables that show readers a practical, relevant method of applying ISO 9001 principles to your own business. Instead of blindly following policies or procedures, author and quality management consultant Carlos Pereira da Cruz offers a straightforward way to adapt a QMS into your business and meet ISO 9001:2015 requirements.

Standards, Strategy, and Policy: Cases and Stories by Peter Grindley

Since 1995, author Peter Grindley’s Standards, Strategy, and Policy: Cases and Stories have left a lasting impact on research literature for standards. Grindley establishes “standards” to represent technical specifications for quality, compatibility, and connectivity, and the book discusses how compatibility standards can ensure business success. Grindley provides readers with examples to analyze problems in establishing a new market standard and winning standards contests. He also provides practical analyses on how to maintain standard profitability, as well as how to compete within established standards.

The Hard Thing About Hard Things: Building a Business When There Are No Easy Answers by Ben Horowitz

What happens after you start a business? Many books and blogs talk about how great the beginning is, but no one ever likes to talk about the nitty-gritty of daily business operations with candor. In his book The Hard Thing About Hard Things: Building a Business When There Are No Easy Answers, author Ben Horowitz shares some hard-earned, practical wisdom on managing the tough problems business school won’t cover. With the insights he’s gained from buying, developing, managing, selling, investing in, and supervising technology companies, Horowitz will teach you how to grow a business and let you in on the key to success: not quitting.

Built to Last: Successful Habits of Visionary Companies by James Collins and Jerry Porras

Pursuing Big Hairy Audacious Goals (BHAGs) is probably the most memorable part of Built to Last. Authors James Collins and Jerry Porras researched 18 successful companies over the course of six years to uncover how each one managed the transition from start-up to a large corporation. They found that the secret is to never settle for just being good enough and to chase down BHAGs. Rather than following existing standards, Built to Last recommends setting even higher standards as your goal. The book also highlights an important truth: profit is not the primary focus. Rather, products, services, and employees are the true heart of the business. With purpose and principles, you can’t go wrong.

Additionally, along with purchasing the ISO 9001:2015 Standard, ISO has released companion documents to help you understand the terminology, references and meanings for each clause. Below is a list of companion resources we recommend taking a look at:

  • ISO 9001 – Debunking the myths
  • ISO 9001:2015 for Small Enterprises – What to do?
  • ISO 9001 Auditing Practices Group (ISO 9001 APG)

About The Author

Jorine Bibi is an environmental blogger. She hopes that her articles provide her readers with information on what the world can do to reduce its energy use. She also believes that if we don’t address the issue of climate change soon it will be too late. In her free time, she likes to tend to her garden.

Top 10 Mistakes Made in Managing an ISO 9001 System

They are easy to make but can be costly to your company, in the short term, and the long term! In this short video, ISO Update talks about the Top 10 most common mistakes we’ve seen companies make when managing an ISO 9001:2015 Quality Management System, AND how to avoid them!

Did you know ISO Update has a Youtube Channel? Subscribe and like our videos so we know you want more content like this video!

You can read the full article here – Top 10 Mistakes Made in Managing an ISO 9001 System

Effective ISO 27001 Risk Assessment

Organizations of all types and sizes collect, store, process and transmit information that is valuable to them and to their clients. Safeguarding that information is vital to protect against threats both deliberate and accidental. The adoption of ISO/IEC 27001 helps organizations keep this information secure.

ISO/IEC 27001 is an international standard for Information Security Management which details the requirements for the adoption of a risk management system and a process for reviewing and confirming security controls in an organization. The standard helps organizations ensure that the processes in place are in line with regulatory, legal, and contractual obligations and are working towards the end goal of security. Risk Assessment is an integral part of the ISO/IEC 27001 Standard, as it helps organizations determine, analyze, and evaluate vulnerabilities in their Information Security Processes. In this article, ISOUpdate and Narendra Sahoo cover the significance of Risk Assessment and the steps to an effective ISO/IEC 27001 Risk Assessment.

Why is Risk Assessment Important for your Organization?

Risk Assessment relating to information security is imperative for organizations to understand the various threats and risks to their critical data and what or who their infrastructure is or could be exposed to. It is an essential step to consider when developing an information security management system, as it forms a strong foundation for the organization’s security program. The process of Risk Assessment helps identify threats and further helps mitigate the various risks of incidents that could affect the operations of an organization. Conducting regular risk assessments helps direct an organization’s focus towards the most critical and highly risk-prone areas of the organization’s infrastructure and determine where weaknesses lie. Below are the steps to an effective ISO/IEC 27001 Risk Assessment to help your organization.

Risk Assessment Framework

ISO/IEC 27001 Standard (Clause 6.1.2) asks organizations to define and apply a Risk Assessment process that is objective, identifies the information security risks and their owners, analyses and evaluates the risks and provides consistent and comparable results. Organizations shall adopt an approach that addresses the core security requirements in terms of regulatory and contractual requirements. Organizations must tailor their approach based on the following parameters to establish a strong Risk Assessment framework.

The risk parameters include:

  • Risk scale, which is based on the likelihood of an incident occurring (frequency of occurrence) and the level of impact (financial loss, reputational damage, operational disruption) that the incident may have on the organization.
  • Risk appetite, which determines the acceptable level of risk that the organization can withstand.
  • Scenario-based risk, which determines the possible events that might affect the security of assets.
  • Asset-based (or process-based) risk assessment, which determines the critical assets (records of personal data, financial data, and medical data) that may be exposed to various risks.

As defined in Clause 6.1.1, when planning your information security management system, risks and opportunities relating to the management system should be addressed to ensure its intended outcomes can be achieved. Risks and opportunities should also be addressed to allow the system to prevent or reduce undesired effects and allow for continual improvement.

As an organization, you must have a process in place to consistently address your plans and actions to identify, assess and treat these risks and opportunities, how you will integrate and implement them into your information security management system and its processes, and who the process owners are who will champion these tasks. As ISMS puts it, “Quite simply this means documenting the process for risk identification, assessment and treatment, then showing that is working in practice with management of each risk” (source).

Identifying Risks

Identifying risk is the most critical part of Risk Assessment. Identifying risk typically involves determining critical assets that require protection, a possible threat that may impact business operations, and the vulnerability in the business process or asset management or security controls that may result in an incident that impacts the organization.

Asset-Based vs Risk-Based Approach to Risk Assessment

The risk-based (scenario-based) approach is a systematic method that starts from the threats and events facing the organization and identifies, evaluates and prioritizes them. It is a customizable method that lets the business tailor its cybersecurity program to its specific needs and operational vulnerabilities, and weigh the risk to an asset against what it costs to protect that asset over its life cycle.

The asset-based approach starts from an inventory of information assets and, for each one, determines where its weaknesses are, how likely it is that those weaknesses will be exploited, and the impact each one would cause.

The risk assessor needs to identify the risks that may compromise the confidentiality, integrity or availability of assets and analyse their impact on the organization. Determine which approach works best for your organization and what resources you need to make it succeed; whichever you choose, the risk assessment process should be continual and consistent across the organization.

Source: Conducting an asset-based risk assessment in ISO 27001 by Vigilant

Analysing Risks

Risk analysis involves understanding how an incident may occur and how it would affect your business. This includes identifying the ways in which the vulnerabilities found through your asset-based or scenario-based identification could be exploited, internally or externally. The analysis must also assess the likelihood of the incident occurring and the level of impact it would have on the business.

Risks should also be analysed in light of the baseline security controls the organization already has in place to address them.

Organizations should therefore identify the controls already in place and evaluate whether they work as intended, or whether they should be replaced, modified, or supported by additional controls, before the risk is rated.

Evaluating Risks

The identified and analysed risks must now be evaluated and rated by severity, typically on a scale of low, medium and high, or on whatever internal scale makes sense for your organization. Risk grading is subjective by nature, so it should be standardized against a set of defined criteria so that ratings are consistent across your management system and comparable between assessments.

Evaluating the risk also shows whether or not it falls within the organization's acceptable level of risk. Based on the ratings, the organization must identify the highest-rated risks and prioritize its resources to address risks in order of severity, taking into account the impact of each risk on internal operations and on external parties such as customers and partners.

Risk Management & Treatment Options

Once the identified, analysed and evaluated risks are classified, the organization should make an informed, evidence-based decision on how to treat each one. Generally, the response to an identified risk falls into one of four categories (the treatment options used in ISO/IEC 27005):

  • Modification, which involves implementing security controls to reduce the likelihood or the impact of the risk.
  • Retention, which means accepting the risk because it falls within the acceptable level; under Clause 6.1.3 the risk owner must approve the treatment plan and formally accept the residual risk.
  • Avoidance, which means altering or stopping the activity that gives rise to the risk.
  • Sharing the risk with an insurance firm or with a third party who is equipped to manage it.

The organization needs to identify the controls that are already in place and the controls that should be established to mitigate or reduce each risk, and record them in the risk treatment plan.
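To make the risk scale, the risk appetite and the treatment options above concrete, here is a small risk register in Python. It is an added example, not code from this article or from VISTA InfoSec: the five-point likelihood and impact scales, the appetite threshold of 6, the rating bands and the sample assets, owners and scenarios are all assumptions chosen for illustration.

```python
"""A minimal risk register applying fixed likelihood/impact scales, a risk
appetite threshold and the four treatment options.  Added example: not code
from the article or from VISTA InfoSec; all scales, thresholds, assets, owners
and risks below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import List, Optional

# Risk criteria (Clause 6.1.2 a): the same scales are used for every risk so that
# repeated assessments give consistent and comparable results.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Assumed risk appetite: a score at or below this is acceptable and may be retained.
RISK_APPETITE = 6
# Assumed rating bands over the 1..25 score range (upper bound inclusive).
LEVEL_BANDS = ((6, "low"), (12, "medium"), (25, "high"))

TREATMENT_OPTIONS = ("modify", "retain", "avoid", "share")


@dataclass
class Risk:
    risk_id: str
    asset: str
    scenario: str
    owner: str              # risk owner (Clause 6.1.2 c)
    likelihood: str
    impact: str
    existing_controls: List[str] = field(default_factory=list)
    treatment: Optional[str] = None
    owner_accepted: bool = False  # explicit sign-off needed to retain a risk above appetite

    def score(self) -> int:
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError(f"{self.risk_id}: likelihood/impact must use the defined scales")
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def level(self) -> str:
        s = self.score()
        for upper, name in LEVEL_BANDS:
            if s <= upper:
                return name
        raise ValueError(f"{self.risk_id}: score {s} outside the defined bands")

    def within_appetite(self) -> bool:
        return self.score() <= RISK_APPETITE


def check_treatment(risk: Risk) -> List[str]:
    """Return the problems with a risk's recorded treatment (empty list means it is valid)."""
    problems = []
    if risk.treatment not in TREATMENT_OPTIONS:
        problems.append(f"{risk.risk_id}: treatment must be one of {TREATMENT_OPTIONS}")
        return problems
    if risk.treatment == "retain" and not risk.within_appetite() and not risk.owner_accepted:
        problems.append(
            f"{risk.risk_id}: score {risk.score()} exceeds appetite {RISK_APPETITE}; "
            "retention requires the risk owner's documented acceptance"
        )
    return problems


def prioritise(register: List[Risk]) -> List[Risk]:
    """Order the register for treatment: highest score first, then higher impact on ties."""
    return sorted(register, key=lambda r: (r.score(), IMPACT[r.impact]), reverse=True)


def audit_register(register: List[Risk]) -> List[str]:
    """Collect every treatment problem across the register, in priority order."""
    problems = []
    for risk in prioritise(register):
        problems.extend(check_treatment(risk))
    return problems


def build_sample_register() -> List[Risk]:
    # Constructed sample entries; assets, scenarios and owners are hypothetical.
    return [
        Risk("R1", "HR database (personal data)", "Phished credentials used to exfiltrate records",
             "Head of HR", "likely", "major", ["password policy"], treatment="modify"),
        Risk("R2", "Public website", "Volumetric DDoS takes the site offline for a day",
             "IT Manager", "possible", "minor", ["CDN with rate limiting"], treatment="retain"),
        Risk("R3", "Payroll SaaS", "Provider outage delays the salary run",
             "Finance Director", "unlikely", "moderate", treatment="share"),
        Risk("R4", "Legacy FTP server", "Unpatched service exploited from the internet",
             "IT Manager", "likely", "severe", treatment="retain"),
    ]


if __name__ == "__main__":
    register = build_sample_register()
    for r in prioritise(register):
        print(f"{r.risk_id} {r.score():>2} {r.level():<6} {r.treatment:<6} {r.asset}")
    for problem in audit_register(register):
        print("PROBLEM:", problem)
```

Running it lists the register in treatment priority order and flags R4: it scores 20 (high), well above the appetite, yet is recorded as retained without any risk-owner acceptance, which is exactly the inconsistency a defined set of criteria is meant to catch. Because the scales and the threshold live in one place, changing them moves every rating together, which is what keeps repeated assessments comparable.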

Reviewing and Monitoring

An organization must consistently review, update and improve the information security management system (ISMS) to ensure that the controls added or already in place are effective, appropriately established, and working as intended. The risk assessment process must be repeated at planned intervals, and whenever significant changes occur, so that your organization has accounted for changes in its assets and in the constantly evolving threat landscape. This cycle of identifying, analysing, evaluating and monitoring should be seen as an opportunity to continually improve the ISMS and implement controls that address the evolving risks.

Final Thought

Risk assessment is an ongoing process and should be conducted on a regular, consistent basis to ensure your organization is mitigating, eliminating and controlling the risks that internal and external threats pose to its information security. Re-evaluating the security controls and risks regularly helps businesses allocate resources accordingly and address potential threats in good time. Further, risk assessment helps businesses make informed decisions about establishing strong security measures and achieving progressive outcomes for the business.

Author Bio

Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, and CRISC) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.