
This module will give you a short overview of the risk management process, covering clause 6.1 of ISO 27001: Actions to address risks and opportunities.

The risk-based approach is very important for information security management, because it
helps you identify the risks related to information security. In order for you to be able to
protect your information, you need to know what kind of risks it is exposed to.

Here are a few materials that will help you better prepare for this module:

Compulsory reading:

- article: ISO 27001 risk assessment & treatment – 6 basic steps
- article: How to write ISO 27001 risk assessment methodology
- article: ISO 27001 risk assessment: How to match assets, threats and vulnerabilities
- article: How to assess consequences and likelihood in ISO 27001 risk analysis
- article: The importance of Statement of Applicability for ISO 27001

Additional reading:

- book: ISO 27001 Risk Management in Plain English
- book: Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own
- article: Risk Treatment Plan and risk treatment process – What’s the difference?

Module 3 - Risk management


Addressing risks and opportunities [clause 6.1.1]

During planning, companies have to identify the risks and opportunities that need to be addressed. A risk refers to an unwanted event that can have a negative impact on information security and on the company, for example an event that destroys paper-based information.

Opportunities refer to actions the company could undertake in order to improve information security, such as hiring security experts. Companies also have to plan how these actions will be implemented and integrated into the ISMS, as well as how their effectiveness will be evaluated.

For example, actions for addressing and evaluating risks can be part of the regular risk management process, while actions related to opportunities can be part of the ISMS continual improvement process.

For example, if one of the employees is chosen as CISO, there could be an opportunity for that person to strengthen their knowledge; for that purpose the company can initiate an improvement action and set an information security objective for this CISO to obtain an appropriate security certificate.

Identifying, documenting and managing risks and opportunities is key to a successful ISMS, because it helps companies see the strengths and weaknesses of their business operations and use that knowledge in building effective information security.
