One of the most important steps when conducting an ISO 27001 risk assessment is to select risk owners to manage specific threats and vulnerabilities.
Choosing the right person is crucial, because not only should the owner of each risk be someone whose job relates to that risk, but they must also have the authority to do something about it.
It may therefore be tempting to assign risks to the most senior person in that department. For example, if you’re worried about malware infections, you may want to assign the risk to your CIO.
That’s not necessarily a mistake, but that approach might mean that a single employee takes responsibility for more risks than they can reasonably handle.
So what’s the alternative? For many organisations, the answer is to assign multiple risk owners to a project.
One of the major benefits of this is that one person – or a team – can manage the routine aspects of risk management, and a senior employee can review their work or provide further input.
Creating multiple risk owners
Traditionally, it has been complicated for organisations to assign multiple risk owners. This is particularly true when the risk assessment is conducted using spreadsheets or physical documents.
These methods mean you need a separate process to contact risk owners, and you can never be quite sure who has contributed what.
But if you use a dedicated risk assessment tool, such as Vigilant Software’s vsRisk™, the hard work has been done for you.
Once you’ve identified your assets, you’ll have the option of assigning one or more risk owners to each one. You’ll know exactly who oversees the asset – and with the option to purchase multiple licences, you can keep track of who has made which decisions.
Risk owners can work on the assessment simultaneously – either as a team or in separate departments – accelerating the process and ensuring that the documentation is completed promptly.
The software also contains a built-in wizard to guide you through the process, meaning risk owners don’t need previous risk assessment experience. All they need to do is follow our step-by-step instructions, recording their tasks from a series of dropdown menus.
You can find out more about vsRisk by taking a free trial.