Please wait, authorizing ...

Don't have an account? Register here today.


Mask vs. Hair

Gestión de riesgos

Analysis on risk management addressed from ISO 31000 and ISO 27005, understood as a complement, not as a competence.

by Gigi Agassini, CPP*

As a security professional I believe that we are constantly facing risks, learning how to manage them, making the best decisions, talking about risks, documenting how they evolve; Know trends about what this 2023 will bring onwards and much more. I ask you dear reader: are we really making the smartest decisions to efficiently manage the risks of our companies?

The risks have a financially significant impact on companies as well as reputational damage. Analyzing and managing risks effectively allows us to prevent problems before they occur, helping us save time and money. In today's uncertain and fast-paced world, analyzing, assessing and managing risks can save the corporation a lot.

Managing risks is a fundamental part of governance and leadership, since it has traceability at all levels of the organization, from identifying activities associated with risks to constant interaction with executives. Risk management must consider the external and internal context of the organization, including human behavior and cultural factors.

There are several "frameworks" and standards for risk management and probably the obligatory question is which one is correct?

On this occasion I would like to talk about ISO 31000 and ISO 27005, since both specialize in risk management, but sometimes there is confusion about how and where to apply them.

It is important to note that they are not the same and that one does not replace the other. In the standards there is no "competition" to see which wins, as if we were in a ring watching two opponents fight between the technicians and the rough ones in a "mask vs. hair", as the vast majority of standards complement each other.

If we start from the principle that there is a physical world and a digital world that today is oneself, we do not lose sight of the fact that each one has different challenges, risks and dynamisms and, although they converge, they take care of each other differently.

Let's add to the above other relevant factors such as the type of business we have, the location or geographical locations, the size of the business, the corporate strategy, the objectives, the vision, the culture, the risk appetite, to name a few. All this will lead us to choose the standard or standards that should be implemented and complemented.

ISO 31000
It is an international risk management standard that provides principles, framework and process for risk management and can be used by any organization regardless of size, activity or sector.

Its use can help organizations achieve objectives, improve the identification of opportunities and threats, and effectively allocate and utilize resources for risk management.

However, it cannot be used for certification purposes, but provides guidance for internal and/or external audit programs. It also provides sound principles for effective management and corporate governance for those organizations that implement it. It also has guidance on how to apply risk assessment techniques (ISO/IEC 31010), enabling organizations to better manage risks and continuously increase their value in a systematic and structured manner1 .

ISO 27005
It is an international risk management standard, specifically information security risk assessment and treatment, provides guidance on the implementation of the information security risk requirements specified in ISO/IEC 27001 and is applicable to all organizations regardless of type, size or sector.

This standard is intended for use by organizations that intend to establish and implement an Information Security Management System (ISMS) in accordance with ISO/IEC 27001. It is aimed at people involved in information security risk management and organizations that intend to improve their related management process.

It states that risk management best practices should be defined according to the characteristics of the organization, taking into account the scope of its ISMS, the risk management context, as well as its industry. It also provides guidance on the implementation of the ISO 31000 risk management guide in the context of information security. The standard contains detailed guidance on risk management and complements the ISO/ICE 270032 guide.

- Publicidad -

To talk about risks, the first thing you need to do is take risk seriously.

Although risk management should be a central element of any information security strategy, today it is not a well-understood or widely used discipline, although awareness of its importance is beginning to increase, we are still far away.

It is very common for risk records to be put in complex and non-concise language, it is important to place them in the language of the business and not in technical language, as well as to properly point out the potential impacts on the commercial operations of the business. Let's not lose sight of the fact that every business has two measures: sale and loss.

Risk management best practices have been developed over time to meet specific needs in various industries through the use of different methodologies, and ISO 31000 is the matrix standard that provides the guidelines and general principles to manage any type of risk in a systematic, transparent and reliable manner, while ISO 27005 is the specialized standard that complements the matrix by providing best practices to manage Risks related to information security.

I leave you this great reflection of Nassim Nicholas Taleb from his risk book, "The Black Swan" where he wrote: "Our problem is not only that we do not know the future, we also do not know much about the past."

Managing new risks and weaknesses is, or should be, the goal of risk management.
Until next time!

* Gigi Agassini, CPP
International Security Consultant
GA Advisory
[email protected]

Duván Chaverra Agudelo
Author: Duván Chaverra Agudelo
Jefe Editorial en Latin Press, Inc,.
Comunicador Social y Periodista con experiencia de más de 16 años en medios de comunicación. Apasionado por la tecnología y por esta industria. [email protected]

No thoughts on “Mask vs. Hair”

• If you're already registered, please log in first. Your email will not be published.

Leave your comment

In reply to Some User
Suscribase Gratis

Security Solutions for Penitentiary Systems Summit - Bienvenida

Bienvenida al Security Solutions for Penitentiary Systems Summit producido por el medio Ventas de Seguridad de la mano del periodista Duván Chaverra e Invitados.

Sesión 1: PANEL - La infraestructura penitenciaria enfocada a la Seguridad electrónica

La gestión de la seguridad en los centros penitenciarios es una práctica que implica la convergencia entre personal altamente capacitado, infraestructura física especialmente diseñada y estrategias rigurosas, esto apoyado en soluciones tecnológicas confiables y complementarias. Entonces, ya que las cárceles en su rol de servicio público tienen el gran reto de reformar a los ciudadanos, a partir de la privación de su libertad, son instalaciones que deben velar en todo momento por la seguridad al exterior, pero también al interior de todos sus espacios; de ahí que la seguridad electrónica se convierta en un apoyo fundamental, pues entrega beneficios imprescindibles a este sector, gracias a que con su constante evolución, responde e incluso se anticipa a las necesidades que puedan surgir. Modera: Duván Chaverra - Ventas de Seguridad Juan José García Ruiz - Magal Security Systems. Manuel Zamudio - Axis Communications Jose Luis Calderón - Eximco

Sesión 2: Soluciones Integrales de Seguridad Electrónica para Sistemas Penitenciarios

Los centros penitenciarios tienen un foco de atención crucial en el tema de la seguridad, por ello en esta conferencia se expresarán las diferentes tecnologías, soluciones y servicios de Magal, de los cuales estos centros deben contemplar dependiendo su nivel de seguridad. Juan José García Ruíz, Director Comercial para América Latina: Magal Security Systems.

Sesión 3: Cómo implementar elementos de cierre de manera efectiva en tu proyecto de seguridad

Muestra de nuevas tecnologías de los elementos de cierre para los recintos penitenciarios Victor H, Manzanilla R, Director de Ventas - ABLOY Critical Infrastructure México

Sesión 4: Tendencias de soluciones de control de acceso en centros penitenciarios.

En alianza CDVI e ISTC, hablaremos sobre el porqué gracias a las necesidades que van surgiendo día a día por un efectivo control de acceso, dentro de los centros penitenciarios, surgen las tendencias de implementación de nuevas tecnologías para hacer más eficiente la seguridad y el control dentro de estos centros. Jorge Gomez, Director of Global Business Development Americas ISTC Nicolás Gallo, Gerente de Ventas Centro América| Región Andina | Cono Sur - CDVI
Load more...

Latest Newsletter