
In-depth interpretation of ISO 27001 Risk owners 2013: asset owner (Asset owners) and risk owner (Risk owners)

2025-04-05 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

The ISO 27001:2013 standard introduces a new concept, the "risk owner (Risk owners)", while the concept of "asset owner (Asset owners)" from the ISO 27001:2005 standard remains applicable in the new version. In other words, ISO 27001:2013 defines both the asset owner (Asset owners) and the risk owner (Risk owners). So how should these two concepts be understood, and how do they differ from and relate to each other?

How to understand the asset owner (Asset owners)

The concept of "asset owner (Asset owners)" appears in both the 2005 and 2013 versions of the ISO 27001 standard. What is an asset owner? The asset owner is "an individual or entity that has been approved by management to be responsible for the production, development, maintenance, use and security of the asset." In plain terms, the asset owner is the person responsible for the security of the asset: the one who determines the asset's security requirements and specifies how its security is to be managed and controlled.

Why is it important to designate an asset owner? Because if no owner is designated, no one is accountable for the security of the asset, and there is no way to ensure that the asset is properly protected and managed. The result is confusion in asset security management and security risks that nobody controls.
</gml_replace>
<gr_replace lines="27" cat="clarify" orig="Because of the criticality">
Because the asset owner is so critical, both the 2005 and 2013 versions of ISO 27001 require that asset owners be identified. An "asset-based risk assessment" is then conducted with the asset as its main thread, and finally the asset owner implements the risk treatment measures, thereby improving the organization's security management and control capability.

Because of the criticality of the above-mentioned asset owners, both the 2005 version and the 2013 version of the ISO 27001 standard require the identification of the asset owner, and then conduct the "asset-based risk assessment" with the asset as the main line, and finally improve the security management and control ability through the asset owner to implement risk disposal measures.

How to understand the risk owner (Risk owners)

So what is a risk owner (Risk owners)? A risk owner is a "person or entity with the accountability and authority to manage a risk." In plain terms, a risk owner is a person who needs the risk controlled and who has sufficient authority and resources within the organization to deal with it.

Why do you need a risk owner when you have the concept of an asset owner? The reasons are as follows:

Compatibility between standards: the concept of "risk owner" is already defined in the ISO 31000 risk management standard, and the ISO 27001:2013 revision is intended to ensure compatibility with other related management system standards.

Expansion of the risk assessment method: information security risk assessment has traditionally used the "asset-based risk assessment" method. Although asset-based risk assessment remains the dominant method in ISO 27001:2013, the new version broadens the assessment to cover the enterprise's "security environment" in addition to the security assessment of individual assets. Treating this kind of "security environment" risk is beyond the authority of the asset owner.

Consideration of the effectiveness of risk treatment: because risk treatment involves many departments and roles within the organization, in many cases the asset owner lacks the capacity or resources to treat the risk effectively. For example, an information system may face risk arising from poor change management, but the treatment measure of improving change management will not necessarily be carried out by the owner of the information system; it may be carried out by another department or role, such as IT service management. In other words, the asset owner can only treat risks belonging to the asset itself, while organizational and process risks cannot be treated by the asset owner.

To sum up, the introduction of the "risk owner (Risk owners)" in the 2013 version of ISO 27001 serves mainly to improve the logic of the risk management theory in the standard, and also to strengthen the practical implementation of risk control measures.

How to choose a risk owner (Risk owners)

Since the risk owner (Risk owners) is so important to risk management, how should risk owners be selected when conducting a risk assessment? In response to this question, I would like to offer three principled suggestions:

The risk is directly related to the person's responsibility: the risk owner is ultimately responsible for treating the risk, so the most important consideration is that the risk falls directly within the risk owner's area of responsibility. In other words, ask who will "pay for the risk", or who will be affected if the risk is not treated; that person is the risk owner.

Sufficient seniority and capability: only people in sufficiently senior positions have the standing to drive risk management and coordinate resources, so higher-level managers should be designated as risk owners. As a rule, risk owners sit at a higher level than asset owners.

Specific to an individual: when identifying the owner of an asset, many organizations assign ownership to a department (such as the IT department) rather than to an individual. This is not recommended when identifying the risk owner; instead, the risk owner must be very specific and assigned to a named person.

Properly identifying asset owners and risk owners is something organizations need to consider carefully. A well-reasoned assignment of asset owners and risk owners not only makes risk treatment easier but also makes risk treatment activities more effective.
