Which international 'risk' standard is right for my organization?

Most organizations are flooded with international standards and it is often difficult to choose the right one. In most cases the standard selection is driven by customer and/or regulatory pressure.

If you are not driven by any external pressure and your main question is “which one is right for us?”, here is an attempt to demystify the following four international standards.

  • ISO 31000:2009 – risk management – Principles and Guidelines
  • ISO/IEC 27001:2013 – information security management system
  • ISO/IEC 20000-1:2011 – (IT) service management system
  • ISO 22301:2012 – ‘societal’ business continuity management system

The aim of this article is to give you an independent perspective on why you should go for any one of them. (If you are already compliant with one of these, then your question may be “what more can we do?”, and the article may help give you some direction.)

Since each standard demands a formal risk assessment, let us also note the name given to the risk register when you pursue each of them independently.

For each standard below: what it covers, why you should choose it, and what the resulting risk register/record is called.

ISO 31000 – risk management standard

Coverage: This standard aims to cover almost all areas of organizational risk: strategic, personnel, operations, information, and financial. What is missing in this standard? Specifics! It is not a certification standard, and organizations use it to compare against best practices. Unlike the other standards, the degree of implementation and its interpretation is left to the users and to the advisers/consultants/internal auditors engaged by the organization.

Why should I choose this one? Choose this standard if you typically do not have a certification requirement but wish to raise and embed an organizational culture of ‘risk’ across all areas and all functions. Most organizations applying ISO 31000 have an inherent reason to bring a culture of risk into their business life cycle.

Name of the risk register/record: Enterprise risk register/record should be the name if you seek to implement ISO 31000.

ISO 27001 – information security management system

Coverage: The ISO 27001 standard is focused on the keyword “information” and its protection. What is an information asset? The answer is “anything that has a business value”. In other words, it is not just Information Technology (IT) infrastructure. So if your organization is seeking to protect all forms of information against unauthorized access (confidentiality), unauthorized modification (integrity), and loss and destruction (availability), the standard provides a series of controls that enables you to pick and choose those that are relevant to you based on a formal asset-wise risk assessment. ISO 27001 certification involves 114 controls, which together aim at a combined secure architecture of preventive, detective and other controls, and encompass procedural, physical, technical and, most importantly, personnel controls.

Why should I choose this one? This is the most popular “risk” standard, with the highest number of certifications; choose this one if you are concerned about the protection of your information. How is it different from ISO 31000? The difference lies in the specifics: you can pinpoint and measure how a specific control is working, unlike with several other generic standards. As part of the analysis you would be required to perform an asset-wise risk valuation which should clearly articulate the state of an asset and its control environment.

Name of the risk register/record: Information risk register – where for every asset you can see the risk value.

ISO 20000-1 – (IT) service management system

Coverage: The latest in the standard family (in terms of inclusion of the word ‘risk’), ITSM – ISO 20000 certification is aimed at making the traditional IT organization/department free from service risk. Although it has been associated with IT ‘process’ best practices, inclusion of the words “service risk” gives you a different view of ISO 20000 now. Aimed at making IT a ‘service’ department, the standard has best practices aligned with ITIL.

Why should I choose this one? You would choose this if you wish to make your IT a “service” organization. A “service” catalog is the starting point for this and makes your organization align with business objectives.

Name of the risk register/record: IT (service) risk register. In ISO 20000:2005 there was a reference to a service improvement plan, which indirectly focuses on all weaknesses.

ISO 22301 – ‘societal’ business continuity management system

Coverage: An upgraded version of BS 25999, the new ISO 22301 gives more meaning to the scope of business continuity. ISO 22301 certification is your means of demonstrating your ability to deliver in case of a disaster. In my view most organizations used ISO 27001 between 1993 and 2007 to show their continuity maturity. In 2007 BS 25999 came into existence. Terms like maximum tolerable period of disruption (MTPOD), return time objective (RTO) and minimum service levels (MSL) forced the business to speak up and define their continuity strategies and prioritize the business functions that demand quick recovery.

Why should I choose this one? Go for this if you need to demonstrate the maturity of your continuity processes. One of the key features of this compliance is your demonstration of continuity through tests, and nothing pleases a continuity professional more than the range of tests available to demonstrate their continuity strategy.

Name of the risk register/record: Continuity risk register – a list of issues/items that are considered gaps in the continuity of the business.

To summarize, the choice of a risk management standard is usually driven by where you see most of the risk really lying. You choose ISO 31000 when each and every area of the organization should be covered under risk management, whereas your focus should be ISO 20000 when it is limited to IT service delivery.

There is another risk management standard, ISO 28000 for supply chain management (Specification for security management systems for the supply chain); I will keep that for perhaps another day.

Please do not hesitate to call us for an in-house session to help understand the nuances of each of these standards.

Did this help? Let me know your views!