Continuous Risk Assessments?

NIST Risk Management
  • ISO/IEC 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organisation.
  • ISO/IEC 27005 provides guidelines for information security risk management. It supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach.
  • ISO/IEC 27018 establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.
ISO/IEC 27005 Risk Management
  • Modification: The level of risk should be managed by introducing, removing or altering controls so that the residual risk can be reassessed as being acceptable. Basically, change things and reassess to see if the risk is still as bad as it was when you started.
  • Retention: The decision on retaining the risk without further action should be taken depending on risk evaluation. In other words, don’t do anything. In this case it’s important to ensure that you have clear confirmation from the customer that they accept the risk.
  • Avoidance: The activity or condition that gives rise to the particular risk should be avoided. Gotta smile at this one as it basically means that you shouldn’t do the risky thing! Sometimes that can’t be an option.
  • Sharing: The risk should be shared with another party that can most effectively manage the particular risk depending on risk evaluation. In other words, offload it. You see this happen a lot, where a solution is passed over to be a managed service. The issue however is that if/when things fail, you still get tarred with the failure. I believe it only provides a false sense of security.

Value = Value minus Risk
