PhD candidate and result-oriented Director with 25 years of experience at all levels of business strategy, sales and marketing, project management and product development. Aside from managing a company, he is also the best corporate trainer and public speaker at seminars and conferences.
Risk Types to Avoid
The core purpose of an Information Security Management System (ISMS) is to provide protection for sensitive or valuable information. Sensitive information typically includes information about employees, customers and suppliers. Valuable information may include intellectual property, financial data, legal records, commercial data and operational data.
There are three categories of risk to which sensitive and valuable information is subject, commonly referred to as “CIA”. First, confidentiality risk is where one or more persons gain unauthorised access to information. Second, integrity risk is where the content of the information is changed so that it is no longer accurate or complete. Third, availability risk is where access to the information is lost or hampered.
Risk Terms to Learn
Threats to, and vulnerabilities in, the company assets that process, store, hold, protect, or control access to information give rise to information security risks, which in turn lead to incidents. Assets in a company are typically the people, equipment, systems or infrastructure owned by the company, while information is the data set(s) the company wants to protect, such as employee records, customer records, financial records, design data, test data, etc.
In information security risk terms, incidents are unwanted events resulting in a loss of confidentiality (e.g. a data breach), integrity (e.g. corruption of data) or availability (e.g. a system failure). Threats are what cause incidents to occur, and they may be malicious. Lastly, vulnerabilities, such as open office windows or source code errors, increase the likelihood that the existence of a threat leads to an unwanted and costly incident.
A Cycle to Govern All ISMS Processes
The ISO 27001 standard requires a company to use a method for continuous improvement of its information security policy, and the Plan-Do-Check-Act (PDCA) cycle is the method preferred by most information security teams. PDCA can be applied whenever the organization considers making a change, and it is equally relevant to managing information security risk, so that the results delivered are in accordance with the company’s overall policies and objectives.
The Plan-Do-Check-Act (PDCA) cycle consists of four basic steps. First, Plan establishes the objectives, the resources required, customer and stakeholder requirements and organizational policies, and identifies risks and opportunities. Then, Do is when the company implements what was planned. After that, Check monitors and measures processes to establish performance against policies, objectives, requirements and planned activities, and reports the results. Lastly, Act is the action taken to improve performance (if necessary).
The core purpose of an Information Security Management System (ISMS) is to provide protection for sensitive or valuable information, and there are three categories of information security risk commonly referred to as “CIA”: Confidentiality, Integrity and Availability. Last but not least, the PDCA cycle can be used to govern the ISMS process and manage information security risk, while providing an ongoing focus on continuous improvement.