ISO 31000 - Risk Management 2022
Elmer Quiroz
Cybersecurity expert
Expert in cybersecurity audit, information security, business continuity and personal data protection for the financial sector, education and information technologies.
Official instructor at ZERO SECURITY for LCSPC and ISO 27001 certification.
University professor and IT auditor.
Internationally certified in the ISO 27001, ISO 31000, ISO 22301, ISO 20000 and LCSPC standards.
Methodologies for Risk Management
[Slide: methodologies shown side by side]
• COSO model
• COBIT© (principles listed on the slide: 1. Satisfy the needs of the interested parties; 3. Apply a single integrated reference framework)
• ISO 31000 Risk Management
• Regulations of the Superintendence of Banking, Insurance and AFP
Concepts of Risk Management
ISO 31000 Risk Management Guidelines
• The ISO generic risk management framework.
• Provides generic principles and guidelines on risk management.
• It can be applied to any type of risk, whatever its nature or consequences.
• Not intended for the certification of an organization.
Terms and definitions
• Risk: Effect of uncertainty on objectives.
• Risk management: Coordinated activities to direct and control the organization in relation to risk.
• Interested party: Person or organization that may affect, be affected by, or perceive itself to be affected by a decision or activity.
• Source of risk: Element that, alone or in combination with others, has the potential to give rise to risk.
• Event: Occurrence or change of a particular set of circumstances.
• Consequence: Outcome of an event that affects objectives.
• Probability: Chance of something happening.
What are we facing?
General context of risk management
[Figure: example risk source shown on the slide: earthquake]
[Figure: ISO 31000 principles (chapter 4) arranged around value creation and protection: integration, structured and comprehensive, human and cultural factors, best available information, dynamic]
[Figure: ISO 31000 framework: leadership and commitment at the centre, surrounded by integration, design, implementation, evaluation and improvement]
Assessment
Process
• The risk management process involves the systematic application of policies, procedures and practices to the activities of communication and consultation, establishing the context, and assessing, treating, monitoring, reviewing, recording and reporting risk.
[Figure: risk management process: scope, context, criteria -> risk assessment (risk identification, risk analysis, risk evaluation) -> risk treatment, with recording and reporting alongside]
Scope definition
The organization should define the scope of its risk management activities.
As the risk management process can be applied at different levels (for example: strategic, operational, program, project or other activities), it is important to be clear about the scope considered, the relevant objectives to be considered and their alignment with the objectives of the organization.
External and internal contexts
The external and internal contexts are the environment in which the organization seeks to define and achieve its objectives.
The context of the risk management process should be established from an understanding of the external and internal environments in which the organization operates, and should reflect the specific environment of the activity to which the risk management process is to be applied.
Organization context
Definition of risk criteria
• The organization should specify the amount and type of risk that it may or may not take, in relation to its objectives.
• It should define the criteria to assess the significance of risk and to support decision-making processes.
• Risk criteria should be aligned with the risk management framework and tailored to the specific purpose and scope of the activity considered.
Risk assessment
Risk assessment is the overall process of risk identification, risk analysis and risk evaluation.
Risk assessment should be carried out in a systematic, iterative and collaborative manner, drawing on the knowledge and views of stakeholders. The best available information should be used, supplemented by additional research if necessary.
Risk treatment
The purpose of risk treatment is to select and implement options for addressing risk.
Risk treatment involves an iterative process of:
• Formulating and selecting risk treatment options;
• Planning and implementing risk treatment;
• Evaluating the effectiveness of that treatment;
• Deciding whether the residual risk is acceptable;
• If not acceptable, performing additional treatment.
Risk Management Techniques
• Avoid. Risk is avoided when the organization refuses to accept it, that is, no exposure of any kind is allowed.
• Reduce. When the risk cannot be avoided because of operational constraints, the alternative may be to reduce it to the lowest possible level.
• Transfer. The organization seeks support from, and shares the risk with, other controls or entities.
• Retain, assume or accept the risk. One of the most common risk management methods: the decision to accept the consequences of the event occurring. It can be voluntary or involuntary.
Risk Map or Heat Map
Evaluate the impact of events, the controls and their effectiveness, and the residual risk; build risk maps and adopt corrective measures.
[Figure: risk-mapping workflow: preparation -> identify (questionnaires, interviews with the responsible areas) -> evaluation of risks and controls (qualitative evaluation) -> improvement opportunities]
Evaluation techniques: Qualitative
• Probability of occurrence
• Impact
Evaluation techniques: Quantitative
[Figure: risk heat map, Probability (Frequency) on the vertical axis against Impact on the horizontal axis; bands EXTREME, HIGH, MEDIUM, LOW]
Probability (Frequency) scale:
5 - Almost certain
4 - Probable
3 - Possible
2 - Unlikely
1 - Rare
Impact
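The heat-map scoring above and the treatment loop from the "Risk treatment" section (treat, then check whether the residual risk is acceptable) can be expressed as a small risk-register calculation. This is an added example, not code from the slides; the 5x5 scale and the band names come from the slides, while the numeric band cut-offs, the "MEDIUM" acceptance criterion and the sample register entries are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Five-level probability (frequency) scale from the heat-map slide.
PROBABILITY = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Probable", 5: "Almost certain"}
IMPACT_LEVELS = range(1, 6)

# Band boundaries on the score probability * impact. The slide shows the
# bands but not the cut-offs, so these boundaries are an assumption.
BANDS = [(4, "LOW"), (9, "MEDIUM"), (15, "HIGH"), (25, "EXTREME")]
BAND_ORDER = [name for _, name in BANDS]


def band(probability: int, impact: int) -> str:
    """Map a (probability, impact) pair on the 1-5 scales to its heat-map band."""
    if probability not in PROBABILITY or impact not in IMPACT_LEVELS:
        raise ValueError("probability and impact must be on the 1-5 scale")
    score = probability * impact
    return next(name for upper, name in BANDS if score <= upper)


@dataclass
class Risk:
    name: str
    category: str              # category from the slide list, e.g. "HR"
    probability: int
    impact: int
    treatment: str = "Retain"  # Avoid / Reduce / Transfer / Retain
    residual_probability: Optional[int] = None  # None: unchanged by treatment
    residual_impact: Optional[int] = None

    def inherent_band(self) -> str:
        return band(self.probability, self.impact)

    def residual_band(self) -> str:
        p = self.probability if self.residual_probability is None else self.residual_probability
        i = self.impact if self.residual_impact is None else self.residual_impact
        return band(p, i)


def needs_further_treatment(risk: Risk, acceptable: str = "MEDIUM") -> bool:
    """Residual risk above the organisation's stated criterion is not acceptable."""
    return BAND_ORDER.index(risk.residual_band()) > BAND_ORDER.index(acceptable)


# Constructed sample register; names reuse risks from the category list.
REGISTER = [
    Risk("Poor patch management", "Security and Privacy", 4, 4, "Reduce", 2, 4),
    Risk("Loss of key IT personnel", "HR", 4, 3),  # retained as-is
    Risk("Applications with expired support", "Change Management", 5, 2, "Transfer", 5, 1),
]


def open_items(register=REGISTER, acceptable: str = "MEDIUM"):
    """Names of risks whose residual band still exceeds the acceptable band."""
    return [r.name for r in register if needs_further_treatment(r, acceptable)]
```

Running `open_items()` on the sample register reports only the retained HR risk, whose residual band (HIGH) is the one still above the assumed MEDIUM criterion.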
Protection concepts and relationships according to ISO
Risk categories and examples of the risks identified in each:
1. Infrastructure: Damage to the servers, inadequate cabling, obsolete technology, inappropriate environmental conditions, improper access to the servers.
2. Data: Disclosure of sensitive data; having access to reports or information that does not correspond to one's responsibility; reports that do not contain reliable information; inadequate handling of confidential data.
3. Operations: Failure to comply with guidelines, procedures and methodologies in the IT Department's operational processes; failures in operational processes; inadequate inventory control of IT assets; non-sending or incorrect sending of regulatory compliance files due to system failures.
4. HR: Weaknesses in the performance and/or regularity of IT personnel, poor training, loss of key IT personnel, high turnover of IT personnel who have access to sensitive data.
6. Security and Privacy: Events that threaten the confidentiality, integrity and availability of information; information leaks due to unprotected information; devices without controls; poor patch management.
7. Change Management: Budget overruns, low quality of deliverables, ineffective change control, policies and procedures not defined, applications with expired support.
8. Third Party Service: Low level of service, inadequate support, weaknesses in contracts, poor management reports.
9. Regulatory framework: Non-compliance with regulations, non-compliance with software license contracts.
10. Applications and Databases: Unsupported applications, critical system failures, weaknesses in database configurations.