
Abstract

Risk management is important for any industry because it reduces risk and threats in every department
of the company. Managing risk is a challenge for the company, which must face increasingly complex
and diverse threats and reduce them. In 2009 the International Organization for Standardization
(ISO) introduced the ISO 31000 standard, which is intended to help organizations manage their risk
management systems.
In this project I discuss ISO 31000:2009 and how to implement ISO 31000:2009 in an IT organization.

KEYWORDS: Risk Management, ISO 31000:2009, Information Technology, Risk, Threat.


Introduction
Any organization, regardless of its type and size, may face external and internal difficulties in
achieving its objectives. These difficulties are known as "RISK". Every process that takes place in an
organization carries some amount of risk. An enterprise can handle its risk by identifying, analyzing
and evaluating it. Risk can then be changed through the risk treatment process. Throughout the risk
assessment process the consultant communicates with the stakeholders to monitor and review the risk
assessment processes.

All organizations take some measures to reduce risk, but ISO 31000 uses a number of principles to
manage risk in an effective manner. ISO recommends a process for the enterprise that develops,
implements and continuously improves the enterprise's culture, governance, management, processes and
values.

The risk management process can be applied to any specific process of the enterprise or to the
enterprise as a whole.

Benefits of implementing risk management in the enterprise

- Objectives can be achieved more easily.
- Threats and vulnerabilities can be identified more easily.
- Mandatory and optional reporting improves.
- Helps in achieving the stakeholders' trust and confidence.
- Minimum losses.
- Improved productivity.
- Better utilization of resources.

Scope

It provides generic principles and guidelines to implement risk management in an IT
Organization.

Objective

The objective of risk based implementation in an IT Organization is to help achieve the basic
objectives of the Organization. The implementation strategy in IT is based on components which
together strengthen the economic situation of the IT Organization while preserving its credibility
with its clients and stakeholders.

Context of the organization

For the IT organization, we need to establish the internal and external context.
1.1. Internal Context
Director
Board of Directors
CEO
Employee (regular & contractual both)
Policies of the organization, which may include the following:
o Information Security Policy
o Asset Management Policy
o Remote Access Policy
o Internet Access Policy
o Network Security Policy
o Backup Policy
o Change Management Policy
o Password Management Policy

1.2. External Context

Suppliers (Hardware, Stationery & Software Suppliers)
Facility Management Services
Other Companies
Government Policies
Local Government Bodies

Implementer's to-do list
This list consists of documents and clauses with questions for the implementer to carry out the risk
assessment process step by step.

Risk assessment
Risk assessment scans the external and internal environment and context, and should be enterprise
wide, holistic, integrated and strategic in approach. For an IT Organization, the categories of risk
to be assessed would include Strategic, Software, Hardware, Financial, Information Technology,
Economic, Policy, Funding, Stakeholder, Corporate Governance, Reputation, Regulatory and Business
Continuity/Disaster Recovery risks. Since we are implementing ISO 31000 in an IT organization, we
are concerned with the IT assets and other assets for effective risk management.

Risk assessment involves risk identification, risk analysis and risk evaluation.

1.3. Risk Identification


Identify the risk in line with the procedures and policy, and assess its potential impact on the
bank by determining its source, impact and cause.

Undertake a risk assessment and identification of all major risks that might prevent the
organization from achieving its objectives.

Risk analysis
Risk analysis is the review of the risks associated with a particular event or action. It is
applied to projects, information technology, security issues and any action where risks may
be analyzed on a quantitative or qualitative basis. Risk analysis is a component of risk
management. It measures risk in terms of consequences (impact) and likelihood (probability).

Risk evaluation

The purpose of risk evaluation is to support decision making, based on the result of risk analysis,
about which risks are to be treated and the priority of risk treatment implementation. Assess each
risk's importance to the bank by prioritizing the risks on the basis of the risk criteria.

Risk treatment
Risk treatment is a risk modification process. Select and implement one or more treatment options.
You may choose between avoiding the risk, reducing the risk, removing the source of the risk,
modifying the consequences, changing the probabilities, sharing the risk with others, or simply
retaining the risk. When a risk is treated, a control is applied to the risk or an existing control
is modified.

Mitigation: This is the most commonly considered risk management policy. It includes fixing the
loophole or providing some type of alternative control to reduce the likelihood and impact of the
risk.

Transfer: The process in which an IT organization transfers its risk to another organization, for
example an insurance company.
Acceptance: The process in which the organization accepts the risk; for example, risks that have a
high cost to mitigate are generally accepted.

Monitoring and review


The monitor and review process is carried out to check the important factors that affect the
efficiency and effectiveness of the organization. It includes learning lessons from events that
happened in the past, and it finds new risks in the business. Through the monitoring and review
process we can regularly check the processes of the organization, which is also known as internal
audit.
Conclusion

In the present scenario risk management has become a necessity. Every organization handling
information is investing in its security and thus complies with risk assessment. Risk based
assessment enables the responsible person to manage the information and apply consistent risk
measurements, which in turn also helps achieve the objectives of the organization and build trust
among the shareholders.

Risk based assessment identifies and addresses the risks the organization faces in handling its
assets and thus reduces the level of impact. It also assures higher management that in case of an
adverse event the risk to an asset is covered.

This report presents the implementation of risk based assessment in an IT organization. The
step by step procedure starts with risk identification for the assets in the organization, then
performs a risk analysis following a quantitative approach and finding the exposure factor of an
asset to a risk. Based on the results of the risk analysis, risk evaluation is performed by
determining the level (High, Medium, Low) of each risk. Finally, risk treatment is performed by
implementing controls to mitigate, transfer, treat and avoid the risk.
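The procedure described above (risk identification, quantitative analysis with an exposure factor, evaluation into High/Medium/Low, and choice of treatment) as an added worked example; this is not code from the report or from ISO 31000. The asset values, exposure factors, annual rates, control costs and the High/Medium thresholds are all constructed, illustrative assumptions.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    asset: str
    asset_value: float       # value of the asset at risk (constructed, currency units)
    exposure_factor: float   # fraction of asset value lost per occurrence, 0.0..1.0
    annual_rate: float       # annualized rate of occurrence (likelihood per year)
    control_cost: float      # yearly cost of the control that would mitigate the risk

def single_loss_expectancy(r: Risk) -> float:
    """Impact (consequence) of one occurrence: asset value * exposure factor."""
    return r.asset_value * r.exposure_factor

def annualized_loss_expectancy(r: Risk) -> float:
    """Impact combined with likelihood: SLE * annual rate of occurrence."""
    return single_loss_expectancy(r) * r.annual_rate

def evaluate(ale: float, high: float = 50_000, medium: float = 10_000) -> str:
    """Risk evaluation: map the ALE onto the report's High/Medium/Low levels.
    The thresholds are assumed risk criteria, not values from the standard."""
    if ale >= high:
        return "High"
    if ale >= medium:
        return "Medium"
    return "Low"

def select_treatment(level: str, ale: float, control_cost: float) -> str:
    """Risk treatment: mitigate when the control costs no more than the expected
    loss; otherwise transfer (insure) a High risk or accept a Medium one.
    Low risks are retained, matching the report's acceptance rule."""
    if level == "Low":
        return "accept"
    if control_cost <= ale:
        return "mitigate"
    return "transfer" if level == "High" else "accept"

def build_register(risks):
    """Run identification -> analysis -> evaluation -> treatment per risk."""
    register = []
    for r in risks:
        ale = annualized_loss_expectancy(r)
        level = evaluate(ale)
        register.append({"risk": r.name, "asset": r.asset, "ale": ale, "level": level,
                         "treatment": select_treatment(level, ale, r.control_cost)})
    return register

# Constructed sample risks for an IT organization (illustrative numbers only).
SAMPLE_RISKS = [
    Risk("Ransomware on file server", "File server", 200_000, 0.6, 0.5, 30_000),
    Risk("Data center fire", "Server room", 500_000, 0.8, 0.2, 150_000),
    Risk("Backup tape lost in transit", "Backups", 80_000, 0.5, 0.5, 25_000),
    Risk("Stationery supplier delay", "Office supplies", 5_000, 0.1, 2.0, 2_000),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS):
        print(row)
```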
