A Recommended Course of Action for Information Security & Risk Management


This blog post explores a recommended course of action for implementing information security risk management within an organization, drawing insights from ISO 27002.

Information security and risk management are vital to the safety of organizations. A recommended course of action for implementing security risk management and information security follows, starting with security risk management and then discussing information security within an organization. As Layton (2016) describes, an organization's information security risk assessment and its information security policy are directly related.

Any risk evaluation, including one for information security, aims to give the organization's decision-makers the information they need to understand the issues that can adversely affect operations and to make informed judgments about what actions are needed to reduce the organization's risk. As Layton (2016) points out, information security controls and safeguards should normally be designed and implemented as the result of a formal risk assessment. Both the information security risk assessment and the information security program must connect to the business goals and objectives of the organization. Technology can help organizations lower their information security risks; however, information security is only one of the risks that organizational leaders factor into their overall risk management strategy. That is why the information security risk assessment and the information security program must be tied to the organization's business objectives and goals.

The International Organization for Standardization (ISO), a standards body, produced ISO 27002, which discusses information security guidelines and assists in implementing a course of action for managing information security and risk, as described by Peltier (2013). The 27002 document, as Layton (2016) points out, has quickly become a best-practice standard and a point of reference for measuring information security worldwide.

ISO 27002 includes four essential success factors directly related to establishing information security at organizations, as Peltier (2013) describes. First, organizational management must support the information security and risk management plan and team. Second, a methodology or framework must be rolled out, maintained, monitored, and improved to fit the culture of the organization. The third success factor is to ensure management approves a budget to support the implementation plan. As Peltier (2013) points out, the fourth and last success factor is to implement and use a system to measure information security management performance.

There are six indirectly related success factors outlined in the ISO 27002 document for organizing the information security and risk management area, as described by Peltier (2013). The first is that business objectives, security policy, purpose, and activities need to be in sync. The second is that risk assessment and risk management, along with security requirements, must be well understood. The third is that employees, managers, and any other organizations and parties must be aware of the information security initiatives. The fourth is that managers, staff, and other agencies must receive the information security policies, standards, and guidance from the security team.

The fifth success factor is the effective communication of security awareness to employees via seminars, training, or speaking engagements by a security expert. The sixth and final success factor, as Peltier (2013) describes, is having an efficient and effective process for security incident management within the organization.

The internal information security organization is key to protecting information assets, and its function is to work out how to manage information security effectively, as Peltier (2013) describes. The team should cover all aspects of security, including information security itself, the coordination and communication of information security issues, and the roles and responsibilities of the security team. The team should also be given guidance on using nondisclosure or confidentiality agreements when dealing with external organizations and consultants, on independent reviews of security, and on identifying the circumstances under which third parties have access to the organization's information.

Management support, as Peltier (2013) describes, is key to a well-delivered information security and risk plan. The security team needs active support from the management team, which must provide direction and commitment and explicitly assign information security responsibilities. Management must give observable, active, dedicated, and outcome-oriented support, and that support needs to be obvious to team members across the organization so that they understand the importance of security. ISO 27002 Control 6.1.1, titled Management Commitment to Information Security, outlines the significance of senior management supporting the information security program, as described by Layton (2016). This control advises that management participation should reach as high in the organization as the board of directors, and it requires that executive management and the board take an active role in information security.

Information security coordination, as described by Peltier (2013), is also discussed in ISO 27002. It details the importance of coordinating information security with other members of the organization and of establishing communications with external authorities, special interest groups, and specialists who could help the organization. The organization's contacts with authorities could include business groups, US-CERT and other incident response authorities, security consulting organizations, or federal, state, or local law enforcement officials. Information security requires individuals to take charge, and their activities must be coordinated and driven by management, as Layton (2016) describes. Outside consultants or specialists are sometimes helpful for reviewing internal systems from a different viewpoint and highlighting issues that internal staff may have missed.

Together, the ten direct and indirect success factors identified in the ISO 27002 standard and described by Peltier (2013) can advance an organization's ability to provide information security, protect information assets, and manage and lower security risks.

With strong backing from management, the security team can ensure that security management tasks are identified and implemented, and that implemented activities are monitored for effectiveness and remain adequate for the organization's needs. All of this is recommended as a course of action in support of risk management and information security.


References

Layton, T. P. (2016). Information Security: Design, Implementation, Measurement, and Compliance [VitalSource Bookshelf version]. Retrieved from https://www.routledge.com/Information-Security-Design-Implementation-Measurement-and-Compliance/Layton/p/book/9780849370878

Peltier, T. R. (2013). Information Security Fundamentals (2nd ed.) [VitalSource Bookshelf version]. Retrieved from https://www.routledge.com/Information-Security-Fundamentals/Peltier/p/book/9781439810620
