In our approach to that uncertain future we are going to want to identify risk. Risk management is about identifying risks and then making appropriate business decisions as to what to do about them. You could choose to accept the risk and do nothing, to try to reduce the risk, or to remove the risk entirely. Not everything needs to be prevented, but risk management wants you to acknowledge the risk and to have taken a positive action to address it. Those known knowns, unknown unknowns, and known unknowns. ISO 27001 risk management is about setting the best course of action to take for those elements of uncertainty. We cannot plan for everything, but we can have a policy and an approach for how we deal with it.
Risk is all about the uncertainty that surrounds future events and their outcomes. Managing it allows the business to decide what controls to put in place and to what level. It is a sensible approach to information security. I like a risk-based management approach to information security.