Operating during a pandemic: Using ISO to plan for business continuity
Activ can help you to control your business risks
Business continuity is about having a plan to deal with difficult situations, and about managing risk, so that your organisation can continue to function with as little disruption as possible. 2020 has certainly proven that unprecedented situations can arise and escalate in very quick succession.
To improve and maintain business continuity, it is important to understand the potential pitfalls and to have a plan in place to mitigate those risks. You should ensure that your organisation applies its risk identification methodology consistently and effectively. A structured way to address risk management is to regularly review your Business Risks, Opportunities and Interested Parties Register, which is a key requirement of many ISO standards.
ISO Standards and Risk Management
ISO standards address high-level business risk management as a four-step process, the aim being to identify, assess and mitigate potential issues that could affect your organisation. The steps are:
- Identify the risks (and opportunities)
- Plan your response
- Integrate the response into your ISO management system
- Evaluate effectiveness and review
1. Identify your high-level business risks
There are two kinds of risk for organisations: internal and external.
Internal risk originates from within the organisation, for example changes to its structure or hierarchy, resource shortages or process deficiencies.
External risk is anything else, usually outside the control of the organisation: legislation, financial instability, economic and geographical factors and, as we have seen in 2020, global health factors.
The risk will need to be determined in the context of the specific industry and organisation.
To assist you with identifying your business risks it is useful to work through a Business External and Internal Issues Assessment, for example, or you may choose to use tools such as a SWOT analysis, a PESTLE analysis or similar.
Having such a document, or documents, in place will also demonstrate to an external auditor that you have identified the issues that could potentially affect the performance of your business management system, and that you comply with the requirements of Clause 4.1 of ISO 9001, ISO 14001, ISO 27001 and ISO 45001.
2. Plan your response
Once you have identified your risks, it is key that you assess those risks and the level of impact they would have on your organisation.
An in-depth assessment should consider:
- Which stakeholders could be impacted by the risk: staff, suppliers, clients, shareholders?
- How likely is each risk?
- How disruptive would it be?
- What resources can you dedicate to mitigating these risks, and what control measures do you already have in place?
This assessment should be summarised in a Business Risks, Opportunities and Interested Parties Register.
The risks and opportunities you record, and your assessment of their significance, should provide useful inputs when formulating your Objectives and the Key Performance Indicators with which you measure and monitor the performance of your processes.
Having a robust Business Risks, Opportunities and Interested Parties Register will not only help you control and mitigate risk but will also demonstrate your compliance with the requirements of the following clauses, for example:
- Clause 4.2 of ISO 9001, ISO 14001, ISO 27001 and ISO 45001
- Clause 5.1.1 of ISO 9001
- Clause 6.1 of ISO 9001
- Clause 6.1.1 of ISO 14001, ISO 27001 and ISO 45001
- Clause 6.1.3 of ISO 14001 and ISO 45001.
3. Integrate the response into your Business Management System
When considering how to mitigate your risks, you will no doubt already have policies and processes in place to control many of them. Where you do not, and the risk is deemed to be significant, processes should be developed or adapted so that they include risk-mitigating steps.
It is important to identify, control and improve the business-critical processes which protect your organisation and its employees; these processes should be regularly reviewed to ensure they remain current and effective.
4. Evaluate Effectiveness & Review
Your business risks should be regularly monitored and reviewed to ensure that plans and controls are current, remain relevant and are effective. Regular reviews will identify any inefficiencies, allowing you to rectify them quickly.
It is therefore key to have Objectives and Key Performance Indicators (KPIs) in place with which to measure and monitor the performance of your processes, so that any issues are identified at an early stage.
For instance, having an Objectives and KPIs Register in place will help you demonstrate compliance with the following clauses:
- Clauses 5.1 and 6.2 of ISO 9001, ISO 14001, ISO 27001 and ISO 45001
- Clause 188.8.131.52 of ISO 9001
- Clause 9.1 of ISO 9001 and ISO 27001
- Clause 9.1.1 of ISO 14001 and ISO 45001
- Control A.12.1.3 of ISO 27001 (Annex A)
Easy Risk Management with ISO Management Software
Our Activ ISO Management software offers a variety of tools to help you map out, manage and monitor your risks, including a tool for building your Business Risks, Opportunities and Interested Parties Register, and modules to help you control those risks, such as Supplier Assessment, Legal Compliance and Document Control.
To learn more about how Activ can help you to control your business risks, book a demonstration.