
Revised ISO 31000 DIS Seeks to Simplify Risk Management

The revision of ISO 31000:2009, Risk management – Principles and guidelines has progressed to Draft International Standard (DIS) stage, with the draft now available for public comment.

ISO 31000 provides guidelines on the benefits and values of effective and efficient risk management and aims to help organizations to better understand and address uncertainties.

The revision seeks to simplify the standard by using plain language so that risk management is easier to understand. To that end, the terminology in ISO 31000 has been reduced to a small set of core concepts, and some terms have been moved to ISO Guide 73, Risk management – Vocabulary, which deals specifically with risk management terminology. ISO Guide 73 is intended to be read alongside ISO 31000.

Jason Brown, chair of ISO technical committee ISO/TC 262, Risk management, which developed the standard, said, “The message our group would like to pass on to the reader of the DIS is to critically assess if the current draft can provide the guidance required while remaining relevant to all organizations in all countries.

“It is important to keep in mind that we are not drafting an American or European standard, a public or financial services standard, but much rather a generic international standard,” Brown said.

The draft also includes improvements such as greater emphasis on the importance of human and cultural factors in achieving an organization’s objectives and on embedding risk management in the decision-making process. Despite these changes, the overall message of ISO 31000, integrating the management of risk into a strategic and operational management system, remains the same.

The next step in the process is to finalize the revision work to reach the Final Draft International Standard (FDIS) stage. The finalized version of ISO 31000 is expected to be published by the end of 2017 or early 2018.

The post Revised ISO 31000 DIS Seeks to Simplify Risk Management appeared first on The Auditor.

Security Expert Expects Rise in Security Certifications

Jeff Slotnick has been thinking about, analyzing, and predicting the future of the security industry for more than 30 years. In that time, he’s seen the industry shift into a significantly more important role, a change he saw coming while serving as a senior enlisted soldier in the United States Army Corps of Engineers.

“I’ve always been an evangelist for this community,” Slotnick observes. “The more people know about how risk assessment can help them, can help us run companies better and do things more safely, the more they become believers themselves.”

Slotnick, a certified protection professional (CPP) and physical security professional (PSP), is the president of Setracon Inc. and chief security officer at OR3M, based in Washington state. He’s traveled the world consulting with organizations about their security risk profiles, and the predictions he made decades ago about the evolution of standardization in the risk assessment profession are fast becoming a reality. Alignment with ISO 31000 and ISO/PAS 28000 has become much more sought after in recent years. According to Slotnick, this is a change he saw coming years ago.

“It’s the influence of technology,” he says. “ISO 31000 and similar standards help organizations grasp an understanding of their culture, not just their data. It enables them to use all the data they collect and all the devices they have—which produce an immense amount of data—to protect themselves, their employees, customers, and businesses. It’s a very exciting time.”

The ISO 31000 family of standards includes ISO 31000:2009—Risk management—Principles and guidelines, ISO/IEC 31010:2009—Risk management—Risk assessment techniques, and ISO Guide 73:2009—Risk management—Vocabulary. Although the standards weren’t developed to be certified against, Slotnick expects their popularity will increase significantly in coming years as more organizations recognize the potential of the standards to make them more secure.

“I find 60 percent of this job is education,” he says. “People don’t know what they don’t know. Simply capturing data in an audit, you’re creating a very clear value statement. I can show a company how identifying and managing risk helps them avoid problems in the future. Knowing what those dangers are and being able to create a plan to prevent or eliminate them is a very valuable skill and one that more people should learn.”

Teaching that skill is something that Slotnick is very familiar with. He serves as a faculty advisor with the University of Phoenix, where he also takes classes to continue his own learning. In his roles as consultant, teacher, and student, he sees the risk assessment profession moving toward full enterprise security risk management (ESRM) and ultimately enterprise risk management (ERM). This is a shift that could have dramatic consequences for the way organizations staff their executive boards.

“This is an industry in transition,” he observes. “Traditionally, we’ve seen risk as a physical thing, something to address with physical means. Now, we’re seeing organizations meld their risk profile with their OHSAS, environmental, financial, customer and employee health, cyber, and physical risk efforts. All risk is shared. When there is risk to one part of an organization, there is going to be risk exposure to many other parts. That’s an exciting thing, and it’s been a long time coming.”

The post Security Expert Expects Rise in Security Certifications appeared first on The Auditor.