Professional Documents
Culture Documents
(MRTI) Week 07
(MRTI) Week 07
IT RISK MANAGEMENT
COMPREHEND FRAMEWORKS IN RISK MANAGEMENT
Lecturer:
Hanim Maria Astuti, M.Sc.
Eko Wahyu Tyas, MBA.
Information Systems Department
Institut Teknologi Sepuluh Nopember
Identify and assess risks related to the use of IT in an
organization
Page 2
Independent Learning:
ISO31000
ERM COSO
ISO 27001
Page 3
Framework vs.
Standards
Page 4
Framework: What is
Page 5
Standard: What is
Page 6
Their position
Page 7
Secara berkelompok (Group Work), pahami konsep
ISO31000. Untuk memahami konsep, jawablah
berdasarkan aspek what, why, when, how.
Durasi: 30 menit.
Kumpulkan tugas Anda dalam bentuk PDF di
\\10.126.10.21\Kuliah Share\MRTI GENAP 2016\KELAS C
Username/password: kuliahshare/kuliahshare4321
Page 8
Secara berkelompok (Group Work), pahami konsep ERM
COSO. Untuk memahami konsep, jawablah berdasarkan
aspek what, why, when, how.
Durasi: 30 menit.
Kumpulkan tugas Anda dalam bentuk PDF di
\\10.126.10.21\Kuliah Share\MRTI GENAP 2016\KELAS C
Username/password: kuliahshare/kuliahshare4321
Page 9
Secara berkelompok (Group Work), pahami konsep ISO
27001. Untuk memahami konsep, jawablah berdasarkan
aspek what, why, when, how.
Durasi: 30 menit.
Kumpulkan tugas Anda dalam bentuk PDF di
\\10.126.10.21\Kuliah Share\MRTI GENAP 2016\KELAS C
Username/password: kuliahshare/kuliahshare4321
Page 10
Common Risk
Management Frameworks
Page 11
At a glance
Page 12
There are several frameworks commonly used in the
practice of managing risks.
The common frameworks:
ISO 31000
ERM COSO
ISO 27001
Page 13
Consists of the principles, framework and process for
managing risks.
Page 14
Stage one: Establishing the context
The most important deliverable from this stage is
establishing the objectives and scope of the risk
assessment.
Stage two: Risk assessment
The risk assessment phase has three goals: risk
identification, risk analysis and risk evaluation.
Stage three: Risk treatment
More commonly referred to as the risk management
stage, the organization implements controls designed
to reduce risk, assess the effectiveness of those
controls and implement additional controls on an as-
needed basis.
Page 15
Page 16
COSO Enterprise Risk Management-Integrated
Framework was initiated in 2004.
This framework is quite well-known and used globally
by many institutions.
Like with ISO 31000, this framework also considers the
blend of company‟s day-to-day activities (strategic,
operations, reporting and compliance) with the
practice of managing risks.
It consists of 8 main components.
Page 17
Page 18
Entity objectives can be viewed in the context of
four categories:
Strategic
Operations
Reporting
Compliance
Page 19
ERM considers activities at all levels of the
organization:
Enterprise-level
Division or subsidiary
Business unit processes
Page 20
Page 21
The ISO 27000 family of standards helps
organizations keep information assets secure.
ISO/IEC 27001 is the best-known standard in the
family providing requirements for an information
security management system (ISMS).
An ISMS is a systematic approach to managing
sensitive company information so that it remains
secure. It includes people, processes and IT
systems by applying a risk management process.
It can help small, medium and large businesses
in any sector keep information assets secure.
Page 22
ISO/IEC 27001:2013 has the following sections:
0 Introduction - the standard uses a process approach.
1 Scope - it specifies generic ISMS requirements suitable for organizations of
any type, size or nature.
2 Normative references - only ISO/IEC 27000 is considered absolutely
essential to users of ‟27001: the remaining ISO27k standards are optional.
3 Terms and definitions - a brief, formalized glossary, soon to be
superseded by ISO/IEC 27000.
4 Context of the organization - understanding the organizational context,
the needs and expectations of „interested parties‟, and defining the scope
of the ISMS. Section 4.4 states very plainly that “The organization shall
establish, implement, maintain and continually improve” a compliant ISMS.
5 Leadership - top management must demonstrate leadership and
commitment to the ISMS, mandate policy, and assign information security
roles, responsibilities and authorities.
6 Planning - outlines the process to identify, analyze and plan to treat
information security risks, and clarify the objectives of information security.
7 Support - adequate, competent resources must be assigned, awareness
raised, documentation prepared and controlled.
Page 23
8 Operation - a bit more detail about assessing and treating information
security risks, managing changes, and documenting things (partly so that
they can be audited by the certification auditors).
9 Performance evaluation - monitor, measure, analyze and
evaluate/audit/review the information security controls, processes and
management system in order to make systematic improvements where
appropriate.
10 Improvement - address the findings of audits and reviews (e.g.
nonconformities and corrective actions), make continual refinements to the
ISMS
Annex A Reference control objectives and controls - little more in fact
than a list of titles of the control sections in ISO/IEC 27002. The annex is
„normative‟, implying that certified organizations are expected to use it,
but they are free to deviate from or supplement it in order to address their
particular information security risks.
Bibliography - points readers to five related standards, plus part 1 of the
ISO/IEC directives, for more information. In addition, ISO/IEC 27000 is
identified in the body of the standard as a normative (i.e. essential)
standard and there are several references to ISO 31000 on risk management.
Page 24
Page 25