Risk Management in ISO 27001:2022
Risk management is a fundamental process required by ISO 27001. ISMS Section 6 addresses planning a risk management process (risks and opportunities, risk assessment, risk treatment, and information security risk management). ISMS Section 8 addresses implementation of risk management planning, including risk assessment activities, risk treatment, and risk reporting.
Risk planning is addressed in ISO 9001. However, it is only addressed in QMS Section 6, not in Section 8. For QMS, an organization only needs to consider risk issues when planning its QMS. There is no requirement for execution of risk assessment, risk treatment, risk reporting, etc.
To add ISMS to an existing QMS, an organization must implement a full, robust, and active risk management process. That can be achieved by implementing the Standards-Stores risk management plan and supporting work products, including a risk register. The risk management process is documented by:
- P-600 (Risk Management Plan)
- F-800 (Risk Register)
- WI-800 (Risk Register Work Instruction)
The Risk Management Plan explains how risk management is implemented within an organization. If you elect to alter the Risk Management Plan, consider the possible impacts on the related documents, F-800 (Risk Register) and WI-800 (Risk Register Work Instruction).
By implementing the Risk Register (F-800), and following the Risk Management Plan, your organization will conform to ISO 27001 Section 6 (Planning) and Section 8 (Operation).
WI-800 (Risk Register Work Instruction) provides step-by-step instructions on how to use the Risk Register (F-800).
If your existing QMS has a risk management process, integrate the existing QMS risk management activities and work products into your new ISMS risk management process.
Product: ISO 27001:2022 ISMS for Existing QMS