ISO 18788 Clause 6.2.2 outlines the requirements for establishing, implementing, and maintaining programs to achieve security operations and risk treatment objectives within the Security Operations Management System (SOMS). Here's an explanation of the key elements of this clause:
Clause 6.2.2 - Achieving Security Operations and Risk Treatment Objectives:
- Establishment of Programs: The organization is required to establish, implement, and maintain programs that are designed to achieve its security operations and risk treatment objectives. These programs should be tailored to control and treat risks associated with the organization's operations, subcontractors, and supply chain.
- Optimization and Prioritization: The programs should be optimized and prioritized based on the identified risks. This means that the organization should focus its resources on addressing the most critical and significant risks first.
- Formal and Documented Risk Treatment Process: The organization must establish, implement, and maintain a formal and documented risk treatment process. This process should consider various strategies for managing risks, including:
  a) Removing the source of risk when possible.
  b) Reducing the likelihood of an event and its consequences.
  c) Mitigating harmful consequences.
  d) Sharing the risk with other parties, including through risk insurance.
  e) Spreading the risk across assets and functions.
  f) Accepting the risk or pursuing opportunities through informed decision-making.
  g) Avoiding or temporarily halting activities that pose a risk.
- Responsibility of Top Management: Top management is responsible for key aspects of the risk treatment process, including:
  a) Assessing the benefits and costs of different risk treatment options to determine whether risks should be removed, reduced, or retained.
  b) Evaluating the impact of security operations programs to identify any new risks introduced.
  c) Periodically reviewing the risk treatment process to ensure it remains effective and reflects changes in the external environment, including legal, regulatory, and other requirements, as well as changes within the organization related to policies, facilities, information management systems, activities, functions, products, services, and the supply chain.
In summary, this clause emphasizes the need for structured programs to address security operations and risk treatment objectives effectively. It also underscores the importance of a documented risk treatment process that considers various strategies for managing risks. Top management plays a crucial role in assessing options, evaluating program impacts, and ensuring that risk treatment remains aligned with changing requirements and organizational developments.