fbpx

CIMSNex User Guides

System Guides

SOMS Guides
Star InactiveStar InactiveStar InactiveStar InactiveStar Inactive

ISO 18788 Clause 6.1.3 outlines the requirements for establishing a formal and documented communication and consultation process with both internal and external stakeholders during the risk assessment process within the Security Operations Management System (SOMS). This process ensures effective risk assessment and management by involving relevant parties. Here's an explanation of the key elements of this clause:

Clause 6.1.3 - Internal and External Risk Communication and Consultation:

  1. Formal and Documented Process: The organization is required to establish, implement, and maintain a formal and documented communication and consultation process. This process is designed to facilitate effective interaction with internal and external stakeholders during the risk assessment process.

  2. Understanding Operational Objectives and Client Interests: The process aims to ensure a clear understanding of operational objectives and the interests of the client. This includes comprehending the needs and expectations of the individuals, organizations, communities, or activities being protected by the security operations.

  3. Adequate Risk Identification and Communication: The process ensures that risks are adequately identified and effectively communicated. This involves the comprehensive assessment and transparent sharing of risks.

  4. Understanding Other Stakeholder Interests: The organization seeks to understand the interests of all relevant internal and external stakeholders beyond the client. This broader understanding is essential for addressing a wide range of concerns and perspectives.

  5. Communication of Risks and Treatments: The process includes the communication of identified risks and the treatments or mitigation strategies associated with these risks. This sharing of information helps stakeholders make informed decisions.

  6. Dependencies and Supply Chain Considerations: The process considers dependencies and linkages with subcontractors and throughout the supply chain. Understanding these relationships is critical for comprehensive risk assessment and management.

  7. Integration with Other Management Disciplines: The organization ensures that the security operations risk assessment process interfaces effectively with other management disciplines within the organization. This integration ensures alignment with broader organizational goals and strategies.

  8. Context and Parameters: The risk assessment process is conducted within the appropriate internal and external context and parameters relevant to the organization, its subcontractors, and the supply chain. This contextual understanding is vital for accurate risk assessment.

In summary, this clause underscores the importance of effective communication and consultation with stakeholders, both internal and external, throughout the risk assessment process. By involving relevant parties and considering a broad range of interests, the organization can enhance its risk assessment and management capabilities within the SOMS. The process should be formal, documented, and adaptable to the specific context and needs of the organization.

 

SOMS Guides
Star InactiveStar InactiveStar InactiveStar InactiveStar Inactive

ISO 18788 Clause 6.2.2 outlines the requirements for establishing, implementing, and maintaining programs to achieve security operations and risk treatment objectives within the Security Operations Management System (SOMS). Here's an explanation of the key elements of this clause:

Clause 6.2.2 - Achieving Security Operations and Risk Treatment Objectives:

  1. Establishment of Programs: The organization is required to establish, implement, and maintain programs that are designed to achieve its security operations and risk treatment objectives. These programs should be tailored to control and treat risks associated with the organization's operations, subcontractors, and supply chain.

  2. Optimization and Prioritization: The programs should be optimized and prioritized based on the identified risks. This means that the organization should focus its resources on addressing the most critical and significant risks first.

  3. Formal and Documented Risk Treatment Process: The organization must establish, implement, and maintain a formal and documented risk treatment process. This process should consider various strategies for managing risks, including:

    • a) Removing the source of risk when possible.

    • b) Reducing the likelihood of an event and its consequences.

    • c) Mitigating harmful consequences.

    • d) Sharing the risk with other parties, including through risk insurance.

    • e) Spreading the risk across assets and functions.

    • f) Accepting the risk or pursuing opportunities through informed decision-making.

    • g) Avoiding or temporarily halting activities that pose a risk.

  4. Responsibility of Top Management: Top management is responsible for key aspects of the risk treatment process, including:

    • a) Assessing the benefits and costs of different risk treatment options to determine whether risks should be removed, reduced, or retained.

    • b) Evaluating the impact of security operations programs to identify any new risks introduced.

    • c) Periodically reviewing the risk treatment process to ensure it remains effective and reflects changes in the external environment, including legal, regulatory, and other requirements, as well as changes within the organization related to policies, facilities, information management systems, activities, functions, products, services, and the supply chain.

In summary, this clause emphasizes the need for structured programs to address security operations and risk treatment objectives effectively. It also underscores the importance of a documented risk treatment process that considers various strategies for managing risks. Top management plays a crucial role in assessing options, evaluating program impacts, and ensuring that risk treatment remains aligned with changing requirements and organizational developments.

 

SOMS Guides
Star InactiveStar InactiveStar InactiveStar InactiveStar Inactive

ISO 18788 Clause 7.1.2.2 focuses on the organizational structure of the Security Operations Management System (SOMS). It outlines the requirements for defining roles, responsibilities, authorities, and accountabilities within the organization's management structure. Here's an explanation of the key elements of this clause:

Clause 7.1.2.2 - Organizational Structure:

  1. Clearly Defined Management Structure: The organization is required to have a clearly defined management structure. This structure should identify roles, responsibilities, authorities, and accountabilities for both its operations and services related to security operations.

  2. Documentation of Organizational Structure: The organization must document its organizational structure, which includes details such as the duties, responsibilities, and authorities of management personnel. This documentation provides clarity and transparency within the organization.

  3. Legal Entity Definition: If the organization is a defined part of a legal entity (e.g., a subsidiary or division of a larger corporation), it should define and document this relationship. This includes clarifying how the organization fits into the legal entity's overall structure and governance.

  4. Joint Ventures and Partnering Arrangements: If there are any joint venture or partnering arrangements within the scope of the SOMS, these should be defined and documented. This ensures that the organization has a clear understanding of how such arrangements relate to its security operations.

In summary, this clause emphasizes the importance of having a well-defined organizational structure within the SOMS. By documenting roles, responsibilities, authorities, and accountabilities, the organization ensures that everyone understands their respective roles in security operations. Additionally, if the organization is part of a larger legal entity or has joint venture/partnering arrangements, these relationships should be clearly defined and documented to maintain transparency and governance.

 

USER GUIDES

Image
Empowering organizations to achieve their performance objectives through a unique blend of consulting expertise and technology-driven solutions.

More Links

FEATURED SERVICES

Performance Improvement Consulting

ISO Management Systems Training

Customized Consulting Services

Technology Integration Solutions

 

ISO Compliance Software
Integrate . Mantain . Comply

Search