The 2013 revision of ISO 27001 introduced a new concept: the risk owner. Since this concept has caused quite a lot of confusion among information security practitioners, here is an explanation of what the risk owner is, and whether the concept of asset owner from the old 2005 revision of ISO 27001 is still valid.
What is the asset owner, according to ISO 27001?
Both the old 2005 and the new 2013 revisions of ISO 27001 have the concept of asset owner as a control in Annex A. In essence, it means determining who is responsible for each asset in your company. In terms of information security, assets are not only information in electronic and paper form, but also software, hardware, services, people, facilities, and everything else that provides value to the organization.
Why is asset ownership important? Because if no one is responsible for an asset, no one will take care of it. Only by explicitly defining who is responsible for each document, each server, each external service, etc., can you make sure that each of those assets is properly protected and managed; without asset owners, security management degenerates into anarchy.
Asset-based risk assessment
Where the 2005 and 2013 revisions differ is that the 2005 revision required the identification of asset owners both during the risk assessment process and as control A.7.1.2 in Annex A, whereas the 2013 revision does not have this requirement in the risk assessment process, only as control A.8.1.2 in Annex A.
What’s more, the 2013 revision does not require the so-called asset-based risk assessment, which identifies risks based on assets, threats and vulnerabilities. According to ISO 27001:2013, your company may identify risks using some other (less complicated) method, as long as repeated assessments produce consistent, valid and comparable results.
However, my opinion is that asset-based risk assessment will continue to be the dominant method for risk assessment, especially if you choose to apply controls A.8.1.1 (inventory of assets) and A.8.1.2 (ownership of assets). If you do list those assets, you have already done a good part of an asset-based risk assessment; in that case, even under the 2013 revision it makes sense to list assets (and their owners) during the risk assessment process.
What is the risk owner according to ISO 27001?
So then, what is the risk owner? ISO 27000:2014 defines the risk owner as a “person or entity with the accountability and authority to manage a risk.” In practice, this is a person who is both interested in resolving a risk and positioned highly enough in the organization to actually do something about it.
So, for instance, the asset owner of a server might be the IT administrator, while the risk owner for risks related to this server might be the administrator’s boss, the head of the IT department. The IT administrator manages the server on a day-to-day basis, while the head of the IT department takes care of, e.g., investing in better protection, providing training to the IT administrator, etc.
In my opinion, the concept of risk ownership was introduced because the asset owners very often did not have enough authority to resolve the risks they identified; besides, this concept also exists in ISO 31000, so this way ISO 27001:2013 was aligned with ISO 31000.
How to choose the risk owners
When choosing risk owners, you should aim for someone who is closely related to the processes and operations where the risks have been identified; it must be someone who will feel the “pain” if the risks materialize, that is, someone who is very much interested in preventing such risks from happening. However, this person must also be positioned highly enough that his or her voice is heard among the decision makers, because without obtaining the resources the task would be impossible. So, it seems to me that mid-level managers are often the best candidates for risk owners.
Even though the standard allows an entity to be a risk owner (e.g., a department or a business unit), I would not advise it: it is always better to have one individual in charge of resolving a problem than a group of people. For instance, if the head of the IT department is responsible for resolving a risk, it will be done much more quickly than if the whole IT department were responsible for the same risk.
When it comes to appointing the risk owners, it is best done through the Risk treatment plan, since this is the action plan on how to resolve the risks: you simply define for each risk who is responsible for implementing the controls. Keep in mind that ISO 27001:2013 also expects the risk owners to approve the Risk treatment plan and to accept the residual risks, so a risk owner who is never asked to sign off on the treatment of “their” risks is a gap an auditor will notice. Read also: Risk Treatment Plan and risk treatment process – What’s the difference?
To conclude, companies should determine both risk owners and asset owners when implementing ISO 27001; the easiest way is to determine them during the risk assessment process. By doing this properly, implementing and operating information security becomes a much easier job.