22 lines
No EOL
1.5 KiB
Markdown
22 lines
No EOL
1.5 KiB
Markdown
# Risk Ownership
|
||
|
||
See also [Asset ownership](Asset%20ownership.md), [Control ownership](ISMS/Control%20ownership.md)
|
||
|
||
**ISO 27001 explicit mention of risk ownership:**
|
||
- C 6.1.2 c2: Risks should have an owner
|
||
- C 6.1.3 f: Risk owners’ must approve the risk treatment plan and accept residual risks
|
||
|
||
[Risk owners vs. asset owners in ISO 27001:2013 | Advisera](https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/)
|
||
|
||
> ISO 27001 noemt specifiek de verantwoordelijkheid voor het accepteren van restrisico’s (A 6.1.1)
|
||
>
|
||
|
||
|
||
|
||
> Eigenaarschap van een asset en de bijbehorende risico’s wordt meestal bij de ‘business’ gelegd, die persoon is nl. verantwoordelijk voor correcte omgang met ‘zijn’ assets. Eigenaarschap van technische maatregelen ligt in veel gevallen bij de IT-functie, maar kan bijv. ook onder Vendor management vallen. Andere voorbeelden zijn de maatregel Screening van nieuwe medewerkers (A 7.1.1), vaak is HR de eigenaar, en fysieke beveiliging (A 11), vaak bij een afdeling Facilitair.
|
||
|
||
Risk ownership can be separated from asset ownership, when the asset owner has no direct interest in controlling the risk, i.e. impact of the risk does not hurt the asset owner. For instance: the marketing manager may not experience a negative from a GDPR purpose limitation overtreding.
|
||
The risk ownership can then be assigned to a third party, for example a compliance officer.
|
||
|
||
|
||
See also [Transfer in Risk Treatment](../Literature%20notes/Transfer%20in%20Risk%20Treatment.md). |