The Effect of Organisational Structure and Culture on Information Security Risk Processes

Risk sound judgement is regarded as an integral part of whatever reading security attention manikin. This is because an information security focussing framework exists to enable an organisation to maximise the use of its information within a level of risk that is acceptable to the organisation. In information security counsel literature risk assessment processes are presented as pivotal to the success of the information security management framework.Risk assessment is used to take a shit the ISMS, determine the information security risks that an organisation faces, and identify the security counter stones throws undeniable to reduce the risks to an appropriate level. The emphasis is on an appropriate response to the measure of risk where appropriate is considered in the overall context of the organisation. Risk assessment is enmeshed with additional organisational processes that construct what is termed an Information Security Management transcription (ISMS). An informatio n security management system is primarily described in the information security management standard ISO 27001 9, clauses 4-8.It is an abstracted organisational model make in information security management literature which articulates a systematised visit of the information security management functions and processes described in much of the information security management literature. The role of an Information Security Management ashes (ISMS) is to ensure that adequate controls are established, implemented, monitored, reviewed and improved, where necessary, to ensure that the specific security and channel objectives of an organisation are met. 8, p. viii.In this regard, an ISMS is comprised of logical management functions and management processes. The race between risk assessment and the other information security management processes is described in Figure One which shows that the processes interact in a continuous loop, termed the Plan-Do-Check-Act cycle (PDCA) or Deming Wh eel in security management literature. The dominating decision making processes are risk based and wee-wee some form of risk assessment or evaluation. However the period to which the process is a technical, standardised one, is highly dependent on the organisational context, as this paper discusses.