Avoid the risk by stopping an activity that is too risky, or by doing it in a completely different fashion. Accept the risk — if, for instance, the cost of mitigating that risk would be higher than the damage itself. This is where you need to get creative — how to decrease the risks with minimum investment.
It would be easiest if your budget were unlimited, but that is never going to happen. And I must tell you that unfortunately your management is right — it is possible to achieve the same result with less money; you only need to figure out how. Not only for the auditors, but you may want to check these results yourself in a year or two. Statement of Applicability: this document actually shows the security profile of your company — based on the results of the risk treatment you need to list all the controls you have implemented, why you have implemented them and how.
This document is also very important because the certification auditor will use it as the main guideline for the audit. Risk Treatment Plan: this is the step where you have to move from theory to practice. This is the purpose of the Risk Treatment Plan — to define exactly who is going to implement each control, in which timeframe, with which budget, etc.
The point is — ISO forces you to make this journey in a systematic way.
The object of IEC is to promote international co-operation on all questions concerning standardization in the electrical and electronic fields. Their preparation is entrusted to technical committees; any IEC National Committee interested in the subject dealt with may participate in this preparatory work. International, governmental and non-governmental organizations liaising with the IEC also participate in this preparation.
IEC collaborates closely with the International Organization for Standardization ISO in accordance with conditions determined by agreement between the two organizations. While all reasonable efforts are made to ensure that the technical content of IEC Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any misinterpretation by any end user. Any divergence between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in the latter.
Use of the referenced publications is indispensable for the correct application of this publication. IEC shall not be held responsible for identifying any or all such patent rights. The text of this standard is based on the following documents: These objectives may relate to a range of the organization's activities, from strategic initiatives to its operations, processes and projects, and be reflected in terms of societal, environmental, technological, safety and security outcomes, commercial, financial and economic measures, as well as social, cultural, political and reputation impacts.
All activities of an organization involve risks that should be managed. The risk management process aids decision making by taking account of uncertainty and the possibility of future events or circumstances (intended or unintended) and their effects on agreed objectives. Risk assessment is that part of risk management which provides a structured process that identifies how objectives may be affected, and analyses the risk in terms of consequences and their probabilities before deciding on whether further treatment is required.
Risk assessment attempts to answer the following fundamental questions: Is the level of risk tolerable or acceptable and does it require further treatment? This standard is intended to reflect current good practices in selection and utilization of risk assessment techniques, and does not refer to new or evolving concepts which have not reached a satisfactory level of professional consensus.
This standard is general in nature, so that it may give guidance across many industries and types of system. There may be more specific standards in existence within these industries that establish preferred methodologies and levels of assessment for particular applications. If these standards are in harmony with this standard, the specific standards will generally be sufficient.
Risk assessment carried out in accordance with this standard contributes to other risk management activities. The application of a range of techniques is introduced, with specific references to other international standards where the concept and application of techniques are described in greater detail. This standard is not intended for certification, regulatory or contractual use.
This standard does not provide specific criteria for identifying the need for risk analysis, nor does it specify the type of risk analysis method that is required for a particular application. This standard does not refer to all techniques, and omission of a technique from this standard does not mean it is not valid.
The fact that a method is applicable to a particular circumstance does not mean that the method should necessarily be applied. NOTE This standard does not deal specifically with safety.
It is a generic risk management standard and any references to safety are purely of an informative nature. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document including any amendments applies. Some of the principal benefits of performing risk assessment include: A risk management framework provides the policies, procedures and organizational arrangements that will embed risk management throughout the organization at all levels.
As part of this framework, the organization should have a policy or strategy for deciding when and how risks should be assessed. Stakeholders should contribute to the interfacing of the risk assessment process with other management disciplines, including change management, project and programme management, and also financial management.
Establishing the context includes considering internal and external parameters relevant to the organization as a whole, as well as the background to the particular risks being assessed. In establishing the context, the risk assessment objectives, risk criteria, and risk assessment programme are determined and agreed. For a specific risk assessment, establishing the context should include the definition of the external, internal and risk management context and classification of risk criteria: Risks can be assessed at an organizational level, at a departmental level, for projects, individual activities or specific risks.
Different tools and techniques may be appropriate in different contexts. Risk assessment provides an understanding of risks, their causes, consequences and their probabilities.
This provides input to decisions about: This is followed by a cyclical process of reassessing the new level of risk, with a view to determining its tolerability against the criteria previously set, in order to decide whether further treatment is required. Accountability for monitoring and performing reviews should be established. This provides a basis for decisions about the most appropriate approach to be used to treat the risks. The output of risk assessment is an input to the decision-making processes of the organization.
Risk assessment is the overall process of risk identification, risk analysis and risk evaluation see Figure 1.
The manner in which this process is applied is dependent not only on the context of the risk management process but also on the methods and techniques used to carry out the risk assessment.
The purpose of risk identification is to identify what might happen or what situations might exist that might affect the achievement of the objectives of the system or organization. Once a risk is identified, the organization should identify any existing controls such as design features, people, processes and systems.
The risk identification process includes identifying the causes and source of the risk (hazard in the context of physical harm), events, situations or circumstances which could have a material impact upon objectives, and the nature of that impact. Risk identification methods can include: Various supporting techniques can be used to improve accuracy and completeness in risk identification, including brainstorming and Delphi methodology.
Irrespective of the actual techniques employed, it is important that due recognition is given to human and organizational factors when identifying risk.
It provides an input to risk assessment and to decisions about whether risks need to be treated and about the most appropriate treatment strategies and methods. Risk analysis consists of determining the consequences and their probabilities for identified risk events, taking into account the presence or not and the effectiveness of any existing controls.
The consequences and their probabilities are then combined to determine a level of risk. Risk analysis involves consideration of the causes and sources of risk, their consequences and the probability that those consequences can occur.
Factors that affect consequences and probability should be identified. An event can have multiple consequences and can affect multiple objectives. Existing risk controls and their effectiveness should be taken into account.
Various methods for these analyses are described in Annex B.
More than one technique may be required for complex applications. Risk analysis normally includes an estimation of the range of potential consequences that might arise from an event, situation or circumstance, and their associated probabilities, in order to measure the level of risk.
However, in some instances, such as where the consequences are likely to be insignificant, or the probability is expected to be extremely low, a single parameter estimate may be sufficient for a decision to be made. In some circumstances, a consequence can occur as a result of a range of different events or conditions, or where the specific event is not identified.
In this case, the focus of risk assessment is on analysing the importance and vulnerability of components of the system with a view to defining treatments which relate to levels of protection or recovery strategies.
Methods used in analysing risks can be qualitative, semi-quantitative or quantitative. The degree of detail required will depend upon the particular application, the availability of reliable data and the decision-making needs of the organization.
Some methods and the degree of detail of the analysis may be prescribed by legislation. Semi-quantitative methods use numerical rating scales for consequence and probability and combine them to produce a level of risk using a formula. Scales may be linear or logarithmic, or have some other relationship; formulae used can also vary. Quantitative analysis estimates practical values for consequences and their probabilities, and produces values of the level of risk in specific units defined when developing the context.
Full quantitative analysis may not always be possible or desirable due to insufficient information about the system or activity being analysed, lack of data, influence of human factors, etc. In such circumstances, a comparative semi-quantitative or qualitative ranking of risks by specialists, knowledgeable in their respective field, may still be effective. In cases where the analysis is qualitative, there should be a clear explanation of all the terms employed and the basis for all criteria should be recorded.
Even where full quantification has been carried out, it needs to be recognized that the levels of risk calculated are estimates. Care should be taken to ensure that they are not attributed a level of accuracy and precision inconsistent with the accuracy of the data and methods employed. In some instances, the magnitude of a risk can be expressed as a probability distribution over a range of consequences. Questions to be addressed include: These questions can only be answered with confidence if there are proper documentation and assurance processes in place.
The level of effectiveness for a particular control, or suite of related controls, may be expressed qualitatively, semi-quantitatively or quantitatively. In most cases, a high level of accuracy is not warranted. However, it may be valuable to express and record a measure of risk control effectiveness so that judgments can be made on whether effort is best expended in improving a control or providing a different risk treatment.
An event may have a range of impacts of different magnitudes, and affect a range of different objectives and different stakeholders. The types of consequence to be analysed and the stakeholders affected will have been decided when the context was established. Consequence analysis can vary from a simple description of outcomes to detailed quantitative modelling or vulnerability analysis.
Impacts may have a low consequence but high probability, or a high consequence and low probability, or some intermediate outcome.
In some cases, it is appropriate to focus on risks with potentially very large outcomes, as these are often of greatest concern to managers.
In other cases, it may be important to analyse both high and low consequence risks separately. For example, a frequent but low-impact or chronic problem may have large cumulative or long-term effects. In addition, the treatment actions for dealing with these two distinct kinds of risks are often quite different, so it is useful to analyse them separately.
Consequence analysis can involve: The data used should be relevant to the type of system, facility, organization or activity being considered and also to the operational standards of the organization involved. If historically there is a very low frequency of occurrence, then any estimate of probability will be very uncertain.
This applies especially for zero occurrences, when one cannot assume the event, situation or circumstance will not occur in the future. When historical data are unavailable or inadequate, it is necessary to derive probability by analysis of the system, activity, equipment or organization and its associated failure or success states. Numerical data for equipment, humans, organizations and systems from operational experience, or published data sources are then combined to produce an estimate of the probability of the top event.
When using predictive techniques, it is important to ensure that due allowance has been made in the analysis for the possibility of common mode failures involving the coincidental failure of a number of different parts or components within the system arising from the same cause. Simulation techniques may be required to generate probabilities of equipment and structural failures due to ageing and other degradation processes, by calculating the effects of uncertainties. Expert judgements should draw upon all relevant available information including historical, system-specific, organizational-specific, experimental, design, etc.
There are a number of formal methods for eliciting expert judgement which provide an aid to the formulation of appropriate questions.
The methods available include the Delphi approach, paired comparisons, category rating and absolute probability judgements. The purpose is to ensure that resources will be focussed on the most important risks. Care should be taken not to screen out low risks which occur frequently and have a significant cumulative effect. Screening should be based on criteria defined in the context. The preliminary analysis determines one or more of the following courses of action: The initial assumptions and results should be documented.
An understanding of uncertainties is necessary to interpret and communicate risk analysis results effectively. The analysis of uncertainties associated with data, methods and models used to identify and analyse risk plays an important part in their application. Uncertainty analysis involves the determination of the variation or imprecision in the results, resulting from the collective variation in the parameters and assumptions used to define the results.
An area closely related to uncertainty analysis is sensitivity analysis. Sensitivity analysis involves the determination of the size and significance of the magnitude of risk to changes in individual input parameters.
It is used to identify those data which need to be accurate, and those which are less sensitive and hence have less effect upon overall accuracy. The completeness and accuracy of the risk analysis should be stated as fully as possible.
Sources of uncertainty should be identified where possible and should address both data and method or model uncertainties. Parameters to which the analysis is sensitive and the degree of sensitivity should be stated. Risk evaluation uses the understanding of risk obtained during risk analysis to make decisions about future actions. Ethical, legal, financial and other considerations, including perceptions of risk, are also inputs to the decision.
Decisions may include: The nature of the decisions that need to be made and the criteria which will be used to make those decisions were decided when establishing the context but they need to be revisited in more detail at this stage now that more is known about the particular risks identified. The simplest framework for defining risk criteria is a single level which divides risks that need treatment from those which do not.
This gives attractively simple results but does not reflect the uncertainties involved both in estimating risks and in defining the boundary between those that need treatment and those that do not. The decision about whether and how to treat the risk may depend on the costs and benefits of taking the risk and the costs and benefits of implementing improved controls. A common approach is to divide risks into three bands: Risks should be expressed in understandable terms, and the units in which the level of risk is expressed should be clear.
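As an added example, not text or code from the standard or from the blog excerpt above, the following Python model ties together the semi-quantitative scoring (rating scales combined by a formula), the three-band evaluation, the one-at-a-time sensitivity analysis, and the caveat about frequent low-impact risks with a large cumulative effect. The scales, thresholds, formula and register entries are all constructed assumptions for illustration.

```python
from dataclasses import dataclass, replace

# Constructed 1..5 rating scales (assumed for this example, not taken from the
# standard): probability is logarithmic (each step is ten times more frequent
# per year), consequence is linear in loss units agreed in the context.
PROBABILITY_PER_YEAR = {1: 0.001, 2: 0.01, 3: 0.1, 4: 1.0, 5: 10.0}
CONSEQUENCE_UNITS = {1: 1.0, 2: 2.0, 3: 3.0, 4: 4.0, 5: 5.0}
# Constructed three-band criteria: below LOWER no treatment is needed, at or
# above UPPER treatment is required, in between costs and benefits decide.
LOWER = 6.0
UPPER = 15.0

@dataclass(frozen=True)
class Risk:
    name: str
    probability: int   # rating 1..5
    consequence: int   # rating 1..5
    control_effectiveness: float = 0.0   # 0.0 = no effective control, 1.0 = fully mitigated

def risk_level(r: Risk) -> float:
    """Semi-quantitative level: product of the ratings, discounted by existing controls."""
    return r.probability * r.consequence * (1.0 - r.control_effectiveness)

def band(level: float) -> str:
    """Place a level into one of the three constructed bands."""
    if level >= UPPER:
        return "treat"
    if level >= LOWER:
        return "evaluate cost/benefit"
    return "acceptable"

def annual_expected_loss(r: Risk) -> float:
    """Quantitative cross-check: frequency per year x consequence, same control discount.
    The rating product hides the cumulative effect of frequent low-impact events
    because it weighs a tenfold step in probability like a one-unit step in consequence."""
    return (PROBABILITY_PER_YEAR[r.probability] * CONSEQUENCE_UNITS[r.consequence]
            * (1.0 - r.control_effectiveness))

def sensitivity(r: Risk) -> dict:
    """One-at-a-time sensitivity: change in level when each rating moves up one step."""
    base = risk_level(r)
    deltas = {}
    for field in ("probability", "consequence"):
        bumped = replace(r, **{field: min(5, getattr(r, field) + 1)})
        deltas[field] = risk_level(bumped) - base
    return deltas

def assess(register):
    """Rows of (name, level, band, expected loss per year), highest level first."""
    rows = [(r.name, risk_level(r), band(risk_level(r)), annual_expected_loss(r)) for r in register]
    return sorted(rows, key=lambda row: row[1], reverse=True)

if __name__ == "__main__":
    # Constructed register: the first two risks share a rating product of 5 and the
    # same band, yet differ 2000x in expected annual loss.
    register = [
        Risk("phishing-led account lockouts", probability=5, consequence=1),
        Risk("flood in primary data centre", probability=1, consequence=5),
        Risk("ransomware via unpatched VPN", probability=4, consequence=4, control_effectiveness=0.5),
        Risk("loss of unencrypted backup media", probability=4, consequence=5),
    ]
    for name, level, b, ael in assess(register):
        print(f"{name:34s} level={level:5.1f} band={b:21s} loss/yr={ael:8.3f}")
    print("sensitivity of VPN risk:", sensitivity(register[2]))
```

The sensitivity figures show that a one-step error in probability matters most where the consequence rating is already high, which is where the page recommends stating the degree of sensitivity explicitly.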
The extent of the report will depend on the objectives and scope of the assessment. Except for very simple assessments, the documentation can include: If the risk assessment supports a continuing risk management process, it should be performed and documented in such a way that it can be maintained throughout the life cycle of the system, organization, equipment or activity.
The assessment should be updated as significant new information becomes available and the context changes, in accordance with the needs of the management process.
These factors should be specifically identified for on-going monitoring and review, so that the risk assessment can be updated when necessary. Data to be monitored in order to refine the risk assessment should also be identified and collected.
The effectiveness of controls should also be monitored and documented in order to provide data for use in risk analysis. Accountabilities for creation and reviewing the evidence and documentation should be defined. Risk assessment can be applied at all stages of the life cycle and is usually applied many times with different levels of detail to assist in the decisions that need to be made at each phase.
Life cycle phases have different requirements and need different techniques. For example, during the concept and definition phase, when an opportunity is identified, risk assessment may be used to decide whether to proceed or not. Where several options are available, risk assessment can be used to evaluate alternative concepts to help decide which provides the best balance of positive and negative risks. As the activity proceeds, risk assessment can be used to provide information to assist in developing procedures for normal and emergency conditions.
The annexes list and further explain a range of tools and techniques that can be used to perform a risk assessment or to assist with the risk assessment process. It may sometimes be necessary to employ more than one method of assessment. The form of assessment and its output should be consistent with the risk criteria developed as part of establishing the context. Annex A illustrates the conceptual relationship between the broad categories of risk assessment techniques and the factors present in a given risk situation, and provides illustrative examples of how organizations can select the appropriate risk assessment techniques for a particular situation.
In general terms, suitable techniques should exhibit the following characteristics: The reasons for the choice of techniques should be given, with regard to relevance and suitability. When integrating the results from different studies, the techniques used and outputs should be comparable. Once the decision has been made to perform a risk assessment and the objectives and scope have been defined, the techniques should be selected, based on applicable factors such as: The objectives of the risk assessment will have a direct bearing on the techniques used.
A simple method, well done, may provide better results than a more sophisticated procedure poorly done, so long as it meets the objectives and scope of the assessment. Ordinarily, the effort put into the assessment should be consistent with the potential level of risk being analysed; Various factors influence the selection of an approach to risk assessment such as the availability of resources, the nature and degree of uncertainty in the data and information available, and the complexity of the application see Table A.
This includes the extent to which sufficient information about the risk, its sources and causes, and its consequences to the achievement of objectives is available.
Uncertainty can stem from poor data quality or the lack of essential and reliable data. To illustrate, data collection methods may change, the way organizations use such methods may change or the organization may not have an effective collection method in place at all, for collecting data about the identified risk.