Title :
Security Risk Management in complex organization
Author :
Sedinic, Ivan ; Perusic, Tamara
Author_Institution :
Cyber & Data Security Sect., Croatian Telecom, Croatia
Abstract :
Security Risk Management is the foundation and starting point for the implementation of security measures in any organization, and a challenge in itself. In complex organizations there are additional challenges: how to align IT Security Risk Management with overall Security Risk Management, and later with the Company's overall Risk Management. When an organization is part of an international corporation, corporate rules also need to be followed in addition to legal and regulatory rules. In the telecom industry it is also very important in regular operations that a security assessment can be performed in a short time slot as support for operational decisions. Croatian Telecom, as a part of Deutsche Telecom Group, is facing all of these issues in addition to the ISO 27001 requirements against which the Company is certified. To solve the challenge, the Company developed three methodologies for Information Security Risk Management. All of these methodologies are merged in a common Risk Register as well as aligned with the Company's Risk Management. In this paper each Information Security Risk Management methodology will be described, including its application area, as well as how recognized security risks are shown in the common Risk Register and how they relate to the Company's Risk Management.
Keywords :
ISO standards; organisational aspects; risk management; security of data; Croatian Telecom; Deutsche Telecom Group; ISO 27001 requirements; IT security risk management; common risk register; complex organization; corporative rules; information security; international corporation; legal rules; operational decisions; regulation rules; Companies; ISO standards; Information security; Risk management;
Conference_Title :
Information and Communication Technology, Electronics and Microelectronics (MIPRO), 2015 38th International Convention on
Conference_Location :
Opatija
DOI :
10.1109/MIPRO.2015.7160481