The risk assessment process
The following is a diagram of the information risk assessment process:
[Diagram: Identify assets within scope of the ISMS -> Identify threats to confidentiality, availability and integrity -> Identify vulnerabilities those threats could exploit -> Assess the likelihood of those threats occurring -> Assess the impacts of those threats -> Evaluate the risk]
Identify the systems and information assets that are critical to the achievement of the
organization's tasks and objectives, as well as the people who are responsible for the
protection of those assets.
Then identify what can go wrong or what can attack those assets. Next, determine
whether the information assets are actually open to exploitation by those threats. If an
information asset is exploited by a threat, the impact must be assessed. This is
generally done in qualitative terms, but it can be monetized by evaluating the loss to
the enterprise of the information not being available: for example, the loss if the customer
master is unavailable and orders cannot be entered for three days. The likelihood,
from almost certain to highly unlikely, must also be assessed before the risk level
can finally be calculated and added to the risk register.
The Risk Treatment Plan
For each risk in the risk register, the enterprise needs to develop a risk treatment
plan. The enterprise may choose to pass the risk to another party through insurance
or other contractual means. The enterprise may choose to apply controls that will
reduce the likelihood and/or impact to acceptable levels. Management must
positively accept whatever residual risk remains. The risk treatment plan
should also include a plan to address security incidents if a control should fail.
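As an added illustration (not from the book), the following Python model walks a single risk register entry through the steps above: asset and owner, threat, vulnerability, likelihood on an ordinal scale, impact that is qualitative but can be monetized as in the customer-master example, a calculated risk level, and a treatment step that refuses to record acceptance of residual risk without management sign-off. The five-step scales, the band thresholds and the customer-master order figures are assumptions made for the example.

```python
from dataclasses import dataclass, replace
from enum import IntEnum

# Ordinal scales. The text names only the end points ("almost certain" and
# "highly unlikely"); the intermediate steps are assumed for illustration.
class Likelihood(IntEnum):
    HIGHLY_UNLIKELY = 1; UNLIKELY = 2; POSSIBLE = 3; LIKELY = 4; ALMOST_CERTAIN = 5

class Impact(IntEnum):
    NEGLIGIBLE = 1; MINOR = 2; MODERATE = 3; MAJOR = 4; SEVERE = 5

@dataclass(frozen=True)
class Risk:
    asset: str                    # information asset within ISMS scope
    owner: str                    # person responsible for protecting it
    threat: str                   # what can attack the asset
    vulnerability: str            # what the threat could exploit
    likelihood: Likelihood
    impact: Impact
    loss_estimate: float = 0.0    # monetized impact, if the enterprise quantifies it
    treatment: str = "untreated"  # transfer | reduce | accept
    accepted_by: str = ""         # management sign-off for residual risk

    def level(self) -> int:
        """Risk level = likelihood x impact, giving a score from 1 to 25."""
        return int(self.likelihood) * int(self.impact)

def band(level: int) -> str:
    """Assumed thresholds for the qualitative risk band."""
    return "high" if level >= 15 else "medium" if level >= 8 else "low"

def outage_loss(orders_per_day: int, avg_order_value: float, days: int) -> float:
    """Monetize 'orders cannot be entered for N days' as lost order intake."""
    return orders_per_day * avg_order_value * days

def treat(risk: Risk, treatment: str, likelihood=None, impact=None, accepted_by="") -> Risk:
    """Apply a treatment and return the residual risk entry for the register."""
    if treatment == "accept" and not accepted_by:
        raise ValueError("residual risk must be positively accepted by management")
    return replace(risk, treatment=treatment, accepted_by=accepted_by,
                   likelihood=likelihood or risk.likelihood,
                   impact=impact or risk.impact)

def risk_register(risks) -> list:
    """Register ordered highest risk level first."""
    return sorted(risks, key=lambda r: r.level(), reverse=True)

# Constructed register entry modelled on the customer-master example in the text.
CUSTOMER_MASTER = Risk("customer master database", "order-entry manager",
                       "database outage", "no tested restore procedure",
                       Likelihood.POSSIBLE, Impact.MAJOR,
                       loss_estimate=outage_loss(400, 250.0, 3))
```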
The Statement of Applicability
Appendix A of the ISO 27000 standard contains a set of controls arranged in control
areas and applicable control objectives. These are very generic controls with wide
applicability, and part of the process is to explain how each is applied within the ISMS, or
to explain why it was considered not applicable. The groupings are as follows:
• Clause A5 Security Policy
• Clause A6 Organizing Information Security