Risk management

What is risk management, and why is it important?

Risk management is probably the most complex part of ISO 27001 implementation but, at the same time, it is the most important step at the beginning of your information security project – it sets the foundations for information security in your company. Risk management consists of two main elements: risk assessment (often called risk analysis) and risk treatment.

What actually are risk assessment and treatment, and what is their purpose? Risk assessment is a process during which an organization should identify information security risks and determine their likelihood and impact. Plainly speaking, the organization should recognize all the potential problems with their information, how likely they are to occur, and what the consequences might be. The purpose of risk treatment is to find out which security controls (i.e., safeguards) are needed in order to avoid those potential incidents – selection of controls is called the risk treatment process, and in ISO 27001 they are chosen from Annex A, which specifies 114 controls.

ISO 27001 risk assessment & treatment – six main steps

Although risk management in ISO 27001 is a complex job, it is very often unnecessarily mystified. These six basic steps will shed light on what you have to do:

1) ISO 27001 risk assessment methodology

This is the first step on your voyage through risk management in ISO 27001. You need to define the rules for how you are going to perform the risk management, because you want your whole organization to do it the same way – the biggest problem with risk assessment happens if different parts of the organization perform it in different ways. Therefore, you need to define whether you want qualitative or quantitative risk assessment, which scales you will use for qualitative assessment, what the acceptable level of risk will be, etc.

Once you know the rules, you can start finding out which potential problems could happen to you – you need to list all your assets, then threats and vulnerabilities related to those assets, assess the impact and likelihood for each combination of assets/threats/vulnerabilities, and finally calculate the level of risk. In my experience, companies are usually aware of only 30% of their risks.
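The methodology and assessment steps above can be made concrete with a small risk register. The following is an added example, not code from the original article or from any ISO 27001 toolkit: it assumes a 1–5 qualitative scale for likelihood and impact, an organization-defined acceptable risk level of 8, and a simple likelihood × impact score, none of which ISO 27001 prescribes. It also shows the quantitative alternative (annualized loss expectancy) mentioned in the text, and enforces a single shared scale so that different parts of the organization cannot score risks in different ways.

```python
"""Worked risk register: assets x threats x vulnerabilities scored against one
organization-wide scale, then compared with the acceptable level of risk.
Example code; scales and threshold are assumptions, not ISO 27001 requirements."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# One shared qualitative scale (assumption: 1-5). Every business unit must use
# exactly these labels, which is what keeps the assessment consistent.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Acceptable level of risk (assumption: defined by management in the methodology).
ACCEPTABLE_RISK = 8


@dataclass(frozen=True)
class Risk:
    """One combination of asset / threat / vulnerability with its assessed levels."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str

    def score(self) -> int:
        """Risk level = likelihood x impact on the shared scale.
        Unknown labels raise, so a unit inventing its own scale is caught early."""
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"unknown likelihood level: {self.likelihood!r}")
        if self.impact not in IMPACT:
            raise ValueError(f"unknown impact level: {self.impact!r}")
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def needs_treatment(self, acceptable: int = ACCEPTABLE_RISK) -> bool:
        """Anything above the acceptable level must go to risk treatment (Annex A controls)."""
        return self.score() > acceptable


def assess(register: Iterable[Risk], acceptable: int = ACCEPTABLE_RISK) -> List[Tuple[Risk, int, bool]]:
    """Score every entry and sort so the largest risks are treated first."""
    scored = [(r, r.score(), r.needs_treatment(acceptable)) for r in register]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def annualized_loss_expectancy(asset_value: float, exposure_factor: float,
                               annual_rate_of_occurrence: float) -> float:
    """Quantitative alternative: ALE = SLE x ARO, where SLE = asset value x exposure factor."""
    single_loss_expectancy = asset_value * exposure_factor
    return single_loss_expectancy * annual_rate_of_occurrence


# Constructed sample register (not real data).
SAMPLE_REGISTER = [
    Risk("customer database", "external attacker", "unpatched database server", "likely", "severe"),
    Risk("laptop fleet", "theft", "no full-disk encryption", "possible", "major"),
    Risk("office printer", "hardware failure", "no maintenance contract", "unlikely", "minor"),
]


if __name__ == "__main__":
    for risk, score, treat in assess(SAMPLE_REGISTER):
        flag = "TREAT" if treat else "accept"
        print(f"{score:>2}  {flag:<6} {risk.asset}: {risk.threat} via {risk.vulnerability}")
    # Quantitative view of the first risk: constructed figures.
    print("ALE:", annualized_loss_expectancy(asset_value=100_000, exposure_factor=0.3,
                                            annual_rate_of_occurrence=0.5))
```

Running it lists the database (score 20) and laptop (score 12) risks as needing treatment and the printer (score 4) as acceptable; the quantitative call returns an ALE of 15,000 for the constructed figures. Both scales and the threshold belong in the written methodology so that every unit scores the same way.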