SIG-ISM has published a white paper on risk management.

A reference to ISO 27001 chapter 5 (Leadership) should be added here, specifically detailing how the organization addresses risk responsibilities and residual risks.


ISO 27000 definitions

The definitions most commonly used in the risk assessment process


Roles and responsibilities

  • Risk owner
  • Risk assessment facilitator
  • ++


Risk assessment process

The risk assessment process can be divided into the following activities:

  1. Mapping of information assets (value assessment and business impact assessment)
  2. Identification of existing safeguards
  3. Identification of risk elements
  4. Assessment of risk level (consequence and probability)
  5. Controls in relation to risk elements
  6. Categorization and prioritization of controls
  7. Approval of controls
  8. Risk treatment (implementation and follow-up of controls)

Activities 2 to 5 are usually carried out in a risk assessment workshop.


Participants

List of possible participants in a risk assessment workshop.


Risk treatment and residual risk

Description of the process.


Tools/Aids

  • Risk assessment spreadsheet
  • Examples of likelihood (Probability)
  • Examples of impact (consequences)
  • Overview of risk areas
  • Risk inventory