...
- Mapping of information assets. Value assessment. Business Impact assessment
- Identify existing safeguards and control measures
- Identification of risk elements
- Assessment of risk level (consequence and probability)
- Controls in relation to risk elements
- Categorization and prioritization of controls
- Approval of controls
- Risk treatment. Implementation and follow-up of controls
...
List of possible participants in a risk assessment workshop:
- Management (defining risk appetite)
- Information Security Manager/Officer
- Risk owners / Asset owners
- Risk assessment facilitator
Risk treatment and residual risk
Description of process
Risk treatment plan
- A description of the risk to be reduced and the controls to implement
- Rationale for the choice of controls and their expected effects
- Person responsible for approving the plan
- Person responsible for implementing the controls
- Activities related to implementation
- Target and performance criteria and delimitations in relation to the controls
- Reporting and monitoring requirements
- Plan and timeframes
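The risk assessment steps above (assessment of risk level as consequence and probability, categorization and prioritization of controls) and the risk treatment plan (controls, expected effects, residual risk against management's risk appetite) can be illustrated with a small scoring model. The following is an added example, not a tool from the page or from the WISE template; it assumes a 5x5 likelihood x impact scale, band thresholds (high >= 15, medium >= 8), and a constructed sample register of three assets, all of which are illustrative choices rather than anything the page prescribes.

```python
"""Worked risk-scoring and residual-risk example (added illustration, not the page's own tool).

Assumptions (not taken from the page):
  - likelihood and impact are each scored 1..5
  - risk level = likelihood * impact, banded high (>=15) / medium (>=8) / low
  - a control lowers likelihood and/or impact by a whole number of steps
  - management's risk appetite is the highest residual score it will accept
"""
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # steps removed from the 1..5 likelihood score
    impact_reduction: int = 0      # steps removed from the 1..5 impact score


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int                # 1 = rare .. 5 = almost certain
    impact: int                    # 1 = negligible .. 5 = critical
    owner: str                     # risk owner / asset owner
    controls: list = field(default_factory=list)


def clamp(score: int) -> int:
    """Keep a reduced likelihood or impact inside the 1..5 scale."""
    return max(1, min(5, score))


def inherent_score(risk: Risk) -> int:
    """Risk level before any controls are applied."""
    return risk.likelihood * risk.impact


def residual_score(risk: Risk) -> int:
    """Risk level after the planned controls take effect."""
    likelihood, impact = risk.likelihood, risk.impact
    for control in risk.controls:
        likelihood -= control.likelihood_reduction
        impact -= control.impact_reduction
    return clamp(likelihood) * clamp(impact)


def category(score: int) -> str:
    """Band a score for categorization and prioritization of controls."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def build_treatment_plan(register: list, appetite: int) -> list:
    """Produce risk treatment plan rows, highest residual risk first.

    A residual score above the appetite means the planned controls are not
    sufficient and the risk needs further treatment; otherwise it is accepted.
    """
    rows = []
    for risk in register:
        residual = residual_score(risk)
        rows.append({
            "asset": risk.asset,
            "threat": risk.threat,
            "owner": risk.owner,
            "inherent": inherent_score(risk),
            "residual": residual,
            "category": category(residual),
            "controls": [c.name for c in risk.controls],
            "decision": "treat further" if residual > appetite else "accept",
        })
    return sorted(rows, key=lambda r: (-r["residual"], -r["inherent"]))


def sample_register() -> list:
    """Constructed sample data; the assets, threats and scores are made up."""
    return [
        Risk("HR database", "Unauthorised access via weak credentials", 4, 5, "HR manager",
             [Control("Multi-factor authentication", likelihood_reduction=2)]),
        Risk("Public website", "Malware on web server", 3, 2, "Web team lead",
             [Control("Patch management", likelihood_reduction=1)]),
        Risk("Backup tapes", "Theft of off-site media", 2, 4, "IT operations",
             [Control("Encrypted backups", impact_reduction=3)]),
    ]


if __name__ == "__main__":
    for row in build_treatment_plan(sample_register(), appetite=6):
        print(f"{row['asset']:<15} inherent={row['inherent']:>2} residual={row['residual']:>2} "
              f"{row['category']:<6} {row['decision']}")
```

Running the script lists the register ordered by residual risk, so the rows that still exceed the appetite (here the HR database, residual 10 against an appetite of 6) are the ones management must either fund further controls for or explicitly accept, which is the approval and follow-up step of the process.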
Risk areas
- The organization's ownership of ICT
- Information security policy and guidelines
- Organization of information security
- Resources
- Expertise, skills and safety culture
- Employee safety
- Architecture
- Work processes
- Roles and responsibilities
- Establishment and maintenance of portfolio
- Innovation
- Decision-making on ICT investments
- Acquisition, development and maintenance of ICT systems / services
- Quality assurance
- Supplier relations
- Handling of information assets
- Access control
- Operation and management
- Infrastructure
- Software
- Data communication security
- Cryptography
- Malware and logical attacks
- Social engineering
- Theft or destruction
- Disloyal employees
- Physical and environmental areas
- Geopolitical conditions
- Handling of information security incidents
- Continuity plans
- Compliance with laws, rules and agreements
- Communication
Tools/Aids
- White paper on risk management
- Risk assessment spreadsheet
- WISE - Risk Management Template
- Examples of likelihood (Probability)
- Examples of impact (consequences)
- Overview of risk areas
- Risk inventory