

Tuesday, July 24, 2007

1. Risk assessment and treatment (ISO)

Assessing security risks

This security category's objective is to identify, quantify and prioritize risks against criteria for risk acceptance and objectives relevant to the organization.

Security risk assessment • Risk assessments should be performed, and updated at appropriate intervals, for all information systems. Control includes:

  • systematic methods of assessing risks (threats and vulnerabilities);
  • systematic methods of comparing assessed risks against risk criteria;
  • periodic re-assessments to address changes in security requirements and/or in the risk environment; and
  • clearly defined scope, including specification of the system(s) assessed, the means of assessment employed, and relationships with other risk assessments if appropriate.

Authorities: ISO-27002:2005 4.1.; HIPAA 164.308(a)(1)(ii)(A); PCI-DSS:2005 12.1.2.

Treating security risks

This category's objective is to treat identified risks appropriately, in light of organizational objectives and risk criteria.

Security risk treatment • Risk treatment efforts should be undertaken to mitigate identified risks, using appropriate administrative, technical and physical controls. Control includes:

  • applying appropriate controls to avoid, eliminate or reduce risks;
  • transferring some risks to third parties as appropriate (e.g., by insurance);
  • knowingly and objectively accepting some risks; and
  • documenting the risk treatment choices made, and the reasons for them.

Risk treatments should take account of:

  • legal-regulatory and private certificatory requirements;
  • organizational objectives, operational requirements and constraints; and
  • costs of implementation and operation relative to risks being reduced.

Authorities: ISO-27002:2005 4.2.; HIPAA 164.308(a)(1)(ii)(B); PCI-DSS:2005 12.1.3.
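As an added example (it is not part of the original page or of the ISO text), the following Python sketch puts both control points above into practice: it scores each risk on constructed 1-to-5 likelihood and impact scales, compares the result against an assumed acceptance threshold of 6, prioritises the register, and records every treatment decision (reduce, avoid, transfer, accept) together with its reason, refusing to accept a residual risk above the threshold without a named approver. All assets, threats, scales and thresholds are constructed for illustration.

```python
"""Minimal risk register: assess, prioritise and treat risks against an
explicit acceptance criterion, recording each decision and its reason.
Scales, threshold and sample risks are constructed assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional

SCALE = range(1, 6)          # assumed 1 (low) .. 5 (high) ordinal scales
ACCEPTANCE_THRESHOLD = 6     # assumed criterion: likelihood*impact <= 6 is tolerable
TREATMENTS = ("reduce", "avoid", "transfer", "accept")


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    residual_likelihood: Optional[int] = None
    residual_impact: Optional[int] = None
    decisions: List[dict] = field(default_factory=list)   # the documented treatment record

    def __post_init__(self):
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError("likelihood and impact must be rated 1..5")

    @property
    def inherent_level(self) -> int:
        return self.likelihood * self.impact

    @property
    def residual_level(self) -> int:
        if self.residual_likelihood is None:      # no treatment applied yet
            return self.inherent_level
        return self.residual_likelihood * self.residual_impact

    def meets_criteria(self) -> bool:
        return self.residual_level <= ACCEPTANCE_THRESHOLD

    @property
    def accepted(self) -> bool:
        return bool(self.decisions) and self.decisions[-1]["treatment"] == "accept"


def prioritise(risks: List[Risk]) -> List[Risk]:
    """Highest inherent level first; ties go to the higher-impact item."""
    return sorted(risks, key=lambda r: (r.inherent_level, r.impact), reverse=True)


def treat(risk: Risk, treatment: str, rationale: str,
          residual_likelihood: Optional[int] = None,
          residual_impact: Optional[int] = None, accepted_by: str = "") -> int:
    """Apply one treatment decision and return the new residual level."""
    if treatment not in TREATMENTS:
        raise ValueError(f"unknown treatment {treatment!r}")
    if not rationale.strip():
        raise ValueError("every treatment choice must be documented with a reason")
    if treatment == "avoid":                      # activity stopped: exposure removed
        residual_likelihood, residual_impact = 0, 0
    elif treatment == "accept":                   # exposure unchanged; record who carries it
        residual_likelihood = risk.likelihood if risk.residual_likelihood is None else risk.residual_likelihood
        residual_impact = risk.impact if risk.residual_impact is None else risk.residual_impact
        if residual_likelihood * residual_impact > ACCEPTANCE_THRESHOLD and not accepted_by:
            raise ValueError("accepting a risk above the acceptance threshold needs a named approver")
    else:                                         # reduce / transfer: state the expected effect
        if residual_likelihood is None or residual_impact is None:
            raise ValueError(f"{treatment} needs the expected residual likelihood and impact")
        if residual_likelihood > risk.likelihood or residual_impact > risk.impact:
            raise ValueError("a control cannot leave the risk higher than it was")
    risk.residual_likelihood, risk.residual_impact = residual_likelihood, residual_impact
    risk.decisions.append({"treatment": treatment, "rationale": rationale,
                           "residual_level": risk.residual_level, "accepted_by": accepted_by})
    return risk.residual_level


def open_items(risks: List[Risk]) -> List[Risk]:
    """Risks still above the acceptance criterion and not knowingly accepted."""
    return [r for r in risks if not r.meets_criteria() and not r.accepted]


def build_sample_register() -> List[Risk]:
    # Constructed sample data for the example, not real findings.
    return [
        Risk("customer database", "SQL injection by external attacker", "unparameterised queries in web app", 4, 5),
        Risk("staff laptops", "theft or loss", "no full-disk encryption", 3, 4),
        Risk("guest wifi", "abuse of internet access", "no captive portal", 2, 2),
        Risk("payroll file share", "ransomware", "SMBv1 enabled, no offline backups", 3, 5),
    ]


def run_example() -> List[Risk]:
    db, laptops, wifi, share = risks = build_sample_register()
    treat(db, "reduce", "parameterise queries; add input validation", 1, 5)              # 20 -> 5
    treat(share, "reduce", "disable SMBv1; restore offline backups", 2, 4)               # 15 -> 8, still open
    treat(laptops, "transfer", "device-loss insurance; FDE rollout next quarter", 3, 2)  # 12 -> 6
    treat(wifi, "accept", "segregation cost exceeds exposure")                           # 4, within criteria
    assert open_items(risks) == [share]          # the residual 8 needs a conscious decision
    treat(share, "accept", "residual ransomware exposure carried until backup project lands",
          accepted_by="CISO")
    return risks


if __name__ == "__main__":
    for r in prioritise(run_example()):
        print(f"{r.asset:20} inherent={r.inherent_level:2} residual={r.residual_level:2} "
              f"{'OK' if r.meets_criteria() or r.accepted else 'OPEN'} ({r.decisions[-1]['treatment']})")
```

`SCALE` and `ACCEPTANCE_THRESHOLD` are where an organisation's own risk criteria belong; `open_items` is the check worth running before each periodic re-assessment, since it surfaces both untreated risks and treatments whose residual still exceeds the criteria without anyone having signed off on them.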
