Thursday, August 16, 2007

Risk Assessment

ISO/IEC 17799 and ISO/IEC 27001 are predicated on risk assessment. You cannot escape this: it is one of the working documents required for certification. Moreover, the Statement of Applicability (SOA) is "based on the results and conclusions of the risk assessment and risk treatment process", so the risk assessment must be relevant to the SOA. It must also be relevant to your business, or else the ISO/IEC 17799 controls that you adopt will not be relevant either. Not sure how to start...

Your response: ask Gamma to help you perform your risk assessment

We will help you to perform your risk assessment and teach you how to do it at the same time, so that you can make the risk management decisions and maintain the risk assessment in the future. We will also ensure that we identify the significant business risks, particularly those concerned with the business applications and not just the usual risks concerned with IT platforms and networks. This is especially important from a corporate governance perspective.

There are a variety of risk assessment tools that we can use (e.g. we have used CRAMM, Expert, RA and Riskwatch), or we can perform the assessment manually. Whichever you feel more comfortable with, the basic steps will help you to:

  • identify your assets and who is ultimately responsible for their security
  • identify the threats to those assets and how they may go about attacking them
  • identify the security-relevant events that concern you and the impacts to your business that might then arise
  • determine, for each possible event/impact pair and within the context of existing controls, the risk that the security of the associated assets might be compromised by the applicable threats

You then determine whether that risk is acceptable to you or not. If it is, we note that fact and move on to the next event/impact pair. If not, we will help you to identify how the risk is to be treated so that the residual risk is acceptable to you. We will document the risk assessment and risk treatment process in a form that is appropriate to your business so that you can maintain it in the future.
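The steps above (assets and owners, threats, event/impact pairs, risk in the context of existing controls, accept-or-treat) can be captured in a small risk register. The following is an added illustration written for this page; it is not Gamma's method, nor the output of CRAMM or any other tool named above. The 1-5 ordinal scales, the rule that risk is residual likelihood multiplied by impact, the assumption that a control removes whole levels of likelihood, the single numeric acceptance threshold, and every asset, threat and control in the sample register are constructed for the example.

```python
"""Worked risk register for the event/impact-pair approach described above.

Added example, not Gamma's method and not any named tool. Assumed (not from the
page): 1-5 ordinal likelihood and impact scales, risk = residual likelihood x
impact, controls remove whole levels of likelihood, one numeric acceptance
threshold. All sample data below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str  # who is ultimately responsible for the asset's security


@dataclass(frozen=True)
class Control:
    name: str
    likelihood_reduction: int  # assumed: whole levels removed from likelihood


@dataclass
class Scenario:
    """One event/impact pair for one asset and one threat."""
    asset: Asset
    threat: str
    event: str
    impact_description: str
    likelihood: int  # 1 (rare) .. 5 (almost certain), before any controls
    impact: int      # 1 (negligible) .. 5 (severe) to the business
    existing_controls: list[Control] = field(default_factory=list)


def residual_likelihood(s: Scenario) -> int:
    """Likelihood after existing controls; never below 1, a threat is not made impossible."""
    reduction = sum(c.likelihood_reduction for c in s.existing_controls)
    return max(1, s.likelihood - reduction)


def risk_score(s: Scenario) -> int:
    """Risk of the pair within the context of existing controls (assumed formula)."""
    return residual_likelihood(s) * s.impact


def assess(register: list[Scenario], acceptance_threshold: int) -> list[dict]:
    """Decide, pair by pair, whether the risk is accepted or must be treated."""
    rows = []
    for s in register:
        score = risk_score(s)
        rows.append({
            "asset": s.asset.name,
            "owner": s.asset.owner,
            "threat": s.threat,
            "event": s.event,
            "impact": s.impact_description,
            "risk": score,
            "decision": "accept" if score <= acceptance_threshold else "treat",
        })
    return rows


def treat(s: Scenario, new_control: Control, acceptance_threshold: int) -> tuple[int, bool]:
    """Apply a candidate control and report the residual risk and whether it is now acceptable."""
    treated = Scenario(s.asset, s.threat, s.event, s.impact_description,
                       s.likelihood, s.impact, s.existing_controls + [new_control])
    score = risk_score(treated)
    return score, score <= acceptance_threshold


# Constructed sample register: a business application, not just an IT platform.
ORDERS_DB = Asset("customer order database", "Head of Sales")
REGISTER = [
    Scenario(ORDERS_DB, "external attacker",
             "unauthorised disclosure of customer records",
             "regulatory fines and loss of customer confidence",
             likelihood=4, impact=5,
             existing_controls=[Control("network firewall", 1)]),
    Scenario(ORDERS_DB, "hardware failure",
             "loss of availability for more than one working day",
             "orders cannot be taken",
             likelihood=3, impact=3,
             existing_controls=[Control("nightly backup with tested restore", 1)]),
]
ACCEPTANCE_THRESHOLD = 8  # assumed risk appetite: scores above this must be treated

if __name__ == "__main__":
    for row in assess(REGISTER, ACCEPTANCE_THRESHOLD):
        print(f"{row['risk']:>2}  {row['decision']:<7} {row['asset']} / {row['threat']}: {row['event']}")
    print(treat(REGISTER[0], Control("application access control and record encryption", 2),
                ACCEPTANCE_THRESHOLD))
```

Running it lists each pair with its score and decision: the disclosure scenario scores 15 and is flagged for treatment, the availability scenario scores 6 and is accepted, and adding the candidate control brings the first pair's residual risk to 5, which is within the threshold. The point of keeping the register as data is that the decision for every pair, and the controls it relies on, are recorded and can be re-run when the business or the threats change, which is what maintaining the assessment in future means in practice.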

Gamma (an ISO/IEC 27001:2005 and BS EN ISO 9001:2000 registered company)
