ISO/IEC 17799 and ISO/IEC 27001 are predicated on risk assessment. You cannot escape this - it is one of the working documents required for certification. Moreover, the SOA (Statement of Applicability) is "based on the results and conclusions of the risk assessment and risk treatment process" and, thus, the risk assessment must be relevant to the SOA. It must also be relevant to your business, otherwise the ISO/IEC 17799 controls that you adopt will not be relevant either! Not sure how to start...
Your response - ask Gamma to help you perform your risk assessment
We will help you to perform your risk assessment and teach you how to do it at the same time, so that you can make the risk management decisions and maintain the risk assessment in the future. We will also ensure that we identify the significant business risks, particularly those concerned with the business applications and not just the usual risks concerned with IT platforms and networks. This is especially important from a corporate governance perspective.
There are a variety of risk assessment tools that we can use (e.g. we have used CRAMM, Expert, RA and Riskwatch), or we can perform the assessment manually. Whichever approach you are more comfortable with, the basic steps will help you to:
You then determine whether that risk is acceptable to you or not. If it is, we note that fact and move on to the next event/impact pair. If not, we will help you to identify how the risk is to be treated so that the residual risk is acceptable to you. We will document the risk assessment and risk treatment process in a form that is appropriate to your business so that you can maintain it in the future.