ISO 27001 Clause 6.1.2 Information security risk assessment process | Infosavvy
Required activity
The organization defines and applies an information security risk assessment process.
Explanation
The organization defines an information security risk assessment process that:
- Establishes and maintains;
- The Risk acceptance criteria;
- Criteria for performing information security risk assessments, which may include criteria for assessing the consequence and likelihood, and rules for the determination of the extent of risk;
- Ensures that repeated information security risk assessments produce consistent, valid and comparable results.
The information security risk assessment process is then defined along the subsequent sub-processes:
Identification of data security risks:
- Identify risks related to the loss of confidentiality, integrity and availability for information within the scope of the ISMS;
- Identify the Risk owners related to these risks, i.e. identify and appoint persons with the acceptable authority and responsibility for managing identified risks.
Analysis of the knowledge security risks:
- Assess the potential consequences just in case the identified risks materialize, e.g. direct business impacts like monetary loss or indirect business impacts like damage in reputation.
- Assessed consequences are often reported with quantitative or qualitative values;
- Assess the realistic likelihood of occurrence of the identified risks, with quantitative (i.e.probability or frequency) or qualitative values;
- Determine the amount of identified risk as a predefined combination of assessed consequences and assessed likelihoods;
Evaluation of the knowledge security risks:
- Compare the results of risk analysis with the Risk acceptance criteria established before;
- Prioritize the analysed risks for risk treatment, i.e. determine urgency of treatment for risks
That are considered as unacceptable, and sequence if several risks need treatment. - The information security risk assessment process is then applied.
- All steps of the knowledge security risk assessment process also because the results of its application are retained by the organization as documented information.
Implementation Guideline
The information security risk criteria should be established considering the context of the organization and requirements of interested parties and will be defined in accordance with top management’s risk preferences and risk perceptions on one hand and will leave a feasible and appropriate risk management process on the opposite hand. The information security risk criteria should be established in reference to the intended outcome(s) of the ISMS. The criteria concerning information security risk assessment that consider the assessment of likelihood and consequences should be established. Further, risk acceptance criteria should be established.
After establishing criteria for assessing consequences and likelihoods of data security risks, the organization should also establish a way for combining them so as to work out A level of risk. Consequences and likelihoods could also be expressed during a qualitative, quantitative or semi quantitative manner.
After establishing criteria for assessing consequences and likelihoods of data security risks, the organization should also establish a way for combining them so as to work out A level of risk. Consequences and likelihoods could also be expressed during a qualitative, quantitative or semi quantitative manner.
Continue reading- https://www.info-savvy.com/iso-27001-clause-6-1-2-information-security-risk-assessment-process/
--------------------------------------------------------------------------------------------------------------------------
This Blog Article is posted by
Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
Contact us – www.info-savvy.com
ReplyDeleteشركة تنظيف موكيت بتبوك
شركة نظافة بتبوك
شركة نظافة منازل
نظافة عامة
شركات نظافة منازل
شركات تنظيف السيراميك بتبوك
شركات التنظيف بتبوك