7 hours 52 minutes
Lesson 4.9 point two
Actions to address risks and opportunities
Close 6.1 point two Information Security risk assessment
in this video will cover the requirements of close 6.1 point two. With regards to risk management and assessment,
we'll go over the risk assessment process as per the requirements off ISO 27,001.
We'll also cover the mandatory documentation, as required by the 27,001 standard.
So we've already gone through how the risk management process generally works again. It's up to you to choose what works best for your organization
in these slides. We're going to cover the specifics that the stand and wants to see,
as mentioned earlier. This is one of the most important clauses in your whole life is a mess. And ensuring that you have planned, implemented and operated your risk management processes properly is a critical area to passing your certification audit
as well as having an ice miss that operates as it should.
There are a couple of important risk concepts that need to be established as part of this process.
your organization needs to define risk acceptance criteria.
This needs to be formally documented and formally approved by the relevant stakeholders in your organization.
It is not up thio
the ice, um s team to determine what the risk acceptance criteria for the organization should be.
Ideally, this would be set in your enterprise risk management framework and levels,
and you could just leverage off of this For your information security risk management,
you will need to establish criteria for determining likelihood and impact levels.
This means are you going to follow something like the old WASP
for determining likelihood and impact levels?
Will it be something subjective where you just choose an impact and likelihood level based on a scale
off 125 for example, with one being least likely five being most likely?
If your organization has an enterprise risk management framework,
those levels would generally be already defined.
An inch level would have
some sort of
guidance around what constitutes making something a level five verse to the level one.
If that is not established, that would need to be established, documented and used during a risk management process,
you would also need to establish rules for the determination of risk level.
This pertains to
what is your company's appetite with regards to accepting risks or not accepting risks as well as treating risks versus not treating risk?
To what level are you willing to spend money to treat a risk compared to the value of the asset that you are protecting?
Those are the rules and thinking around there.
If those rules on set out,
it can be very difficult to remain consistent in your risk assessment process.
Which leads us to the last point.
We need to ensure that the defined risk management process
can produce consistent
and repeatable results.
What you've done the first time, you must be able to repeat the second time and compare the results
here. Let's look at the specifics that the standard wants you to cover in your risk management process.
We have covered these in different ways in the previous lessons,
but because this close is so important, let's go over it once.
An important point to note here that we haven't yet covered is that the standard, once a defined risk owner for each of the risks,
it's quite easy for risks to never be addressed when they aren't anyone's problem.
Everyone in the organization has a role to play with. Regards to information security risk management.
This is one of the ways in which you can foster the collaboration and inclusion that makes a nice mess. So great.
Assigning risk owners gives a person direct control and accountability for a risk.
They will generally ensured that the required actions are carried out.
This they be called out during the next chicken for not having done anything
for the identification of your risks.
The standard and specifically, once you identify
risks associated with the loss off confidentiality, integrity or availability off information in your eyes the scope.
It is important to consider those factors somewhere and make sure it's evident, especially if you're going a certification audit
during the analysis.
Make sure that you consider the direct and possible indirect impacts
is This could
affect your risk treatment options and ships Decisions.
would also have you look at the likelihood
of an incident occurring
and determining the level of risk,
which is your likelihood multiplied by impact
during the evaluation phase.
The standard requires that you compare analysis results
with your risk acceptance and tolerance criteria.
You need to prioritize risks for treatment
and indicate if the treatment option chosen will address likelihood, impact or both.
We'll get into the risk treatment options a bit
But essentially your treatment
will either reduce the likelihood of a risk ever occurring
by taking away the
possibilities for it to occur. Or it would lessen the impact if the risk does occur.
There are also instances where it could address both impact and likelihood.
What is the mandatory documentation required by the 27,001 Standard four. Clause 6.1 point two
Having documented information is not just to tick boxes for the audit
when you are ordered to. Please don't have a check box mentality as any good, orderto will be able to see right through that.
A lot of what counts towards your favorite during an audit specifically for certification now
is when the order to concede that you understand the concepts required and have the culture in place to support and maintain these processes.
So there are a number of mandatory documents that you need to have.
Your risk assessment procedure document should spell out everything regarding the risk assessment and management process.
This document is quite important as It will serve as a guide to those in your organization that need to participate in the risk management process,
but they don't have all the information at the top of their head.
Most people will know some risk management basics, but there are additional considerations to factor in for information security risk assessments.
Generally, your initial risk assessment will be done during close six. After your initial planning is complete,
your subsequent risk assessments performed during the period would be considered as part of close aides of your items
where your risk assessments are implemented and maintained
so the documentation that you would require
we've already mentioned your risk assessment procedure document.
It must specifically specify how your organization identifies, analyzes and evaluates risks.
The ways in which likelihood and impact is determined must be specified, for example, the scales that you use,
what your risk symptoms criteria all
and break down the levels of risks
and how those would be prioritized.
For example, a level five risk would be prioritized over level three risk. Because of reasons X, Y and Z,
you would also produce the risk rages, stuff
and supporting information.
Your risk register would contain all of the risks that you have identified, as well as all of the work that has gone into
analyzing and identifying and prioritizing.
You would also probably have some meeting minutes of your risk workshops.
You would have identified risk owners. The easiest place to put
thes is in your risk register
evidence that the process is structured and repeatable,
and the define frequency at which your risk assessments will be performed
in this lesson recovered the risk management process
and the specific steps required by the 27,001 standard.
We also covered the risk acceptance criteria and tolerance levels and why this is important.
Lastly, we looked at the mandatory documentation that is required to support this activity.