Actions to Address Risks and Opportunities Part 2

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
or

Already have an account? Sign In »

Time
7 hours 56 minutes
Difficulty
Intermediate
CEU/CPE
8
Video Transcription
00:01
Lesson 4.9 point two
00:04
Actions to address risks and opportunities
00:07
Close 6.1 point two Information Security risk assessment
00:14
in this video will cover the requirements of close 6.1 point two. With regards to risk management and assessment,
00:21
we'll go over the risk assessment process as per the requirements off ISO 27,001.
00:29
We'll also cover the mandatory documentation, as required by the 27,001 standard.
00:39
So we've already gone through how the risk management process generally works again. It's up to you to choose what works best for your organization
00:47
in these slides. We're going to cover the specifics that the stand and wants to see,
00:53
as mentioned earlier. This is one of the most important clauses in your whole life is a mess. And ensuring that you have planned, implemented and operated your risk management processes properly is a critical area to passing your certification audit
01:07
as well as having an ice miss that operates as it should.
01:12
There are a couple of important risk concepts that need to be established as part of this process.
01:19
For example,
01:19
your organization needs to define risk acceptance criteria.
01:25
This needs to be formally documented and formally approved by the relevant stakeholders in your organization.
01:32
It is not up thio
01:34
the ice, um s team to determine what the risk acceptance criteria for the organization should be.
01:42
Ideally, this would be set in your enterprise risk management framework and levels,
01:47
and you could just leverage off of this For your information security risk management,
01:53
you will need to establish criteria for determining likelihood and impact levels.
02:00
This means are you going to follow something like the old WASP
02:04
methodology
02:05
for determining likelihood and impact levels?
02:07
Will it be something subjective where you just choose an impact and likelihood level based on a scale
02:15
off 125 for example, with one being least likely five being most likely?
02:22
If your organization has an enterprise risk management framework,
02:25
those levels would generally be already defined.
02:30
An inch level would have
02:30
some sort of
02:32
guidance around what constitutes making something a level five verse to the level one.
02:39
If that is not established, that would need to be established, documented and used during a risk management process,
02:47
you would also need to establish rules for the determination of risk level.
02:53
This pertains to
02:55
what is your company's appetite with regards to accepting risks or not accepting risks as well as treating risks versus not treating risk?
03:07
To what level are you willing to spend money to treat a risk compared to the value of the asset that you are protecting?
03:15
Those are the rules and thinking around there.
03:17
If those rules on set out,
03:21
it can be very difficult to remain consistent in your risk assessment process.
03:28
Which leads us to the last point.
03:30
We need to ensure that the defined risk management process
03:35
can produce consistent
03:37
salad
03:38
and repeatable results.
03:39
What you've done the first time, you must be able to repeat the second time and compare the results
03:52
here. Let's look at the specifics that the standard wants you to cover in your risk management process.
03:58
We have covered these in different ways in the previous lessons,
04:00
but because this close is so important, let's go over it once.
04:05
An important point to note here that we haven't yet covered is that the standard, once a defined risk owner for each of the risks,
04:14
it's quite easy for risks to never be addressed when they aren't anyone's problem.
04:19
Everyone in the organization has a role to play with. Regards to information security risk management.
04:26
This is one of the ways in which you can foster the collaboration and inclusion that makes a nice mess. So great.
04:32
Assigning risk owners gives a person direct control and accountability for a risk.
04:39
They will generally ensured that the required actions are carried out.
04:42
This they be called out during the next chicken for not having done anything
04:48
for the identification of your risks.
04:51
The standard and specifically, once you identify
04:56
risks associated with the loss off confidentiality, integrity or availability off information in your eyes the scope.
05:05
It is important to consider those factors somewhere and make sure it's evident, especially if you're going a certification audit
05:15
during the analysis.
05:17
Make sure that you consider the direct and possible indirect impacts
05:21
is This could
05:24
affect your risk treatment options and ships Decisions.
05:30
Analysis phase
05:31
would also have you look at the likelihood
05:34
of an incident occurring
05:38
and determining the level of risk,
05:40
which is your likelihood multiplied by impact
05:45
during the evaluation phase.
05:47
The standard requires that you compare analysis results
05:50
with your risk acceptance and tolerance criteria.
05:55
You need to prioritize risks for treatment
05:59
and indicate if the treatment option chosen will address likelihood, impact or both.
06:06
We'll get into the risk treatment options a bit
06:10
later on.
06:11
But essentially your treatment
06:13
will either reduce the likelihood of a risk ever occurring
06:16
by taking away the
06:18
possibilities for it to occur. Or it would lessen the impact if the risk does occur.
06:25
There are also instances where it could address both impact and likelihood.
06:35
What is the mandatory documentation required by the 27,001 Standard four. Clause 6.1 point two
06:45
Having documented information is not just to tick boxes for the audit
06:49
when you are ordered to. Please don't have a check box mentality as any good, orderto will be able to see right through that.
06:57
A lot of what counts towards your favorite during an audit specifically for certification now
07:01
is when the order to concede that you understand the concepts required and have the culture in place to support and maintain these processes.
07:10
So there are a number of mandatory documents that you need to have.
07:14
Your risk assessment procedure document should spell out everything regarding the risk assessment and management process.
07:20
This document is quite important as It will serve as a guide to those in your organization that need to participate in the risk management process,
07:28
but they don't have all the information at the top of their head.
07:31
Most people will know some risk management basics, but there are additional considerations to factor in for information security risk assessments.
07:40
Generally, your initial risk assessment will be done during close six. After your initial planning is complete,
07:47
your subsequent risk assessments performed during the period would be considered as part of close aides of your items
07:54
where your risk assessments are implemented and maintained
07:57
repeated
08:01
so the documentation that you would require
08:05
we've already mentioned your risk assessment procedure document.
08:09
It must specifically specify how your organization identifies, analyzes and evaluates risks.
08:16
The ways in which likelihood and impact is determined must be specified, for example, the scales that you use,
08:22
what your risk symptoms criteria all
08:26
and break down the levels of risks
08:28
and how those would be prioritized.
08:31
For example, a level five risk would be prioritized over level three risk. Because of reasons X, Y and Z,
08:39
you would also produce the risk rages, stuff
08:41
and supporting information.
08:43
Your risk register would contain all of the risks that you have identified, as well as all of the work that has gone into
08:50
analyzing and identifying and prioritizing.
08:52
You would also probably have some meeting minutes of your risk workshops.
08:58
You would have identified risk owners. The easiest place to put
09:01
thes is in your risk register
09:05
evidence that the process is structured and repeatable,
09:09
and the define frequency at which your risk assessments will be performed
09:20
in this lesson recovered the risk management process
09:24
and the specific steps required by the 27,001 standard.
09:30
We also covered the risk acceptance criteria and tolerance levels and why this is important.
09:37
Lastly, we looked at the mandatory documentation that is required to support this activity.
Up Next
ISO 27001:2013 - Information Security Management Systems

The ISO 27001:2013 - Information Security Management Systems course provides students with insights into the detail and practical understandings meant by the various clauses in the ISO 27001 Standard.

Instructed By