Actions to Address Risks and Opportunities Part 2

00:01

Lesson 4.9 point two

00:04

Actions to address risks and opportunities

00:07

Close 6.1 point two Information Security risk assessment

00:14

in this video will cover the requirements of close 6.1 point two. With regards to risk management and assessment,

00:21

we'll go over the risk assessment process as per the requirements off ISO 27,001.

00:29

We'll also cover the mandatory documentation, as required by the 27,001 standard.

00:39

So we've already gone through how the risk management process generally works again. It's up to you to choose what works best for your organization

00:47

in these slides. We're going to cover the specifics that the stand and wants to see,

00:53

as mentioned earlier. This is one of the most important clauses in your whole life is a mess. And ensuring that you have planned, implemented and operated your risk management processes properly is a critical area to passing your certification audit

01:07

as well as having an ice miss that operates as it should.

01:12

There are a couple of important risk concepts that need to be established as part of this process.

01:19

For example,

01:19

your organization needs to define risk acceptance criteria.

01:25

This needs to be formally documented and formally approved by the relevant stakeholders in your organization.

01:32

It is not up thio

01:34

the ice, um s team to determine what the risk acceptance criteria for the organization should be.

01:42

Ideally, this would be set in your enterprise risk management framework and levels,

01:47

and you could just leverage off of this For your information security risk management,

01:53

you will need to establish criteria for determining likelihood and impact levels.

02:00

This means are you going to follow something like the old WASP

02:04

methodology

02:05

for determining likelihood and impact levels?

02:07

Will it be something subjective where you just choose an impact and likelihood level based on a scale

02:15

off 125 for example, with one being least likely five being most likely?

02:22

If your organization has an enterprise risk management framework,

02:25

those levels would generally be already defined.

02:30

An inch level would have

02:30

some sort of

02:32

guidance around what constitutes making something a level five verse to the level one.

02:39

If that is not established, that would need to be established, documented and used during a risk management process,

02:47

you would also need to establish rules for the determination of risk level.

02:53

This pertains to

02:55

what is your company's appetite with regards to accepting risks or not accepting risks as well as treating risks versus not treating risk?

03:07

To what level are you willing to spend money to treat a risk compared to the value of the asset that you are protecting?

03:15

Those are the rules and thinking around there.

03:17

If those rules on set out,

03:21

it can be very difficult to remain consistent in your risk assessment process.

03:28

Which leads us to the last point.

03:30

We need to ensure that the defined risk management process

03:35

can produce consistent

03:37

salad

03:38

and repeatable results.

03:39

What you've done the first time, you must be able to repeat the second time and compare the results

03:52

here. Let's look at the specifics that the standard wants you to cover in your risk management process.

03:58

We have covered these in different ways in the previous lessons,

04:00

but because this close is so important, let's go over it once.

04:05

An important point to note here that we haven't yet covered is that the standard, once a defined risk owner for each of the risks,

04:14

it's quite easy for risks to never be addressed when they aren't anyone's problem.

04:19

Everyone in the organization has a role to play with. Regards to information security risk management.

04:26

This is one of the ways in which you can foster the collaboration and inclusion that makes a nice mess. So great.

04:32

Assigning risk owners gives a person direct control and accountability for a risk.

04:39

They will generally ensured that the required actions are carried out.

04:42

This they be called out during the next chicken for not having done anything

04:48

for the identification of your risks.

04:51

The standard and specifically, once you identify

04:56

risks associated with the loss off confidentiality, integrity or availability off information in your eyes the scope.

05:05

It is important to consider those factors somewhere and make sure it's evident, especially if you're going a certification audit

05:15

during the analysis.

05:17

Make sure that you consider the direct and possible indirect impacts

05:21

is This could

05:24

affect your risk treatment options and ships Decisions.

05:30

Analysis phase

05:31

would also have you look at the likelihood

05:34

of an incident occurring

05:38

and determining the level of risk,

05:40

which is your likelihood multiplied by impact

05:45

during the evaluation phase.

05:47

The standard requires that you compare analysis results

05:50

with your risk acceptance and tolerance criteria.

05:55

You need to prioritize risks for treatment

05:59

and indicate if the treatment option chosen will address likelihood, impact or both.

06:06

We'll get into the risk treatment options a bit

06:10

later on.

06:11

But essentially your treatment

06:13

will either reduce the likelihood of a risk ever occurring

06:16

by taking away the

06:18

possibilities for it to occur. Or it would lessen the impact if the risk does occur.

06:25

There are also instances where it could address both impact and likelihood.

06:35

What is the mandatory documentation required by the 27,001 Standard four. Clause 6.1 point two

06:45

Having documented information is not just to tick boxes for the audit

06:49

when you are ordered to. Please don't have a check box mentality as any good, orderto will be able to see right through that.

06:57

A lot of what counts towards your favorite during an audit specifically for certification now

07:01

is when the order to concede that you understand the concepts required and have the culture in place to support and maintain these processes.

07:10

So there are a number of mandatory documents that you need to have.

07:14

Your risk assessment procedure document should spell out everything regarding the risk assessment and management process.

07:20

This document is quite important as It will serve as a guide to those in your organization that need to participate in the risk management process,

07:28

but they don't have all the information at the top of their head.

07:31

Most people will know some risk management basics, but there are additional considerations to factor in for information security risk assessments.

07:40

Generally, your initial risk assessment will be done during close six. After your initial planning is complete,

07:47

your subsequent risk assessments performed during the period would be considered as part of close aides of your items

07:54

where your risk assessments are implemented and maintained

07:57

repeated

08:01

so the documentation that you would require

08:05

we've already mentioned your risk assessment procedure document.

08:09

It must specifically specify how your organization identifies, analyzes and evaluates risks.

08:16

The ways in which likelihood and impact is determined must be specified, for example, the scales that you use,

08:22

what your risk symptoms criteria all

08:26

and break down the levels of risks

08:28

and how those would be prioritized.

08:31

For example, a level five risk would be prioritized over level three risk. Because of reasons X, Y and Z,

08:39

you would also produce the risk rages, stuff

08:41

and supporting information.

08:43

Your risk register would contain all of the risks that you have identified, as well as all of the work that has gone into

08:50

analyzing and identifying and prioritizing.

08:52

You would also probably have some meeting minutes of your risk workshops.

08:58

You would have identified risk owners. The easiest place to put

09:01

thes is in your risk register

09:05

evidence that the process is structured and repeatable,

09:09

and the define frequency at which your risk assessments will be performed

09:20

in this lesson recovered the risk management process

09:24

and the specific steps required by the 27,001 standard.

09:30

We also covered the risk acceptance criteria and tolerance levels and why this is important.