Information Security Risk Assessment


Time
7 hours 56 minutes
Difficulty
Intermediate
CEU/CPE
8
Video Transcription
00:02
Lesson 6.2
00:04
Information Security Risk Assessment.
00:09
In this video, we will cover the Clause 8.2 requirements,
00:14
and we will also take a look at how
00:17
Clause 8.2
00:18
is different to Clause 6.2.
00:27
So this Clause 8.2,
00:30
performing information security risk assessments,
00:33
is quite easy, and there is not a lot of active work that needs to go into this, besides, of course, doing the actual risk assessment, which can be quite intense.
00:44
How you go about doing your risk assessment is generally set out in Clause 6.
00:50
The trick here,
00:52
during Clause 8.2,
00:54
is to ensure that you perform regular risk assessments
00:58
and that you are reassessing your completed risk treatment activities
01:03
and feeding these back into your risk assessment processes
01:07
and your statement of applicability.
01:10
There should be a defined frequency for performing risk assessments,
01:14
whether it be quarterly or monthly, whatever the case is.
01:19
It is also important that risks from any changes
01:25
are assessed and fit into the risk management process.
01:30
When you are audited,
01:30
especially during your ISO 27001 certification audits,
01:37
the auditors will generally want to see evidence
01:40
that you have performed your risk assessments as per your defined frequency.
01:45
This is especially true if you're running a more mature ISMS.
01:53
So, to summarize some of the key points,
01:57
the execution of your risk assessment process
02:00
must be performed as per your defined frequency.
02:06
You would also then need to consider changes to your environment, organization,
02:10
or the ISMS itself,
02:13
and any other change that may require an additional risk assessment
02:17
or serve as input into your existing risk assessments.
02:23
This is especially true for unplanned changes,
02:25
as was covered in 6.1.
02:30
The level of detail in your risk assessments performed can become greater with each iteration that is performed.
02:37
Generally, you would start at a high level and end up going into a lot more detail for each iteration performed.
02:51
For your documented information,
02:53
it should be easy to show documented information
02:57
as you will have your risk register
02:59
meeting minutes of the risk assessment workshops,
03:01
communication on the results to relevant parties
03:06
and so forth.
03:07
The key here is to demonstrate that you have performed these assessments
03:12
as per your defined frequency,
03:15
so you must be able to show that there have been multiple assessments,
03:20
and if there were any differences between the assessments,
03:23
which generally there would be,
03:25
as your risk levels should come down, or new risks would be identified.
03:31
There would also be documentation related to your risk treatment activities,
03:37
and, where treatment activities have been completed,
03:39
you would expect your risk level to drop.
03:43
This is especially true in areas where controls are successfully implemented and effective
03:49
as this would provide a greater level of mitigation against your identified risk.
03:55
Another piece of documentation
03:58
would be your attendance register from risk workshops.
04:03
It is always handy to maintain an attendance register
04:06
as this can easily show the stakeholders that were involved in the risk assessment workshops,
04:12
especially if top management has been involved.
04:15
This attendance register would also serve as evidence for a number of different clauses,
04:21
including demonstrating top management commitment.
04:30
To summarize.
04:31
In this lesson, we covered the re-performance of a risk assessment,
04:36
and that generally risk assessments are done as per your defined frequency intervals.
04:44
Auditors can choose to audit both Clause 6 and Clause 8 at the same time for efficiency purposes,
04:51
the documented information that could be used to support the audit,
04:56
and this process overall.
ISO 27001:2013 - Information Security Management Systems

The ISO 27001:2013 - Information Security Management Systems course provides students with insights into the detail and practical understandings meant by the various clauses in the ISO 27001 Standard.