Information Security Risk Assessment.
In this video, we will cover the Clause 8.2 requirements,
and we will also take a look at how
performing information security risk assessments
is different to Clause 6.2.
It's quite easy, and there is not a lot of active work that needs to go into this, besides, of course, doing the actual risk assessment, which can be quite intense.
How you go about doing your risk assessment is generally set out in Clause 6.
Clause 8.2 is there to ensure that you perform regular risk assessments,
and that you are reassessing your completed risk treatment activities
and feeding these back into your risk assessment processes
and your statement of applicability.
There should be a defined frequency for performing risk assessments,
whether it be quarterly or monthly, whatever the case is.
It is also important that risks from any changes
are assessed and fit into the risk management process.
When you are audited,
especially during your ISO 27001 certification audits,
the auditors will generally want to see evidence
that you have performed your risk assessments as per your defined frequency.
This is especially true if you're running a more mature ISMS.
So, to summarize some of the key points:
the execution of your risk assessment process
must be performed as per your defined frequency.
You would also need to consider changes to your environment, organization
or the ISMS itself,
and any other change that may require an additional risk assessment
or serve as input into your existing risk assessments.
This is especially true for unplanned changes,
as was covered in Clause 6.1.
The level of detail in your risk assessments performed can become greater with each iteration that is performed.
Generally, you would start at a high level and end up going into a lot more detail for each iteration performed.
For your documented information,
it should be easy to show documented information,
as you will have your risk register,
meeting minutes of the risk assessment workshops,
and communication of the results to relevant parties.
The key here is to demonstrate that you have performed these assessments
as per your defined frequency,
so you must be able to show that there have been multiple assessments
and whether there were any differences between the assessments,
which generally there would be,
as your risk level should come down and new risks would be identified.
There would also be documentation related to your risk treatment activities,
and where treatment activities have been completed,
you would expect your risk level to drop.
This is especially true in areas where controls are successfully implemented and effective,
as this would provide a greater level of mitigation against your identified risk.
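To show what "evidence of assessments per your defined frequency" and "risk level dropping where treatment is completed" look like when checked against a risk register, here is an added example (not from this lesson) that runs audit-style checks over a constructed register history. The 92-day tolerance for a quarterly frequency, the treatment status values and the risk scores are assumptions.

```python
from datetime import date

DEFINED_FREQUENCY_DAYS = 92  # assumed tolerance for a "quarterly" frequency

# Constructed sample register history: date, trigger, risk id -> (score, treatment status)
ASSESSMENTS = [
    {"date": date(2023, 1, 10), "trigger": "scheduled",
     "risks": {"R1": (20, "planned"), "R2": (12, "planned")}},
    {"date": date(2023, 4, 5), "trigger": "scheduled",
     "risks": {"R1": (8, "completed"), "R2": (12, "in_progress"), "R3": (15, "planned")}},
    {"date": date(2023, 5, 20), "trigger": "change: new cloud provider",
     "risks": {"R1": (8, "completed"), "R2": (16, "completed"), "R3": (15, "planned")}},
    {"date": date(2023, 9, 1), "trigger": "scheduled",
     "risks": {"R1": (8, "completed"), "R2": (10, "completed"), "R3": (6, "completed")}},
]

def frequency_gaps(assessments, max_days):
    """Pairs of consecutive assessments further apart than the defined frequency."""
    dates = sorted(a["date"] for a in assessments)
    return [(prev.isoformat(), nxt.isoformat(), (nxt - prev).days)
            for prev, nxt in zip(dates, dates[1:]) if (nxt - prev).days > max_days]

def treatment_findings(assessments):
    """Risks newly marked 'completed' whose score did not drop: the control is
    not effective, or the register was never re-scored after treatment."""
    ordered = sorted(assessments, key=lambda a: a["date"])
    findings = []
    for prev, cur in zip(ordered, ordered[1:]):
        for rid, (score, status) in cur["risks"].items():
            if status != "completed" or rid not in prev["risks"]:
                continue
            prev_score, prev_status = prev["risks"][rid]
            if prev_status != "completed" and score >= prev_score:
                findings.append((cur["date"].isoformat(), rid, prev_score, score))
    return findings

def audit_summary(assessments, max_days=DEFINED_FREQUENCY_DAYS):
    """The evidence an auditor asks for: how many assessments, how many were
    change-triggered, which frequency windows were missed, which treatments
    did not reduce risk."""
    return {
        "assessments": len(assessments),
        "change_triggered": sum(a["trigger"] != "scheduled" for a in assessments),
        "frequency_gaps": frequency_gaps(assessments, max_days),
        "treatment_findings": treatment_findings(assessments),
    }
```

On the sample data the summary flags the 104-day gap between the May and September assessments and the R2 treatment that was closed without its score dropping, which are exactly the two questions an auditor would raise from the register alone.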
Another piece of documentation
would be your attendance register from risk workshops.
It is always handy to maintain an attendance register,
as this can easily show the stakeholders that were involved in the risk assessment workshops,
especially if top management has been involved.
This attendance register would also serve as evidence for a number of different clauses,
including demonstrating top management commitment.
In this lesson, we covered the re-performance of a risk assessment,
and that generally risk assessments are done as per your defined frequency intervals.
Auditors can choose to audit both Clause 6 and Clause 8 at the same time for efficiency purposes.
We also covered the documented information that could be used to support the audit
and this process overall.