Information Security Risk Assessment

00:02

Listen 6.2

00:04

Information Security Risk assessment.

00:09

In this video, we will cover the Clause 8.2 requirements,

00:14

and we will also take a look at how

00:17

Clause 8.2

00:18

is different to close 6.2.

00:27

So this clause 8.2

00:30

performing information security risk assessments

00:33

It's quite easy, and there is not a lot of active work that needs to go into this. Besides, of course, doing the actual risk assessment, which can be quite intense.

00:44

How you go about doing your risk assessment is generally set out in Clause six.

00:50

The trick here

00:52

during 48.2,

00:54

is to ensure that you perform regular risk assessments

00:58

and that you are reassessing your completed risk treatment activities

01:03

and feeding these back into your risk assessment processes

01:07

and your statement of applicability.

01:10

There should be a defined frequency for performing risk assessments,

01:14

whether it be quarterly monthly. Whatever the case is,

01:19

it is also important that risks from any changes

01:25

our assist and fit into the risk management process

01:30

when you are audited,

01:30

especially during your eyes. So 27,001 certification audits

01:37

the auditors were generally want to see evidence

01:40

that you have performed your risk assessments as per your defined frequency.

01:45

This is especially true if you're running a more mature SMS,

01:53

so to summarize some of the key points,

01:57

the execution of your risk assessment process

02:00

must be performed. As per your defined frequency,

02:06

you would also they need to consider changes to your environment organization

02:10

or the ice miss itself

02:13

and any other change that may require an additional risk assessment

02:17

or service input into your existing risk assessments.

02:23

This is especially true for unplanned changes,

02:25

as was covered in this in 6.1.

02:30

The level of detail in your risk assessments performed can become greater with each iteration that is performed.

02:37

Generally, you would start at a high level and end up going into a lot more detail for each iteration performed.

02:51

For your documented information,

02:53

it should be easy to show documented information

02:57

as you will have your risk register

02:59

meeting minutes off the risk assessment workshops,

03:01

communication on the results to relevant parties

03:06

and so forth.

03:07

The key here is to demonstrate that you have performed these assessments

03:12

as per your defined frequency,

03:15

so you must be able to show that there have been multiple assessments

03:20

and if there were any differences between the assessments,

03:23

which generally there would be

03:25

as your risk level should come down when new risks would be identified,

03:31

They would also be documentation related to your risk treatment activities

03:37

and where treatment activities have been completed.

03:39

You would expect your risk level to drop.

03:43

This is especially true in areas where controls are successfully implemented and effective

03:49

as this would provide a greater level of mitigation against your identified risk.

03:55

Another piece of documentation

03:58

would be your attendance register from risk workshops.

04:03

It is always handy to maintain an attendance register

04:06

as this can easily show the stakeholders that were involved in the risk assessment workshops,

04:12

especially of top management, has been involved.

04:15

This attendance register would also service evidence for a number of different causes,

04:21

including demonstrating top management commitment

04:30

to summarize.

04:31

In this lesson, we covered the re performance of a risk assessment

04:36

and that generally risk assessments are done as per your defined frequency intervals.

04:44

Auditors can choose toe ordered both clause six and eight at the same time for efficiency purposes,

04:51

documented information that could be used to support the audit