ISMS-DOC-06-2 Risk Assessment and Treatment Process


Risk Assessment and Treatment Process [Insert classification]

Contents

1 Introduction .......... 8
2 Risk assessment and treatment process .......... 9
2.1 Criteria for performing information security risk assessments .......... 9
2.2 Risk acceptance criteria .......... 10
2.3 Process diagram .......... 11
2.4 Establish the context .......... 12
2.5 Risk identification .......... 12
2.5.1 Compile/maintain asset inventory .......... 13
2.5.2 Identify potential threats .......... 13
2.5.3 Assess existing vulnerabilities .......... 14
2.5.4 Identify risk scenarios .......... 14
2.6 Risk analysis .......... 14
2.6.1 Assess the likelihood .......... 14
2.6.2 Assess the impact .......... 15
2.6.3 Risk classification .......... 16
2.7 Risk evaluation .......... 17
2.7.1 Risk assessment report .......... 18
2.8 Risk treatment .......... 18
2.8.1 Risk treatment options .......... 18
2.8.2 Selection of controls .......... 19
2.8.3 Risk treatment plan .......... 19
2.8.4 Statement of applicability .......... 20
2.9 Management approval .......... 20
2.10 Risk monitoring and reporting .......... 20
2.11 Regular review .......... 20
2.12 Roles and responsibilities .......... 21
2.12.1 RACI chart .......... 21
3 Conclusion .......... 22

Figures

Figure 1: Risk assessment and treatment process diagram .......... 11
Figure 2: Risk matrix chart .......... 17

Tables

Table 1: Risk likelihood guidance .......... 15
Table 2: Risk impact guidance .......... 16
Table 3: RACI chart .......... 21

Version 1

Page 7 of 22

[Insert date]
