This is the third part of our series detailing the various steps needed to achieve a successful transition to the revised Standard.
The RISK ASSESSMENT PROCESS identifies the risks to the organisation and prioritises each one as a High, Medium or Low risk. Once these have been determined, the high and medium risks are transferred into a risk treatment plan, but more of that later.
The first step is to identify which assets are to be included in the risk assessment process; these are normally entered into an asset register.
Some examples of these assets will be:
- computer back-up systems,
- internal computer operating and package systems,
- desktops, laptops and servers,
- Active Directory,
- data links,
- other remote connections, telephony and voice recording, human resources, buildings, utilities and emergency power systems,
- secure storage of documents and records.
This list is not exhaustive and will need to be tailored to individual organisations.
The next step is to decide on the value of each asset to the organisation; this is not necessarily its monetary value but its value in terms of information security. You could use any scale, but for ease we tend to use low, medium and high (scored 1, 2 or 3).
Now score each asset against the three main elements of 27001, C.I.A. (Confidentiality, Integrity and Availability), again using the low, medium or high scale. The scores are entered into a matrix, which gives each asset an overall High, Medium or Low risk rating. The high and medium risks are then carried into the risk treatment plan, where each risk is dealt with in one of four ways:
- applying appropriate controls to reduce the risk,
- knowingly and objectively accepting the risk, provided it clearly satisfies the organisation's policy and criteria for risk acceptance,
- avoiding the risk by not allowing the actions that would cause it to occur,
- transferring the risk to another party, e.g. an insurer or a supplier.
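To show how the asset register, the value and C.I.A. scores and the treatment plan fit together, here is an added example in Python. It is not part of the article and not the author's own tool. The article gives the 1 to 3 scales but no formula for combining them, so the combining rule here is an assumption: risk score = asset value multiplied by the highest of the C, I and A scores, banded into Low (1 to 2), Medium (3 to 4) and High (6 to 9). The sample register entries are constructed for illustration.

```python
"""Risk matrix for an asset register scored on value and C.I.A. (1 = low, 2 = medium, 3 = high).

Assumed combining rule (not from the article): score = value * max(C, I, A),
banded Low (<= 2), Medium (3-4), High (>= 6). Only High and Medium risks are
carried into the treatment plan, as the article describes.
"""
from dataclasses import dataclass

SCALE = {1: "low", 2: "medium", 3: "high"}


@dataclass(frozen=True)
class Asset:
    name: str
    value: int            # value to the organisation in information-security terms
    confidentiality: int  # C score
    integrity: int        # I score
    availability: int     # A score

    def __post_init__(self):
        # Reject anything outside the 1..3 scale so a typo cannot silently lower a risk.
        for field, score in (("value", self.value), ("confidentiality", self.confidentiality),
                             ("integrity", self.integrity), ("availability", self.availability)):
            if score not in SCALE:
                raise ValueError(f"{self.name}: {field}={score!r} is not on the 1..3 scale")


def risk_score(asset: Asset) -> int:
    """Assumed rule: the asset's value weighted by its worst C, I or A exposure."""
    return asset.value * max(asset.confidentiality, asset.integrity, asset.availability)


def risk_rating(score: int) -> str:
    """Band a 1..9 score into the article's High / Medium / Low ratings (assumed thresholds)."""
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def risk_matrix(register: list[Asset]) -> list[dict]:
    """One matrix row per asset: name, the four input scores, the combined score and its rating."""
    rows = []
    for asset in register:
        score = risk_score(asset)
        rows.append({"asset": asset.name, "value": asset.value, "C": asset.confidentiality,
                     "I": asset.integrity, "A": asset.availability,
                     "score": score, "rating": risk_rating(score)})
    return rows


def treatment_plan(register: list[Asset]) -> list[tuple[str, str]]:
    """High and Medium risks only, worst first, ready to be assigned a treatment option
    (reduce with controls, accept, avoid, or transfer)."""
    rows = [r for r in risk_matrix(register) if r["rating"] in ("High", "Medium")]
    rows.sort(key=lambda r: (-r["score"], r["asset"]))
    return [(r["asset"], r["rating"]) for r in rows]


# Constructed sample register (illustrative scores, not from the article).
SAMPLE_REGISTER = [
    Asset("Active Directory", value=3, confidentiality=3, integrity=3, availability=3),
    Asset("Computer back-up systems", value=3, confidentiality=2, integrity=3, availability=2),
    Asset("Voice recording", value=2, confidentiality=3, integrity=2, availability=1),
    Asset("Desktops, laptops and servers", value=2, confidentiality=2, integrity=2, availability=2),
    Asset("Telephony", value=1, confidentiality=1, integrity=1, availability=2),
]

if __name__ == "__main__":
    for row in risk_matrix(SAMPLE_REGISTER):
        print(f"{row['asset']:<32} value={row['value']} C={row['C']} I={row['I']} A={row['A']}"
              f"  score={row['score']}  {row['rating']}")
    print("\nRisk treatment plan:")
    for name, rating in treatment_plan(SAMPLE_REGISTER):
        print(f"  {rating:<6} {name}")
```

Running the script prints the matrix for the five sample assets and then the treatment plan, which contains the four High and Medium entries and omits Telephony (a Low risk). The thresholds are deliberately kept in one place so that the organisation's own risk acceptance criteria can be substituted without touching the rest of the register.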
There are other methods that can be used for risk assessment, and these are equally valid. We feel that it is important to have a risk assessment process that is effective but easy to administer, and our method meets these criteria.
Stage four of this series will look at the documentation needed for this revised Standard.