...

  1. Mapping of information assets. Value assessment. Business impact assessment
  2. Identify existing safeguards and control measures
  3. Identification of risk elements
  4. Assessment of risk level (consequence and probability)
  5. Controls in relation to risk elements
  6. Categorization and prioritization of controls
  7. Approval of controls
  8. Risk treatment. Implementation and follow-up of controls

...

List of possible participants in a risk assessment workshop:

  • Management (defining risk appetite)
  • Information Security Manager/Officer
  • Risk owners / Asset owners
  • Risk assessment facilitator


Risk treatment and residual risk

Description of process


Risk treatment plan

  • A description of the risk to be reduced and the controls to implement
  • Rationale for the choice of controls and expected effects
  • Responsibility for approving the plan
  • Responsibility for implementing the controls
  • Activities related to implementation
  • Target and performance criteria and delimitations in relation to the controls
  • Reporting and monitoring requirements
  • Plan and timeframes


Risk areas

  • The organization's ownership of ICT
  • Information security policy and guidelines
  • Organization of information security
  • Resources
  • Expertise, skills and safety culture
  • Employee safety
  • Architecture
  • Work processes
  • Roles and responsibilities
  • Establishment and maintenance of portfolio
  • Innovation
  • Decision-making on ICT investments
  • Acquisition, development and maintenance of ICT systems / services
  • Quality assurance
  • Supplier relations
  • Handling of information assets
  • Access control
  • Operation and management
  • Infrastructure
  • Software
  • Data communication security
  • Cryptography
  • Malware and logical attacks
  • Social engineering
  • Theft or destruction
  • Disloyal employees
  • Physical and environmental areas
  • Geopolitical conditions
  • Handling of information security incidents
  • Continuity plans
  • Compliance with laws, rules and agreements
  • Communication


Tools/Aids