SIG-ISM has published a white paper on risk management.
A reference to ISO 27001 clause 5 (Leadership) should be added here, specifically detailing how the organization assigns risk responsibilities and how residual risks are accepted.
Roles
- Risk owner
- Risk assessment facilitator
Risk assessment process
The risk assessment process can be divided into the following activities:
- Mapping of information assets and assessment of their value
- Identification of existing safeguards
- Identification of risk elements
- Assessment of risk level (consequence and likelihood)
- Identification of controls addressing each risk element
- Categorization and prioritization of controls
- Approval of controls
- Risk treatment: implementation and follow-up of controls
Activities 2 to 5 are usually carried out in a risk assessment workshop.
Tools/Aids
- Risk assessment spreadsheet
- Examples of likelihood (probability)
- Examples of impact (consequence)
- Overview of risk areas
- Risk inventory