
Information Security : Risk Assessment and Treatment

Risk assessment (often called risk analysis) is perhaps the most difficult part of implementing ISO 27001, but at the same time, risk assessment (and its processing) is the most important step at the beginning of your information security project: it establishes the basis for information security in your company.


What is Risk Assessment

Risk assessment (often called risk analysis) is perhaps the most difficult part of implementing ISO 27001, but at the same time, risk assessment (and its processing) is the most important step at the beginning of your information security project: it establishes the basis for information security in your company. The question is: why is this so important? The answer is quite simple, despite the fact that many people don't understand it: the main philosophy of ISO 27001 is to search for incidents that may occur (i.e. risk assessment) and then identify the most suitable ways to prevent such incidents. And not only that, you must also evaluate the importance of each risk so that you can focus on the most important risks.

Despite the fact that assessment and processing (together with risk management) are complex work, they are often unnecessarily mystified. These 6 basic steps will shed light on what you should do.

1. Risk assessment methodology

This is the first step in your risk management journey. You need to determine the rules by which you intend to carry out risk management, since you want to do this the same way throughout the organization: the biggest risk assessment problem arises if different parts of the organization perform risk assessments in different ways. Therefore, you need to determine whether you want to assess risks qualitatively or quantitatively, which scales you will use for a qualitative assessment, what will be an acceptable level of risk, etc.

2. Implementation of risk assessment

Once you know the rules, you can begin to determine what potential problems may happen to you: you need to list all your assets, then the threats and vulnerabilities related to these assets, assess the impact and likelihood of each asset / threat / vulnerability set, and ultimately calculate the level of risk.

3. Implement risk treatment

Of course, not all identified risks are the same: you should focus on the most important of them, the so-called "unacceptable risks." There are 4 options you can choose from to neutralize each unacceptable risk. Using security controls from Appendix A to reduce risks (see the article Security controls from Appendix A of ISO 27001). Transferring the risk to another party, for example to an insurance company by purchasing an insurance policy. Avoiding the risk by terminating activities that are too risky, or by performing them in a completely different form. Accepting the risk, if, for example, the cost of reducing this risk would be higher than the damage caused by it. Here you need to get creative: how to reduce risks with a minimum of investment. It would be very easy if your budget were limitless, but that will never happen. And I must tell you that, unfortunately, your leadership is right: it is possible to achieve the same result with less money; you only need to outline how.

4. ISMS Risk Assessment Report

Unlike the previous steps, in this step you need to document everything that you have done so far. Not just for the auditors, but because you might want to check on your results this or next year.

5. Applicability statement

This document actually shows the security profile of your company: based on the results of risk management, you need to list all the security controls you have implemented, why you implemented them and how. This document is also very important because the certification auditor will use it as the main guide in conducting the audit.

6. Risk Management Plan

This is the step where you must move from theory to practice. Let's be honest: everything until now, all this work on risk management, was exclusively theoretical, but now it's time to show some specific results. This is the goal of the Risk Management Plan: to determine exactly who will implement each security control, in what period of time, with what budget, etc. I prefer to call this document "Implementation Plan" or "Action Plan", but let's stick to the terminology used in ISO 27001.

Once you have written this document, it will be critical to get its approval from your management, since the implementation of all the security controls that you have planned here will require considerable time and effort. And without their interest you will not achieve any of this. That's all: you have gone from not knowing how to organize your information security to a very clear picture of what you need to do. The fact is that ISO 27001 forces you to make this journey in a systematic manner.
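The six steps above, as an added worked example in Python that is not part of the presentation: it fixes one scoring methodology for the whole organization (an assumed 1 to 5 scale for impact and likelihood and an assumed acceptable level of 9), calculates the level of each asset / threat / vulnerability set, flags the unacceptable ones, and records a Risk Management Plan entry with owner, deadline and budget. The register entries and plan values are constructed for illustration.

```python
from dataclasses import dataclass

# Step 1, the methodology: fixed once so every department scores the same way.
# The 1..5 scales and the acceptable level are assumed values for this example.
SCALE = range(1, 6)
ACCEPTABLE_LEVEL = 9                                    # level = impact * likelihood
TREATMENTS = ("reduce", "transfer", "avoid", "accept")  # the four options of step 3


@dataclass
class Risk:
    """One asset / threat / vulnerability set from the risk register (step 2)."""
    asset: str
    threat: str
    vulnerability: str
    impact: int
    likelihood: int

    def level(self) -> int:
        # Reject scores outside the agreed scale instead of silently mixing methodologies.
        if self.impact not in SCALE or self.likelihood not in SCALE:
            raise ValueError(f"{self.asset}: scores must lie in {list(SCALE)}")
        return self.impact * self.likelihood

    def acceptable(self) -> bool:
        return self.level() <= ACCEPTABLE_LEVEL


def assess(register: list) -> list:
    """Return the unacceptable risks, highest level first, so they are treated first."""
    flagged = [r for r in register if not r.acceptable()]
    return sorted(flagged, key=lambda r: r.level(), reverse=True)


def plan_treatment(risk: Risk, option: str, owner: str, deadline: str, budget: int) -> dict:
    """One Risk Management Plan entry (step 6): who does what, by when, for how much."""
    if option not in TREATMENTS:
        raise ValueError(f"unknown treatment option {option!r}")
    if risk.acceptable():
        raise ValueError(f"{risk.asset}: level {risk.level()} is already acceptable")
    return {"asset": risk.asset, "threat": risk.threat, "level": risk.level(),
            "option": option, "owner": owner, "deadline": deadline, "budget": budget}


# Constructed sample register; the scores are illustrative only.
REGISTER = [
    Risk("customer database", "ransomware", "unpatched server", impact=5, likelihood=4),
    Risk("laptop fleet", "theft", "no disk encryption", impact=4, likelihood=3),
    Risk("office printer", "paper jam", "old hardware", impact=1, likelihood=5),
]
```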

Cyberops is India's leading organization in the field of information security. Advancement in technology and interconnected business ecosystems have combined to increase exposure to cyber attacks. We aim to digitally shield cyberspace by offering various products and services. We are poised to leverage our proficiency and global footprint in the field of information security and cyber crime investigation. We offer certified training on information security, provide penetration testing for security audits, and deliver cyber crime investigation services for various sectors to meet their specific needs. Cyberops is the best company for VAPT & Penetration Testing in India. Our service areas: Network Security Companies in Delhi, Penetration Testing Companies in Delhi, VAPT Companies in Delhi, Cyber Security Companies in Delhi, Website Security Audit Companies in Delhi.
