Please enable JavaScript.

Coggle requires JavaScript to display documents.

Almeera ISO 27005:2013 almeera_logo_290x50_1 (Risk management process (5…

- - - - Define criteria for assessing consequences and assessing the likelihood of the risk.
      - Define how the risk will be calculated.
      - Define how to identify the risk owners.
      - Define criteria for accepting risks.
      - Define how to identify the risks that could cause the loss of confidentiality, integrity, and/or availability of your information.
    - - Risk identification: What are the risks. Assets, threats and vulnerabilities
      - Risk owners:Basically, you should choose a person who is both interested in resolving a risk, and positioned highly enough in the organization to do something about it.
      - Assessing consequences and likelihood: You should assess separately the consequences and likelihood for each of your risks; you are completely free to use whichever scales you like – e.g., Low-Medium-High, or 1 to 5, or 1 to 10 – whatever suits you best. Of course, if you want to make it simple, go for Low-Medium-High.
      - Method of risk calculation. This is usually done through addition of consequences and likelihood (e.g., 2 + 5 = 7) or through multiplication (e.g., 2 x 5 = 10). If you use scales Low-Medium-High, then this is the same as using scale 1-2-3, so you have numbers again for calculation.
      - Criteria for accepting risks. If your method of risk calculation produces values from 1 to 10, then you can decide that an acceptable level of risk is, e.g., 7 – this would mean that only the risks valued at 8, 9, and 10 need treatment. Alternatively, you can examine each individual risk and decide which should be treated or not based on your insight and experience, using no pre-defined values. In any case, the level of acceptable risk will have to be in line with your business strategy – if you are, e.g., a conservative organization like a bank, then your acceptable level of risk will be lower.
    - - Documentation tip: (mandatory) A document called Risk assessment methodology or Risk management methodology.
      - The risk assessment process, including method of risk identification, how the level of risk is determined, assessment scales, method of risk calculation, how to determine the risk owner, the acceptable level of risk, how the decision on risk treatment is made, which tools to use, etc.
      - The risk treatment process, including responsibilities and documentation.
      - Laws and regulations, contractual requirements related to your risk management.
      - The review period – normally once a year, or more often in the case of some bigger changes. See also section Regular review of the risk assessment and treatment (clause 8.2)2.9 for details. Roles in the whole process – please see sections about performing risk assessment and risk treatment.
      - Which documents need to be produced – please see sections about performing risk assessment and risk treatment.
      - Who needs to communicate which information to whom, and which reports are needed.
      - How to protect the confidentiality of the information produced during the assessment.