Information Risk Assessment Process Overview
For a full breakdown of the methodology within Abriska please refer to the Information Security Methodology. To undertake a ISO 27001:2013 compliant risk assessment within Abriska the following phases must be completed:
Identify Information and Information Processing Facilities
- Identify information and determine the impact in terms of CIA
- Identify
SupportingsupportingResourcesresources /InformationinformationProcessingprocessing facilities - Relate information to supporting resources to consistently value an impact against all resources
Identify and Evaluate the Threats and Vulnerabilities
- Threats are defaulted based on resource type
- Threats must be assessed in terms of consequence and probability
- Threats are linked by default to controls, which is used to calculate the resulting vulnerability score
- Additional specific vulnerabilities can be added
Identify and Evaluate the Controls
- Determine which controls are applicable and determine appropriate owners of controls
- Assess controls including current maturity and proposed control improvements