
Information Risk Assessment Process Overview

For a full breakdown of the methodology within Abriska, please refer to the Information Security Methodology. To undertake an ISO 27001:2013 compliant risk assessment within Abriska, the following phases must be completed:

Identify Information and Information Processing Facilities

  1. Identify information and determine the impact in terms of CIA
  2. Identify supporting resources / information processing facilities
  3. Relate information to supporting resources to consistently value an impact against all resources

Identify and Evaluate the Threats and Vulnerabilities

  • Threats are defaulted based on resource type
  • Threats must be assessed in terms of consequence and probability
  • Threats are linked by default to controls, which are used to calculate the resulting vulnerability score
  • Additional specific vulnerabilities can be added

Identify and Evaluate the Controls

  • Determine which controls are applicable and determine appropriate owners of controls
  • Assess controls including current maturity and proposed control improvements
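The three phases above are a data model as much as a procedure: information carries the CIA impact, resources inherit it, threats sit on resources by type and are linked to controls, and the control maturity drives the vulnerability score. The following Python script is an added illustration of those relationships and of the outputs they generate; it is not Abriska's code. The 1..5 impact, consequence and probability scales, the 0..5 control maturity scale, the vulnerability rule (maturity shortfall of the linked controls), the scoring rule (impact x consequence x probability x vulnerability), the threat catalogue and all sample assets are assumptions constructed for the example.

```python
"""Toy model of the ISO 27001 risk assessment phases described above (illustrative only)."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Information:
    """Phase 1: an information asset scored for C, I and A on an assumed 1..5 scale."""
    name: str
    c: int
    i: int
    a: int

    def impact(self) -> int:
        return max(self.c, self.i, self.a)


@dataclass
class Control:
    """Phase 3: a control with an owner and an assumed 0..5 maturity rating."""
    name: str
    owner: str
    maturity: int


@dataclass
class Threat:
    """Phase 2: a threat assessed for consequence and probability (assumed 1..5)
    and linked to the controls that mitigate it."""
    name: str
    consequence: int
    probability: int
    controls: List[Control]

    def vulnerability(self) -> float:
        # Assumed rule: vulnerability is the maturity shortfall of the linked controls.
        # No linked control means fully exposed (1.0); fully mature controls give 0.0.
        if not self.controls:
            return 1.0
        avg = sum(c.maturity for c in self.controls) / len(self.controls)
        return round(1.0 - avg / 5.0, 2)


@dataclass
class Resource:
    """Phase 1: a supporting resource / information processing facility."""
    name: str
    resource_type: str
    information: List[Information]
    threats: List[Threat] = field(default_factory=list)

    def impact(self) -> int:
        # Step 3: a resource inherits the impact of the most sensitive information it supports,
        # so every resource holding the same information is valued consistently.
        return max(info.impact() for info in self.information)


def risk_score(resource: Resource, threat: Threat) -> float:
    # Assumed scoring rule: impact x consequence x probability x vulnerability.
    return round(resource.impact() * threat.consequence * threat.probability
                 * threat.vulnerability(), 1)


def default_threats(resource_type: str, ctl: Dict[str, Control]) -> List[Threat]:
    """Constructed default threat catalogue keyed by resource type (phase 2, first bullet)."""
    catalogue = {
        "server": [Threat("Malware infection", 4, 4, [ctl["Anti-malware"], ctl["Patch management"]]),
                   Threat("Hardware failure", 3, 2, [ctl["Redundant hardware"]])],
        "laptop": [Threat("Loss or theft", 4, 3, [ctl["Disk encryption"]])],
    }
    return catalogue.get(resource_type, [])


def risk_register(resources: List[Resource]) -> List[dict]:
    """Risk register: generated risk statements, highest score first."""
    rows = []
    for res in resources:
        for thr in res.threats:
            score = risk_score(res, thr)
            rows.append({"resource": res.name, "threat": thr.name, "score": score,
                         "statement": (f"'{thr.name}' affecting '{res.name}' (impact {res.impact()}, "
                                       f"vulnerability {thr.vulnerability()}) scores {score}")})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def risk_matrix(resources: List[Resource]) -> Dict[str, Dict[str, float]]:
    """Risk score matrix: resource-based threat risk scores."""
    return {res.name: {thr.name: risk_score(res, thr) for thr in res.threats} for res in resources}


def treatment_plan(resources: List[Resource], controls: List[Control]) -> List[dict]:
    """Risk treatment plan: total risk reduction from raising each control one maturity level."""
    total = lambda: sum(r["score"] for r in risk_register(resources))
    baseline, plan = total(), []
    for ctl in controls:
        if ctl.maturity >= 5:
            continue
        ctl.maturity += 1  # trial improvement
        plan.append({"control": ctl.name, "owner": ctl.owner, "reduction": round(baseline - total(), 1)})
        ctl.maturity -= 1  # restore the current state
    return sorted(plan, key=lambda p: p["reduction"], reverse=True)


def build_sample():
    """Constructed sample: two information assets, two resources, four controls."""
    customer = Information("Customer records", 5, 4, 3)
    marketing = Information("Marketing collateral", 1, 2, 2)
    controls = [Control("Anti-malware", "IT Ops", 3), Control("Patch management", "IT Ops", 2),
                Control("Redundant hardware", "Infrastructure", 4), Control("Disk encryption", "IT Ops", 1)]
    ctl = {c.name: c for c in controls}
    resources = [Resource("File server", "server", [customer, marketing]),
                 Resource("Sales laptop", "laptop", [marketing])]
    for res in resources:
        res.threats = default_threats(res.resource_type, ctl)
    return resources, controls


if __name__ == "__main__":
    resources, controls = build_sample()
    for row in risk_register(resources):
        print(row["statement"])
    print(risk_matrix(resources))
    print(treatment_plan(resources, controls))
```

Running the script shows why step 3 of phase 1 matters: the file server scores higher than the laptop for every threat purely because it supports the customer records, and the treatment plan ranks control improvements by how much risk they remove across all resources rather than per threat.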

Outputs

The following outputs are available once the risk assessment process is complete:

Risk Register

Generated risk statements based on the relationships built up through the system.

Risk Score Matrix

Resource-based threat risk scores

Risk Treatment Plan

Control-based risk improvements

Vulnerability Report

Address specific vulnerabilities to reduce the risk of threats occurring.