Information Risk Assessment Process Overview
For a full breakdown of the methodology within Abriska, please refer to the Information Security Methodology. To undertake an ISO 27001:2013 compliant risk assessment within Abriska, the following phases must be completed:
Identify Information and Information Processing Facilities
- Identify information and determine the impact in terms of CIA (confidentiality, integrity and availability)
- Identify supporting resources / information processing facilities
- Relate information to supporting resources so that the impact is valued consistently against all resources
Identify and Evaluate the Threats and Vulnerabilities
- Threats are defaulted based on resource type
- Threats must be assessed in terms of consequence and probability
- Threats are linked by default to controls, which are used to calculate the resulting vulnerability score
- Additional specific vulnerabilities can be added
Identify and Evaluate the Controls
- Determine which controls are applicable and assign appropriate control owners
- Assess controls, including their current maturity and any proposed control improvements
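As an added example (not Abriska's own code or scoring model), the following Python models the three phases: information valued by CIA impact, resources inheriting that impact from the information they support, threats defaulted by resource type and assessed by probability and consequence, and linked controls whose assessed maturity reduces the vulnerability score. The rating scales, formulas and sample data are assumptions for illustration.

```python
from dataclasses import dataclass
# Constructed illustrative model of the three phases above. The rating scales
# and scoring formulas are assumptions for this example, not Abriska's own.
CIA = ("confidentiality", "integrity", "availability")

@dataclass
class Information:
    name: str
    impact: dict      # CIA attribute -> impact rating 1..5 (assumed scale)
@dataclass
class Resource:
    name: str
    rtype: str        # resource type, used to default the threat list
    supports: list    # names of Information items this resource processes
@dataclass
class Threat:
    name: str
    probability: int  # 1..5 (assumed scale)
    consequence: int  # 1..5 (assumed scale)
    controls: list    # names of controls linked to this threat
# Phase 2: threats defaulted per resource type (constructed sample data).
DEFAULT_THREATS = {
    "server": [Threat("malware", 4, 3, ["anti-malware", "patching"]),
               Threat("power failure", 2, 4, ["ups"])],
}

def resource_impact(resource, information):
    """Phase 1: a resource inherits the highest CIA impact of every
    information item it supports, so impact is valued consistently."""
    items = [information[n] for n in resource.supports]
    return {a: max(i.impact[a] for i in items) for a in CIA}

def vulnerability_score(threat, maturity):
    """Phase 3: linked controls reduce vulnerability by assessed maturity
    (0 = absent, 1 = fully mature). Assumed: the weakest control bounds it."""
    if not threat.controls:
        return 1.0
    return 1.0 - min(maturity.get(c, 0.0) for c in threat.controls)

def risk_score(threat, resource, information, maturity):
    """Assumed combination: probability x consequence x impact x vulnerability."""
    impact = max(resource_impact(resource, information).values())
    return threat.probability * threat.consequence * impact * vulnerability_score(threat, maturity)

def assess(resource, information, maturity):
    """Score each defaulted threat for a resource, highest risk first."""
    scored = [(t.name, risk_score(t, resource, information, maturity))
              for t in DEFAULT_THREATS.get(resource.rtype, [])]
    return sorted(scored, key=lambda pair: -pair[1])
```

Because every resource inherits the maximum impact of the information it supports, a control improvement (higher maturity) lowers the residual risk of every threat it is linked to without re-valuing the information itself.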