Information Risk Assessment Process Overview
For a full breakdown of the methodology within Abriska please refer to the methodInformation statement.Security Methodology. To undertake a ISO 27001:2013 compliant risk assessment within Abriska the following phases must be completed:
Identify Information and Information Processing Facilities
- Identify Information and Value in terms of CIA
- Identify Supporting Resources / Information Processing Facilities
- Relate Information to Supporting Resources
Identify and Evaluate the Threats and Vulnerabilities
- Threats are defaulted based on resource type
- Threats must be assessed in terms of consequence and probability
- Threats are linked by default to controls, which is used to calculate the resulting vulnerability score
- Additional specific vulnerabilities can be added
Identify and Evaluate the Controls
- Determine which controls are applicable and determine appropriate owners of controls
- Assess controls including current maturity and proposed control improvements