
Information Risk Assessment Process Overview

For a full breakdown of the methodology within Abriska please refer to the Information Security Methodology. To undertake an ISO 27001:2013 compliant risk assessment within Abriska the following phases must be completed:

Identify Information and Information Processing Facilities

  1. Identify information and supporting resources / information processing facilities
  2. Relate information to supporting resources so that once impact values have been assigned to information they will be inherited by the linked supporting resources. How this is done is explained here
  3. For each information resource assign impact values for confidentiality, integrity and availability. This is done from the Resources screen and achieved by updating the 'Resource Attribute' (the attribute descriptions are default values but can be amended if required from the 'RA Setup' option under Risk Analysis from the main menu)

Identify and Evaluate the Threats and Vulnerabilities

  • First, the entity that relates to the scope of the risk assessment needs to be created and set up in Abriska.
  • Part of the setup process is to assign resources to the entity.
  • This will result in threats being linked to the entity based on the resource types that are selected as being within the scope.
  • Because Abriska deals with both information risk in line with ISO 27001 and business continuity risk assessment, the list of threats that are linked may include some that are not appropriate to the type of risk assessment being completed.
  • From the list of threats that is presented when selecting the ‘View Applicable Threats’ option from the entity workflow, those that are not appropriate to the scope and type of risk assessment must be deselected.
  • To do this, select the threat and uncheck the ‘Applicable’ checkbox. Text should also be entered in the ‘Justification’ box to support the deselection.
  • There are three components to a risk assessment that are applied to every threat/asset (resource) combination. These are impact, probability and vulnerability.
  • Threats are linked by default to controls, which are used to calculate the resulting vulnerability score. However, additional specific vulnerabilities can be added on the ‘Identify Vulnerabilities’ screen in the entity workflow. There is a library of vulnerabilities to choose from, or a new one can be added.
  • The impact was defined against each of the resources; however, for each threat its relationship to confidentiality, integrity and availability must be assigned. A total score of 100 must be shared between these three attributes.
  • Finally, the probability of each threat materialising must be assessed. The criteria to be used in the assessment are included in Abriska, but can be changed if required. The threat probability should be assessed ignoring any controls that are in place as far as possible (the effect of controls is taken into account in the vulnerability score, so would be ‘double counted’ if taken into account at this stage).
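The steps above describe a small data model: information carries CIA impact values, supporting resources inherit them through their links, each applicable threat splits a total of 100 across the three attributes and carries a probability (assessed ignoring controls) and a vulnerability score, and a risk register is generated for every threat/resource combination. The following Python is an added illustration of that model and is not Abriska code. Abriska's actual scoring formula is not given on this page; the "CIA-weighted impact x probability x vulnerability" product, the 1..5 scales, the `max` rule for inheritance and the sample resources and threats are all assumptions made for the example.

```python
"""Illustrative model of the risk assessment steps described on this page.

Added example, not Abriska code. The scoring formula, the 1..5 scales and the
inheritance rule below are assumptions; Abriska's own formula is not given here.
"""
from dataclasses import dataclass, field

CIA = ("confidentiality", "integrity", "availability")


@dataclass
class Resource:
    name: str
    kind: str                                       # "information" or "supporting"
    impact: dict = field(default_factory=dict)      # CIA attribute -> impact value (1..5)
    supported_by: list = field(default_factory=list)  # names of linked supporting resources


@dataclass
class Threat:
    name: str
    applicable: bool
    justification: str                              # required when applicable is False
    cia_split: dict                                 # CIA attribute -> share of 100
    probability: int                                # assessed ignoring controls (1..5)
    vulnerability: int                              # from linked controls plus specific vulnerabilities (1..5)


def inherit_impact(resources):
    """Propagate impact from information to the supporting resources it is linked to.

    Assumed rule: a supporting resource holding several pieces of information takes
    the highest value per CIA attribute, so the most sensitive information sets its impact.
    """
    by_name = {r.name: r for r in resources}
    for info in resources:
        if info.kind != "information":
            continue
        for sup_name in info.supported_by:
            sup = by_name[sup_name]
            for attr in CIA:
                sup.impact[attr] = max(sup.impact.get(attr, 0), info.impact[attr])
    return resources


def validate_threat(threat):
    """Enforce the two rules from the text: CIA shares total 100; a deselection is justified."""
    if threat.applicable:
        if sum(threat.cia_split.get(a, 0) for a in CIA) != 100:
            raise ValueError(f"{threat.name}: CIA split must total 100")
    elif not threat.justification.strip():
        raise ValueError(f"{threat.name}: a deselected threat needs a justification")
    return True


def risk_score(resource, threat):
    """Assumed illustrative formula: CIA-weighted impact x probability x vulnerability."""
    weighted_impact = sum(
        resource.impact.get(a, 0) * threat.cia_split.get(a, 0) / 100 for a in CIA
    )
    return round(weighted_impact * threat.probability * threat.vulnerability, 2)


def build_register(resources, threats):
    """Risk register: one statement per applicable threat / resource combination, highest risk first."""
    for t in threats:
        validate_threat(t)
    resources = inherit_impact(resources)
    rows = []
    for t in threats:
        if not t.applicable:            # deselected threats never reach the register
            continue
        for r in resources:
            if not r.impact:            # a resource with no linked information has no impact to assess
                continue
            rows.append({
                "resource": r.name,
                "threat": t.name,
                "score": risk_score(r, t),
                "statement": f"{t.name} affecting {r.name}",
            })
    return sorted(rows, key=lambda row: row["score"], reverse=True)


# Constructed sample data for the example (not taken from Abriska).
SAMPLE_RESOURCES = [
    Resource("Customer records", "information",
             {"confidentiality": 5, "integrity": 4, "availability": 3},
             supported_by=["CRM server", "Backup tapes"]),
    Resource("Marketing brochure", "information",
             {"confidentiality": 1, "integrity": 3, "availability": 2},
             supported_by=["CRM server", "Web server"]),
    Resource("CRM server", "supporting"),
    Resource("Backup tapes", "supporting"),
    Resource("Web server", "supporting"),
]

SAMPLE_THREATS = [
    Threat("Theft of media", True, "",
           {"confidentiality": 70, "integrity": 10, "availability": 20}, probability=3, vulnerability=2),
    Threat("Flooding", False, "Business continuity threat; out of scope for this information risk assessment",
           {"confidentiality": 0, "integrity": 0, "availability": 100}, probability=2, vulnerability=3),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_RESOURCES, SAMPLE_THREATS):
        print(f"{row['score']:6.2f}  {row['statement']}")
```

With the sample data the CRM server and backup tapes inherit the customer records' impact (5/4/3) rather than the brochure's, so "Theft of media" scores 27.0 against them and only 8.4 against the web server; the deselected "Flooding" threat is validated for a justification and then left out of the register, which is the behaviour the deselection step above is meant to produce.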

Identify and Evaluate the Controls

  • Determine which controls are applicable and determine appropriate owners of controls
  • Assess controls including current maturity and proposed control improvements

Outputs

The following outputs are available once the risk assessment process is complete:

Risk Register

Generated risk statements based on the relationships built up through the system.

Risk Score Matrix

Resource based threat risk scores

Risk Treatment Plan

Control based risk improvements

Vulnerability Report

Address specific vulnerabilities to reduce the risk of threats occurring.