Information Risk Assessment Process Overview

For a full breakdown of the methodology within Abriska please refer to the Information Security Methodology. To undertake a ISO 27001:2013 compliant risk assessment within Abriska the following phases must be completed:

Identify Information and Information Processing Facilities

1. Identify information and determine the impact in terms of CIA
2. Identify supporting resources / information processing facilities
3. Relate information to supporting resources toso consistentlythat value anonce impact againstvalues allhave resourcesbeen assigned to information they will be inherited by the linked supporting resources. How this is done is explained here

Identify and Evaluate the Threats and Vulnerabilities

• Threats are defaulted based on resource type
• Threats must be assessed in terms of consequence and probability
• Threats are linked by default to controls, which is used to calculate the resulting vulnerability score
• Additional specific vulnerabilities can be added

Identify and Evaluate the Controls

• Determine which controls are applicable and determine appropriate owners of controls
• Assess controls including current maturity and proposed control improvements

Outputs

The following outputs are avaiable once the risk assessment process is complete:

Risk Register

Generated risk statements based on the relationships build up through the system.

Risk Score Matrix

Resource based threat risk scores

Risk Treatment Plan

Control based risk improvements

Vulnerability Report

Address specific vulnerabilities to reduce the risk of threats occurring.