Information Risk Assessment Process Overview
For a full breakdown of the methodology within Abriska please refer to the Information Security Methodology. To undertake an ISO 27001:2013-compliant risk assessment within Abriska the following phases must be completed:
Identify Information and Information Processing Facilities
- Identify information and determine the impact in terms of CIA
- Identify supporting resources / information processing facilities
- Relate information to supporting resources so that value is assigned consistently against all resources: once impact values have been assigned to information they will be inherited by the linked supporting resources. How this is done is explained here
Identify and Evaluate the Threats and Vulnerabilities
- Threats are defaulted based on resource type
- Threats must be assessed in terms of consequence and probability
- Threats are linked by default to controls, and this linkage is used to calculate the resulting vulnerability score
- Additional specific vulnerabilities can be added
Identify and Evaluate the Controls
- Determine which controls are applicable and assign appropriate owners to them
- Assess controls including current maturity and proposed control improvements
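The three phases above, worked through as an added Python example (not Abriska's own code): information carries CIA impact values, a linked resource inherits them, default threats per resource type are scored by consequence and probability, and the controls linked to each threat drive the vulnerability score. The inheritance rule (highest impact across linked information), the default threat table, the maturity-to-vulnerability mapping and the risk formula are all illustrative assumptions, as is every sample value.

```python
from dataclasses import dataclass, field

@dataclass
class Information:
    name: str
    impact: dict  # {"C": 1-5, "I": 1-5, "A": 1-5} (constructed scale)

@dataclass
class Resource:
    name: str
    rtype: str
    information: list = field(default_factory=list)

    def inherited_impact(self) -> dict:
        """Assumed rule: a resource inherits the highest CIA impact of the information it supports."""
        return {d: max((i.impact[d] for i in self.information), default=0) for d in "CIA"}

# Assumed default threats per resource type: (threat name, CIA dimension the threat harms)
DEFAULT_THREATS = {
    "server": [("malware", "A"), ("unauthorised access", "C")],
    "paper": [("loss", "C")],
}

@dataclass
class Control:
    name: str
    maturity: int  # 0 (not implemented) .. 5 (fully mature), constructed scale

def vulnerability_score(controls) -> int:
    """Assumed mapping: weak or absent controls give a high vulnerability (1..5)."""
    if not controls:
        return 5
    avg = sum(c.maturity for c in controls) / len(controls)
    return max(1, round(5 - avg))

def assess(resource, probability, controls_by_threat) -> dict:
    """Risk per default threat = inherited consequence x probability x vulnerability (assumed formula)."""
    impact = resource.inherited_impact()
    return {t: impact[d] * probability[t] * vulnerability_score(controls_by_threat.get(t, []))
            for t, d in DEFAULT_THREATS[resource.rtype]}

# Constructed sample data
customer_db = Information("customer records", {"C": 5, "I": 4, "A": 3})
intranet = Information("intranet pages", {"C": 1, "I": 2, "A": 4})
db_server = Resource("db-server-01", "server", [customer_db, intranet])
PROBABILITY = {"malware": 3, "unauthorised access": 2}

def example(current=True) -> dict:
    """Current controls vs. a proposed improvement (patching maturity raised from 2 to 4)."""
    controls = {"malware": [Control("anti-malware", 4), Control("patching", 2 if current else 4)]}
    return assess(db_server, PROBABILITY, controls)
```

Comparing `example()` with `example(current=False)` shows how a proposed control improvement lowers the malware risk while the uncontrolled "unauthorised access" threat keeps its full score.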