
Information Risk Assessment Process Overview

For a full breakdown of the methodology within Abriska please refer to the Information Security Methodology. To undertake an ISO 27001:2013 compliant risk assessment within Abriska the following phases must be completed:

  1. Identify Information and Information Processing Facilities
    1. Identify Information and Value in terms of CIA
    2. Identify Supporting Resources / Information Processing Facilities
    3. Relate Information to Supporting Resources

  2. Identify and Evaluate the Threats and Vulnerabilities

    • Threats are defaulted based on resource type
    • Threats must be assessed in terms of consequence and probability
    • Threats are linked by default to controls, which are used to calculate the resulting vulnerability score
    • Additional specific vulnerabilities can be added

  3. Identify and Evaluate the Controls

    • Determine which controls are applicable and determine appropriate owners of controls
    • Assess controls, including current maturity and proposed control improvements

    Outputs

    The following outputs are available once the risk assessment process is complete:

    Risk Register

    Generated risk statements based on the relationships built up through the system.

    Risk Score Matrix

    Resource-based threat risk scores.

    Risk Treatment Plan

    Control-based risk improvements.

    Vulnerability Report

    Addresses specific vulnerabilities to reduce the risk of threats occurring.