Risk assessment (often called risk analysis) is probably the most complex part of ISO 27001implementation; but at the same time risk assessment (and treatment) is the most important step at the beginning of your information security project – it sets the foundations for information security in your company. Although risk assessment and treatment (together: risk management) is a complex job, it is very often unnecessarily mystified. Of course, not all risks are created equal – you have to focus on the most important ones, so-called ‘unacceptable risks’. Avoid the risk by stopping an activity that is too risky, or by doing it in a completely different fashion. Accept the risk – if, for instance, the cost for mitigating that risk would be higher that the damage itself. This is where you need to get creative – how to decrease the risks with minimum investment.


This document actually shows the security profile of your company – based on the results of the risk treatment you need to list all the controls you have implemented, why you have implemented them and how. This is the purpose of Risk Treatment Plan – to define exactly who is going to implement each control, in which timeframe, with which budget, etc. Once you’ve written this document, it is crucial to get your management approval because it will take considerable time and effort (and money) to implement all the controls that you have planned here. You need to define rules on how you are going to perform the risk management because you want your whole organization to do it the same way – the biggest problem with risk assessment happens if different parts of the organization perform it in a different way.
This document is also very important because the certification auditor will use it as the main guideline for the audit. Let’s be frank – all up to now this whole risk management job was purely theoretical, but now it’s time to show some concrete results.


However, if you’re just looking to do risk assessment once a year, that standard is probably not necessary for you. Therefore, you need to define whether you want qualitative or quantitative risk assessment, which scales you will use for qualitative assessment, what will be the acceptable level of risk, etc. Not only this, you also have to assess the importance of each risk so that you can focus on the most important ones.



Natural disaster kit checklist nz
Fire evacuation procedure example
Tornado preparedness kits


Comments

  1. 10.12.2014 at 14:21:33


    Positive that your generous, and up to 80 percent of the.

    Author: Dasdafsdf
  2. 10.12.2014 at 21:56:45


    Have soon after any sort of unusual.

    Author: ALEX