SlideShare a Scribd company logo

Iso27001 Risk Assessment Approach

Download as PPTX, PDF
T
tschraider

This document provides an overview of ISO27001's risk assessment approach, which involves identifying assets, threats, vulnerabilities and controls to determine inherent and residual risks. Key steps include identifying high value assets, threats against those assets, vulnerabilities that could be exploited by threats, inherent risk levels without controls, existing controls, and residual risk levels with controls in place. Risks still above thresholds after controls would be added to an information security risk register for ongoing treatment and monitoring.

Related topics:
Risk-Management Information Security Risk Assessment
1 of 11
Downloaded 1,891 times
1
2
Most read
3
4
5
6
7
8
Most read
9
Most read
10
11
Information Security Management System (ISMS) ISO27001 Risk Assessment Approach March 2012
2 Security Risk Assessment Overview • The first step in risk assessment is the identification of all information assets in the organisation - i.e. of all assets which may Identify & value affect the security of information in the organisation. assets • A value is assigned to each asset in terms of the worst-case impact the loss of confidentiality, integrity or availability of the asset may have on the organisation. This acts as an asset prioritisation Identify threats mechanism, with only higher-value assets being taken through to the next stage. • The next step is to identify all threats and vulnerabilities associated Identify with the higher-value assets identified. Every asset may be vulnerabilities associated with several threats, and every threat may be associated with several vulnerabilities. Assess inherent • The probability of threats exploiting the vulnerabilities is then risk assessed, along with the impact should this occur, based on the assumption that no controls are in place. From this assessment, a pre-control (or inherent) risk score is calculated. Risk with a Identify controls medium to high score is then taken on to the next step. • Existing controls or mitigating factors which reduce the impact or probability of each risk is identified, and the impact and probability Determine scores are reassessed to reflect the impact of these controls residual risk • Risks with scores above the acceptable risk threshold will then be raised on the Information Security risk register, where mitigating Feed into risk actions will be tracked by the Information Security team, and treatment plan reported and escalated.
3 Asset identification Assets are defined as anything which may affect confidentiality, integrity and availability of information in the organisation Identify & value assets • Information e.g. Human resources data, Financial data, Marketing data, Employee passwords, Source code, System documentation, Intellectual property, Data for regulatory Identify threats requirements, Strategic plans, Employee business contact data, Employee personal contact data, Purchase order data, Network infrastructure design, Internal Web sites Identify vulnerabilities • Technology e.g. Servers, Desktop computers, Laptops, Tablet, Smart phones, Server application software, End-user application software, Development Assess inherent tools, Routers, Network switches, PBXs, Removable media, Power risk supplies, Uninterruptible power supplies • Services e.g. E-mail/scheduling, Instant messaging, Active Directory Identify directory service, Domain Name System (DNS), Dynamic Host controls Configuration Protocol (DHCP), Enterprise management tools, File sharing, Storage, Dial-up remote access, Telephony Virtual Private Networking (VPN) access , Collaboration services (for Determine example, Microsoft SharePoint) residual risk • People e.g. Subject matter experts, administrators, developers, third party support, end-users Feed into risk treatment plan
4 Asset Valuation The asset is valued in terms of the impact of total loss of the asset in terms of confidentiality, integrity or availability. Each asset will given a Identify & value assets High, Medium or Low rating as its value. Assets considered High and Medium will be Identify threats Asset Consequence of Loss of CIA Value Loss of confidentiality, availability or integrity has considerable Identify vulnerabilities High and immediate impact on the organisation's cash flow, operations, legal or contractual obligations, or its reputation. Assess inherent risk Loss of confidentiality, availability or integrity incurs additional Medium costs and has a low or moderate impact on legal or contractual obligations, or the organisation's reputation. Identify controls Loss of confidentiality, availability or integrity does not affect the Low organisation's cash flow, operations, legal or contractual Determine obligations, or its reputation. residual risk Feed into risk treatment plan
5 Identify Threats For each asset, what can impact its confidentiality, integrity, or availability? Identify & value assets • Catastrophic incidents e.g. Fire, Flood, Earthquake, Severe storm, Terrorist attack, Civil unrest/riots, Landslide, Industrial accident Identify threats • Mechanical failure e.g. Power outage, Hardware failure, Network outage, Environmental controls failure, Construction accident Identify vulnerabilities • Non-malicious person e.g. Uninformed employee, Uninformed user Assess inherent • Malicious person e.g. "Hacker, cracker", Computer criminal, risk Industrial espionage, Government sponsored espionage, Social engineering, Disgruntled current employee, Disgruntled former Identify employee, Terrorist, Negligent employee, Dishonest employee controls (bribed or victim of blackmail), Malicious mobile code Determine residual risk Feed into risk treatment plan
6 Identify Vulnerabilities For each asset, are there vulnerabilities that can be exploited by the threat? Identify & value assets • Physical e.g. Unlocked doors, Unlocked windows, Walls susceptible to physical assault, Interior walls do not completely seal the room at Identify threats both the ceiling and floor • Hardware e.g. Missing patches, Outdated firmware, Misconfigured Identify systems, Systems not physically secured, Management protocols vulnerabilities allowed over public interfaces Assess inherent • Software e.g. Out of date antivirus software, Missing risk patches, Poorly written applications, Deliberately placed weaknesses, Configuration errors Identify controls • Communications e.g. Unencrypted network protocols, Connections to multiple networks, Unnecessary protocols allowed, No filtering between network segments Determine residual risk • Human e.g. Poorly defined procedures, Stolen credentials Feed into risk treatment plan
7 Determine Risk Probability For each asset/threat/vulnerability combination, determine the probability of the specific risk materialising: Identify & value assets Probability Guidance • History of regular occurrence. Identify threats • The event will occur (recur) Certain • No special skills or determination required; information asset easily available. Identify vulnerabilities Likely • The event will occur (recur) in most circumstances Assess inherent • Has occurred in the past. risk • The event may well occur (recur) at some time Possible • No special skills required except for time and determination. Identify controls Unlikely • The event could occur (recur) at some time Determine • No history of occurrence. residual risk • The event may only happen in exceptional circumstances Rare • High level of technical or social engineering skill and determination required. Feed into risk treatment plan
8 Determine Risk Impact For each asset/threat/vulnerability combination, consider the business impact should the risk materialise: (to be determined per organisation) Identify & value assets Business Impact Characteristics Rating Identify threats For example: Service disruption / failure – > 1 week; Direct financial loss – > 50% PBT / > 10% fall in share price; Business/ reputation Catastrophic impact – e.g. legal action (including custodial sentence) / extensive external media attention / failure to achieve 1 or more corporate Identify objective vulnerabilities For example: Service disruption / failure – 1-5 days; Direct financial loss – 15-50% PBT; Health & safety incident – e.g. fatality / Major Assess inherent permanent disability; Business/ reputation impact – e.g. legal action / risk national attention from media or regulators For example: Service disruption / failure – 1 day; Direct financial loss – 5-15% PBT; Health & safety incident – e.g. fractures / time off; Identify Moderate controls Business/ reputation impact – e.g. legal action / local media or regulatory attention For example: Service disruption – <1 day; Direct financial loss – < 5% Determine Minor PBT; Health & safety incident – e.g. cuts / bruises; Business / residual risk reputation impact – e.g. complaint or legal action For example: Service disruption – none / minor; Direct financial loss Feed into risk Insignificant – negligible; Health & safety incident – none / very minor; Business / treatment plan reputation impact- systems could be improved
9 Security Risk Assessment Overview The inherent risk score is calculated based on the likelihood and impact values selected in the previous section. (to be determined per Identify & value assets organisation) Medium Asset Value Likelihood Identify threats Rare Unlikely Possible Likely Certain Insignificant 1 2 2 3 4 Impact Minor 2 3 5 6 8 Identify vulnerabilities Moderate 2 5 7 9 11 Major 3 6 9 12 15 Catastrophic 4 8 11 15 19 Assess inherent risk High Asset Identify Value Likelihood controls Rare Unlikely Possible Likely Certain Insignificant 1 2 3 4 5 Determine Minor 2 4 6 8 10 Impact residual risk Moderate 3 6 9 12 15 Major 4 8 12 16 20 Feed into risk treatment plan Catastrophic 5 10 15 20 25
10 Identify controls For each risk with a significant risk rating, identify the existing controls and mitigating factors that reduce the likelihood and impact ratings. Identify & value assets Control examples (from ISO27001 Annex A): • Physical security controls e.g. Secure areas, Equipment security Identify threats • IT operations management controls e.g. Network security management, Data backup, Media handling, Anti- Identify malware, Vulnerability management, Auditing/monitoring vulnerabilities • Access controls e.g. access management, O/S access Assess inherent controls, application access controls, network access risk controls, remote access controls Identify • Secure development controls e.g. security requirements, data controls integrity controls, security design, security testing Determine • Business continuity planning residual risk • Employee security controls e.g. Joiners screening, Terms & Conditions, security training , disciplinary procedures, leavers Feed into risk treatment plan access termination, return of assets
11 Determine post control risk Taking into account the effect of the controls and mitigating factors identified, reassess the probability and impact scores to determine the Identify & value assets post-control risk score. In all likelihood, a number of risks will now score below the ‘significant’ risk threshold. Identify threats Where risks still have an above significant score, these will be raised on the Information Security risk register which will be created as part of the Group IT ISMS implementation. Identify vulnerabilities Risk treatment plans will then be recorded and tracked as part of the Information Security risk management process. Assess inherent risk Identify controls Determine residual risk Feed into risk treatment plan

More Related Content

PPTX
Risk management ISO 27001 Standard
Tharindunuwan9
 
PDF
Guide to Risk Management Framework (RMF)
MetroStar
 
PPSX
NIST presentation on RMF 2.0 / SP 800-37 rev. 2
NetLockSmith
 
PPTX
Third Party Risk Management
EC-Council
 
PPTX
SOC 2 presentation. Overview of SOC 2 assessment
Modu9
 
PDF
NIST Cybersecurity Framework Intro for ISACA Richmond Chapter
Tuan Phan
 
DOCX
ISO 27001:2013 Implementation procedure
Uppala Anand
 
PPTX
Introduction to NIST’s Risk Management Framework (RMF)
Donald E. Hester
 
Risk management ISO 27001 Standard
Tharindunuwan9
 
Guide to Risk Management Framework (RMF)
MetroStar
 
NIST presentation on RMF 2.0 / SP 800-37 rev. 2
NetLockSmith
 
Third Party Risk Management
EC-Council
 
SOC 2 presentation. Overview of SOC 2 assessment
Modu9
 
NIST Cybersecurity Framework Intro for ISACA Richmond Chapter
Tuan Phan
 
ISO 27001:2013 Implementation procedure
Uppala Anand
 
Introduction to NIST’s Risk Management Framework (RMF)
Donald E. Hester
 

What's hot (20)

PDF
Information security management system (isms) overview
Julia Urbina-Pineda
 
PDF
ISO 27001:2022 What has changed.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PPT
ISO 27001 Benefits
Dejan Kosutic
 
PPTX
ISO 27001 - Information security user awareness training presentation - part 3
Tanmay Shinde
 
PPTX
Presentation on iso 27001-2013, Internal Auditing and BCM
Shantanu Rai
 
PPTX
ISO 27001 Awareness/TRansition.pptx
Dr Madhu Aman Sharma
 
PDF
ISO 27001_2022 What has changed 2.0 for ISACA.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PDF
A to Z of Information Security Management
Mark Conway
 
PPTX
27001 awareness Training
Dr Madhu Aman Sharma
 
PDF
Cyber Threat Intelligence
seadeloitte
 
PDF
Why ISO27001 For My Organisation
Vigilant Software
 
PDF
Iso27001- Nashwan Mustafa
Fahmi Albaheth
 
PDF
5 BEST PRACTICES FOR A SECURITY OPERATION CENTER (SOC)
Vijilan IT Security solutions
 
PPTX
ISO 27001 - information security user awareness training presentation - Part 1
Tanmay Shinde
 
PPSX
Board and Cyber Security
Leon Fouche
 
PDF
Cybersecurity roadmap : Global healthcare security architecture
Priyanka Aash
 
PDF
Isms awareness presentation
Pranay Kumar
 
DOCX
Iso 27001 2013 Standard Requirements
Uppala Anand
 
PDF
Cyber Resilience – Strengthening Cybersecurity Posture & Preparedness by Phil...
BCM Institute
 
PPT
Risk Assessment Process NIST 800-30
timmcguinness
 
Information security management system (isms) overview
Julia Urbina-Pineda
 
ISO 27001:2022 What has changed.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
ISO 27001 Benefits
Dejan Kosutic
 
ISO 27001 - Information security user awareness training presentation - part 3
Tanmay Shinde
 
Presentation on iso 27001-2013, Internal Auditing and BCM
Shantanu Rai
 
ISO 27001 Awareness/TRansition.pptx
Dr Madhu Aman Sharma
 
ISO 27001_2022 What has changed 2.0 for ISACA.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
A to Z of Information Security Management
Mark Conway
 
27001 awareness Training
Dr Madhu Aman Sharma
 
Cyber Threat Intelligence
seadeloitte
 
Why ISO27001 For My Organisation
Vigilant Software
 
Iso27001- Nashwan Mustafa
Fahmi Albaheth
 
5 BEST PRACTICES FOR A SECURITY OPERATION CENTER (SOC)
Vijilan IT Security solutions
 
ISO 27001 - information security user awareness training presentation - Part 1
Tanmay Shinde
 
Board and Cyber Security
Leon Fouche
 
Cybersecurity roadmap : Global healthcare security architecture
Priyanka Aash
 
Isms awareness presentation
Pranay Kumar
 
Iso 27001 2013 Standard Requirements
Uppala Anand
 
Cyber Resilience – Strengthening Cybersecurity Posture & Preparedness by Phil...
BCM Institute
 
Risk Assessment Process NIST 800-30
timmcguinness
 
Ad

Similar to Iso27001 Risk Assessment Approach (20)

PPTX
MIS: Information Security Management
Jonathan Coleman
 
PPT
Rm
ansulag19
 
PPTX
Gainful Information Security 2012 services
Cade Zvavanjanja
 
PDF
Outsourcing
karlhennessy
 
PPTX
FROM STRATEGY TO ACTION - Vasil Tsvimitidze
DataExchangeAgency
 
PDF
My_notes_part1.pdf
PhilLopez4
 
PDF
Ch07 Managing Risk
phanleson
 
PDF
Risk management by Deepak kumar dwivedi
Em Red
 
PDF
Vskills Certified Network Security Professional Sample Material
Vskills
 
PDF
CISSP Summary V1.1
christianreina
 
PPT
Risk Assessment And Management
vikasraina
 
PDF
CNIT 160: Ch 3c: The Risk Management Life Cycle
Sam Bowne
 
PPTX
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Digital Defense Inc
 
PPTX
Risk Management Methodology - Copy
Rabah Odeh ITIL 5.0-OCP-CISA-PMP-OCP..etc
 
PDF
CNIT 160: Ch 3c: The Risk Management Life Cycle
Sam Bowne
 
KEY
Security architecture for LSE 2009
Vladimir Jirasek
 
PPTX
Cyber Security # Lec 3
Kabul Education University
 
PPTX
Information security management (bel g. ragad)
Rois Solihin
 
PPTX
Information Security By Design
Nalneesh Gaur
 
PDF
Information Security in the Gaming World
Dimitrios Stergiou
 
MIS: Information Security Management
Jonathan Coleman
 
Rm
ansulag19
 
Gainful Information Security 2012 services
Cade Zvavanjanja
 
Outsourcing
karlhennessy
 
FROM STRATEGY TO ACTION - Vasil Tsvimitidze
DataExchangeAgency
 
My_notes_part1.pdf
PhilLopez4
 
Ch07 Managing Risk
phanleson
 
Risk management by Deepak kumar dwivedi
Em Red
 
Vskills Certified Network Security Professional Sample Material
Vskills
 
CISSP Summary V1.1
christianreina
 
Risk Assessment And Management
vikasraina
 
CNIT 160: Ch 3c: The Risk Management Life Cycle
Sam Bowne
 
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Digital Defense Inc
 
Risk Management Methodology - Copy
Rabah Odeh ITIL 5.0-OCP-CISA-PMP-OCP..etc
 
CNIT 160: Ch 3c: The Risk Management Life Cycle
Sam Bowne
 
Security architecture for LSE 2009
Vladimir Jirasek
 
Cyber Security # Lec 3
Kabul Education University
 
Information security management (bel g. ragad)
Rois Solihin
 
Information Security By Design
Nalneesh Gaur
 
Information Security in the Gaming World
Dimitrios Stergiou
 
Ad

Iso27001 Risk Assessment Approach

  • 1. Information Security Management System (ISMS) ISO27001 Risk Assessment Approach March 2012
  • 2. 2 Security Risk Assessment Overview • The first step in risk assessment is the identification of all information assets in the organisation - i.e. of all assets which may Identify & value affect the security of information in the organisation. assets • A value is assigned to each asset in terms of the worst-case impact the loss of confidentiality, integrity or availability of the asset may have on the organisation. This acts as an asset prioritisation Identify threats mechanism, with only higher-value assets being taken through to the next stage. • The next step is to identify all threats and vulnerabilities associated Identify with the higher-value assets identified. Every asset may be vulnerabilities associated with several threats, and every threat may be associated with several vulnerabilities. Assess inherent • The probability of threats exploiting the vulnerabilities is then risk assessed, along with the impact should this occur, based on the assumption that no controls are in place. From this assessment, a pre-control (or inherent) risk score is calculated. Risk with a Identify controls medium to high score is then taken on to the next step. • Existing controls or mitigating factors which reduce the impact or probability of each risk is identified, and the impact and probability Determine scores are reassessed to reflect the impact of these controls residual risk • Risks with scores above the acceptable risk threshold will then be raised on the Information Security risk register, where mitigating Feed into risk actions will be tracked by the Information Security team, and treatment plan reported and escalated.
  • 3. 3 Asset identification Assets are defined as anything which may affect confidentiality, integrity and availability of information in the organisation Identify & value assets • Information e.g. Human resources data, Financial data, Marketing data, Employee passwords, Source code, System documentation, Intellectual property, Data for regulatory Identify threats requirements, Strategic plans, Employee business contact data, Employee personal contact data, Purchase order data, Network infrastructure design, Internal Web sites Identify vulnerabilities • Technology e.g. Servers, Desktop computers, Laptops, Tablet, Smart phones, Server application software, End-user application software, Development Assess inherent tools, Routers, Network switches, PBXs, Removable media, Power risk supplies, Uninterruptible power supplies • Services e.g. E-mail/scheduling, Instant messaging, Active Directory Identify directory service, Domain Name System (DNS), Dynamic Host controls Configuration Protocol (DHCP), Enterprise management tools, File sharing, Storage, Dial-up remote access, Telephony Virtual Private Networking (VPN) access , Collaboration services (for Determine example, Microsoft SharePoint) residual risk • People e.g. Subject matter experts, administrators, developers, third party support, end-users Feed into risk treatment plan
  • 4. 4 Asset Valuation The asset is valued in terms of the impact of total loss of the asset in terms of confidentiality, integrity or availability. Each asset will given a Identify & value assets High, Medium or Low rating as its value. Assets considered High and Medium will be Identify threats Asset Consequence of Loss of CIA Value Loss of confidentiality, availability or integrity has considerable Identify vulnerabilities High and immediate impact on the organisation's cash flow, operations, legal or contractual obligations, or its reputation. Assess inherent risk Loss of confidentiality, availability or integrity incurs additional Medium costs and has a low or moderate impact on legal or contractual obligations, or the organisation's reputation. Identify controls Loss of confidentiality, availability or integrity does not affect the Low organisation's cash flow, operations, legal or contractual Determine obligations, or its reputation. residual risk Feed into risk treatment plan
  • 5. 5 Identify Threats For each asset, what can impact its confidentiality, integrity, or availability? Identify & value assets • Catastrophic incidents e.g. Fire, Flood, Earthquake, Severe storm, Terrorist attack, Civil unrest/riots, Landslide, Industrial accident Identify threats • Mechanical failure e.g. Power outage, Hardware failure, Network outage, Environmental controls failure, Construction accident Identify vulnerabilities • Non-malicious person e.g. Uninformed employee, Uninformed user Assess inherent • Malicious person e.g. "Hacker, cracker", Computer criminal, risk Industrial espionage, Government sponsored espionage, Social engineering, Disgruntled current employee, Disgruntled former Identify employee, Terrorist, Negligent employee, Dishonest employee controls (bribed or victim of blackmail), Malicious mobile code Determine residual risk Feed into risk treatment plan
  • 6. 6 Identify Vulnerabilities For each asset, are there vulnerabilities that can be exploited by the threat? Identify & value assets • Physical e.g. Unlocked doors, Unlocked windows, Walls susceptible to physical assault, Interior walls do not completely seal the room at Identify threats both the ceiling and floor • Hardware e.g. Missing patches, Outdated firmware, Misconfigured Identify systems, Systems not physically secured, Management protocols vulnerabilities allowed over public interfaces Assess inherent • Software e.g. Out of date antivirus software, Missing risk patches, Poorly written applications, Deliberately placed weaknesses, Configuration errors Identify controls • Communications e.g. Unencrypted network protocols, Connections to multiple networks, Unnecessary protocols allowed, No filtering between network segments Determine residual risk • Human e.g. Poorly defined procedures, Stolen credentials Feed into risk treatment plan
  • 7. 7 Determine Risk Probability For each asset/threat/vulnerability combination, determine the probability of the specific risk materialising: Identify & value assets Probability Guidance • History of regular occurrence. Identify threats • The event will occur (recur) Certain • No special skills or determination required; information asset easily available. Identify vulnerabilities Likely • The event will occur (recur) in most circumstances Assess inherent • Has occurred in the past. risk • The event may well occur (recur) at some time Possible • No special skills required except for time and determination. Identify controls Unlikely • The event could occur (recur) at some time Determine • No history of occurrence. residual risk • The event may only happen in exceptional circumstances Rare • High level of technical or social engineering skill and determination required. Feed into risk treatment plan
  • 8. 8 Determine Risk Impact For each asset/threat/vulnerability combination, consider the business impact should the risk materialise: (to be determined per organisation) Identify & value assets Business Impact Characteristics Rating Identify threats For example: Service disruption / failure – > 1 week; Direct financial loss – > 50% PBT / > 10% fall in share price; Business/ reputation Catastrophic impact – e.g. legal action (including custodial sentence) / extensive external media attention / failure to achieve 1 or more corporate Identify objective vulnerabilities For example: Service disruption / failure – 1-5 days; Direct financial loss – 15-50% PBT; Health & safety incident – e.g. fatality / Major Assess inherent permanent disability; Business/ reputation impact – e.g. legal action / risk national attention from media or regulators For example: Service disruption / failure – 1 day; Direct financial loss – 5-15% PBT; Health & safety incident – e.g. fractures / time off; Identify Moderate controls Business/ reputation impact – e.g. legal action / local media or regulatory attention For example: Service disruption – <1 day; Direct financial loss – < 5% Determine Minor PBT; Health & safety incident – e.g. cuts / bruises; Business / residual risk reputation impact – e.g. complaint or legal action For example: Service disruption – none / minor; Direct financial loss Feed into risk Insignificant – negligible; Health & safety incident – none / very minor; Business / treatment plan reputation impact- systems could be improved
  • 9. 9 Security Risk Assessment Overview The inherent risk score is calculated based on the likelihood and impact values selected in the previous section. (to be determined per Identify & value assets organisation) Medium Asset Value Likelihood Identify threats Rare Unlikely Possible Likely Certain Insignificant 1 2 2 3 4 Impact Minor 2 3 5 6 8 Identify vulnerabilities Moderate 2 5 7 9 11 Major 3 6 9 12 15 Catastrophic 4 8 11 15 19 Assess inherent risk High Asset Identify Value Likelihood controls Rare Unlikely Possible Likely Certain Insignificant 1 2 3 4 5 Determine Minor 2 4 6 8 10 Impact residual risk Moderate 3 6 9 12 15 Major 4 8 12 16 20 Feed into risk treatment plan Catastrophic 5 10 15 20 25
  • 10. 10 Identify controls For each risk with a significant risk rating, identify the existing controls and mitigating factors that reduce the likelihood and impact ratings. Identify & value assets Control examples (from ISO27001 Annex A): • Physical security controls e.g. Secure areas, Equipment security Identify threats • IT operations management controls e.g. Network security management, Data backup, Media handling, Anti- Identify malware, Vulnerability management, Auditing/monitoring vulnerabilities • Access controls e.g. access management, O/S access Assess inherent controls, application access controls, network access risk controls, remote access controls Identify • Secure development controls e.g. security requirements, data controls integrity controls, security design, security testing Determine • Business continuity planning residual risk • Employee security controls e.g. Joiners screening, Terms & Conditions, security training , disciplinary procedures, leavers Feed into risk treatment plan access termination, return of assets
  • 11. 11 Determine post control risk Taking into account the effect of the controls and mitigating factors identified, reassess the probability and impact scores to determine the Identify & value assets post-control risk score. In all likelihood, a number of risks will now score below the ‘significant’ risk threshold. Identify threats Where risks still have an above significant score, these will be raised on the Information Security risk register which will be created as part of the Group IT ISMS implementation. Identify vulnerabilities Risk treatment plans will then be recorded and tracked as part of the Information Security risk management process. Assess inherent risk Identify controls Determine residual risk Feed into risk treatment plan