
RISK ASSESSMENT AND RISK TREATMENT METHODOLOGY

Created by: Ahmad Nawaz
Approved by: Ahmad Nawaz

Change history

Date             Version  Created by   Description of change
January 1, 2022  V0.1     Ahmad Nawaz  New status: in progress. Comment: /
January 1, 2022  V0.1     Ahmad Nawaz  New status: in review. Comment: /
January 1, 2022  V0.2     Ahmad Nawaz  New status: in progress. Comment: /
January 1, 2022  V0.2     Ahmad Nawaz  New status: in approval. Comment: /
January 1, 2022  V1       Ahmad Nawaz  New status: approved. Comment: /

1. Purpose, scope and users
The purpose of this document is to define the methodology for assessment and treatment of
information risks in Touchstone, and to define the acceptable level of risk according to the ISO/IEC
27001 standard.

Risk assessment and risk treatment are applied to the entire scope of the Information Security
Management System (ISMS), i.e., to all assets that are used within the organization or which could
have an impact on information security within the ISMS.

Users of this document are all employees of Touchstone who take part in risk assessment and risk
treatment.

2. Reference documents
- ISO/IEC 27001 standard, clauses 6.1.2, 6.1.3, 8.2, and 8.3
- Information Security Policy
- Register of legal, contractual and other requirements
- Statement of Applicability
- Risk Treatment Plan

3. Risk assessment and risk treatment methodology

3.1. Risk assessment

3.1.1. The process
Risk assessment is implemented through the Risk register on the {Please Write What is
appropriate}. The risk assessment and treatment process is coordinated by the Security Officer,
identification of threats and vulnerabilities is performed by asset owners, and assessment of impact
and likelihood is also performed by asset owners.

3.1.2. Assets, vulnerabilities and threats

The first step in risk assessment is the identification of all assets in the ISMS scope – i.e., of all
assets that may affect the confidentiality, integrity, and availability of information in the organization.
Assets may include documents and data in paper, electronic, or other forms, software and
databases, human resources, IT and communication equipment, infrastructure, and third-party
services. When identifying assets, it is also necessary to identify their owners – the person or
organizational unit responsible for each asset.

The next step is to identify all threats and vulnerabilities associated with each asset. Threats and
vulnerabilities are identified using catalogues provided in the Risk register. Every asset may be
associated with several vulnerabilities, and every vulnerability may be associated with several
threats.

3.1.3. Determining the risk owners

For each risk, a risk owner has to be identified – the person or organizational unit responsible for
each risk.

3.1.4. Impact and likelihood

Asset owners must assess consequences for each combination of threats and vulnerabilities for an
individual asset if such a risk materializes:

Low impact       0  Loss of confidentiality, availability, or integrity does not affect the organization's
                    cash flow, legal or contractual obligations, or its reputation.
Moderate impact  1  Loss of confidentiality, availability, or integrity incurs costs and has a low or
                    moderate impact on legal or contractual obligations, or the organization's reputation.
High impact      2  Loss of confidentiality, availability, or integrity has considerable and/or immediate
                    impact on the organization's cash flow, operations, legal or contractual obligations,
                    or its reputation.

After the assessment of consequences, it is necessary to assess the likelihood of occurrence of
such a risk, i.e., the probability that a threat will exploit the vulnerability of the respective asset:

Low likelihood       0  Existing security controls are strong and have so far provided an adequate level
                        of protection. No new incidents are expected in the future.
Moderate likelihood  1  Existing security controls are moderate and have mostly provided an adequate
                        level of protection. New incidents are possible, but not highly likely.
High likelihood      2  Existing security controls are low or ineffective. Such incidents have a high
                        likelihood of occurring in the future.

By entering the values of impact and likelihood into the Risk register, the level of risk is calculated
automatically by adding up the two values.

3.2. Risk acceptance criteria

Values 0, 1, and 2 are acceptable risks, while values 3 and 4 are unacceptable risks. Unacceptable
risks must be treated.

3.3. Risk treatment

One or more treatment options must be selected for risks valued at 3 and 4:

1. Selection of security controls, or controls from Annex A of the ISO/IEC 27001 standard, or
some other security controls
2. Transferring the risks to a third party – e.g., by purchasing an insurance policy or signing a
contract with suppliers or partners
3. Avoiding the risk by discontinuing a business activity that causes such risk
4. Accepting the risk – this option is allowed only if the selection of other risk treatment options
would cost more than the potential impact should such risk materialize

The selection of options is implemented through the Risk register. Usually, option 1 is selected:
selection of one or more security controls.

The treatment of risks related to outsourced processes must be addressed through the contracts
with responsible third parties.

In the case of option 1 (selection of security controls), a new value of impact and likelihood is
automatically calculated in the Risk register based on the selected controls, in order to show the
effectiveness of the planned controls - this is called "residual risk".
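The scoring rules of sections 3.1.4, 3.2 and 3.3 (risk level = impact + likelihood, levels 0-2 acceptable, 3-4 treated, residual risk after controls) as an added, runnable Python example; this is illustrative code, not the organization's Risk register. The document does not state how the register derives residual impact and likelihood from selected controls, so the per-control reductions below are an assumption, and the register entries are constructed samples.

```python
"""Minimal risk register applying the methodology's scoring rules (added example)."""
from dataclasses import dataclass, field

IMPACT = {"low": 0, "moderate": 1, "high": 2}        # section 3.1.4 impact scale
LIKELIHOOD = {"low": 0, "moderate": 1, "high": 2}    # section 3.1.4 likelihood scale
ACCEPTABLE_MAX = 2   # section 3.2: 0, 1, 2 acceptable; 3, 4 must be treated
TREATMENT_OPTIONS = {1: "select security controls", 2: "transfer to third party",
                     3: "avoid the activity", 4: "accept the risk"}  # section 3.3

@dataclass
class Control:
    # ASSUMPTION: each control lowers impact and/or likelihood by a fixed amount.
    name: str
    impact_reduction: int = 0
    likelihood_reduction: int = 0

@dataclass
class Risk:
    asset: str
    vulnerability: str
    threat: str
    impact: int
    likelihood: int
    owner: str                     # risk owner, section 3.1.3
    controls: list = field(default_factory=list)

def risk_level(impact, likelihood):
    """Risk level is the sum of the two values; each must be 0, 1 or 2."""
    if impact not in (0, 1, 2) or likelihood not in (0, 1, 2):
        raise ValueError("impact and likelihood must be 0, 1 or 2")
    return impact + likelihood

def is_acceptable(level):
    return level <= ACCEPTABLE_MAX

def residual(risk):
    """Residual impact, likelihood and level after the selected controls (option 1)."""
    imp = max(0, risk.impact - sum(c.impact_reduction for c in risk.controls))
    lik = max(0, risk.likelihood - sum(c.likelihood_reduction for c in risk.controls))
    return imp, lik, risk_level(imp, lik)

def assess(register):
    """Evaluate every register entry: inherent level, treatment flag, residual level."""
    rows = []
    for r in register:
        inherent = risk_level(r.impact, r.likelihood)
        _, _, res = residual(r)
        rows.append({"asset": r.asset, "threat": r.threat, "owner": r.owner,
                     "inherent": inherent, "needs_treatment": not is_acceptable(inherent),
                     "residual": res, "residual_acceptable": is_acceptable(res)})
    return rows

SAMPLE_REGISTER = [  # constructed sample entries, not real assessment data
    Risk("Customer database", "unpatched DBMS", "exploitation of a known flaw", 2, 2, "Head of IT",
         [Control("monthly patching", likelihood_reduction=1),
          Control("tested offline backups", impact_reduction=1)]),
    Risk("HR paper files", "unlocked cabinet", "unauthorised disclosure", 1, 1, "HR manager"),
]
```

Running `assess(SAMPLE_REGISTER)` shows the database risk at inherent level 4 (must be treated) dropping to an acceptable residual level of 2, while the paper-files risk at level 2 needs no treatment.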

3.4. Regular reviews of risk assessment and risk treatment

Risk owners must review existing risks and require the Security Officer to update the Risk register
in line with newly identified risks. The review is conducted at least once a year, or more frequently in
the case of significant organizational changes, significant changes in technology, a change in
business objectives, changes in the business environment, or any other change that can impact the
ISMS.

3.5. Statement of Applicability and Risk Treatment Plan

The Security Officer must document the following in the Statement of Applicability: the justification
for each applicable and non-applicable control from Annex A of the ISO/IEC 27001 standard, and
the controls that were implemented prior to the ISO 27001 project; all other information is filled out
automatically by the {Please Write What is appropriate}.

Risk owners must decide whether or not they accept each residual risk in the Risk register.

The Security Officer will prepare the Risk treatment plan, in which the implementation of controls will
be planned. The top management needs to approve the required resources for the execution of the
plan, while risk owners must approve the whole Risk treatment plan.

3.6. Reporting

The results of risk assessment and risk treatment, as well as the results of all of the subsequent
reviews, will be automatically generated through the {Please Write What is appropriate} and made
available in the Risk Assessment and Treatment Report.

The Security Officer will monitor the progress of implementation of the Risk Treatment Plan and
report the results to the Head of IT department monthly.

4. Managing records kept on the basis of this document

Record name: Risk register
  Storage location: {Please Write What is appropriate}
  Person responsible for storage: Security Officer
  Control for record protection: Only Security Officer has the right to make entries into and
  changes to the Risk register.
  Retention time: Data is stored permanently.

Record name: Risk assessment and treatment report
  Storage location: {Please Write What is appropriate}
  Person responsible for storage: The created report is automatically stored by the
  {Please Write What is appropriate} once created.
  Control for record protection: The report is kept on the {Please Write What is appropriate}
  and exported in read-only PDF format.
  Retention time: The report is stored for a period of 3 years.

Record name: Statement of Applicability module
  Storage location: {Please Write What is appropriate}
  Person responsible for storage: Security Officer
  Control for record protection: Only Security Officer has the right to make entries into and
  changes to the Statement of Applicability module.
  Retention time: Older versions of the SoA are stored permanently in PDF form.

Record name: Risk Treatment Plan
  Storage location: {Please Write What is appropriate}
  Person responsible for storage: The created Risk Treatment Plan is automatically stored by
  the {Please Write What is appropriate} once created.
  Control for record protection: Only Security Officer has the right to make entries into and
  changes to the Risk Treatment Plan.
  Retention time: Older versions of the Risk treatment plan are stored for a period of 3 years.

Only Security Officer can grant other employees access to any of the above-mentioned documents.

5. Validity and document management

This document is valid as of January 1, 2022.

The owner of this document is the head of compliance, who must check and, if necessary, update
the document at least every 6 months, before the regular review of the existing risk assessment.
