Risk Assessment for Information Security Management Systems

As the person responsible for information security within your organisation, whether you are the owner, the CEO, the Chief Training Officer or the Information Security Officer, you should begin by acquiring a copy of the ISO/IEC 27002 code of practice. This code of practice is a risk management standard that gives an overview of the principles of ensuring the confidentiality, integrity and accessibility of your company data.

Involve your Team
Initiate the first round of discussions with your employees at all levels and perform information security profiling within your organisation.

Define the Scope of your Implementation
ISMS stands for Information Security Management System. At the outset it is important to define its scope: whether it covers one layer of your company, a department, a floor or even a single process.

Get Started with a Risk Assessment
Define the risk assessment approach. You may want to take a look at ISO/IEC 27005, a part of the 2700x standard series that is specifically focused on risk assessment.

Identify your Information Assets
Define both the tangible and intangible assets within the field of your ISMS. These assets can be people and buildings and everything else in between.

Assess the Risk to the Assets
Perform a risk assessment exercise for the various assets within the scope of your Information Security Management System. This involves identifying the relevant threats to each asset, identifying the vulnerabilities of the asset to each threat, and estimating the impact of the threat and the probability of the threat becoming a reality.

Design a Risk Management Strategy
The relationship between an asset and a threat is considered a risk. Select controls from ISO/IEC 27001 that hedge against the identified risks. Guidelines on the implementation of these controls are in ISO/IEC 27002. You may also need to define your own specific controls.

Obtain the results of the Risk Assessment required by the standard ISO/IEC 27001
The most important report is the SOA report or the Statement of Applicability, which should display the information security risk within the scope.
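As an added example (not part of the original article or of Stiki's own tooling), the following Python script carries the steps above through a small constructed risk register: each asset/threat pair is scored, compared against an acceptance threshold, and the result is rolled up into a Statement of Applicability. The 1-5 scales, the impact x likelihood scoring, the threshold of 8 and the control names are all assumptions chosen for illustration, not values taken from ISO/IEC 27001 or 27005.

```python
from dataclasses import dataclass

# Assumption for this example: risks scoring at or above this need treatment.
RISK_ACCEPTANCE_THRESHOLD = 8


@dataclass
class Risk:
    asset: str          # tangible or intangible asset inside the ISMS scope
    threat: str         # threat relevant to that asset
    vulnerability: str  # weakness that lets the threat act on the asset
    impact: int         # 1 (negligible) .. 5 (severe), assumed scale
    likelihood: int     # 1 (rare) .. 5 (almost certain), assumed scale
    control: str        # hypothetical control name chosen by the organisation

    def __post_init__(self):
        # Reject ratings outside the agreed scale so the register stays comparable.
        for name in ("impact", "likelihood"):
            if not 1 <= getattr(self, name) <= 5:
                raise ValueError(f"{name} must be between 1 and 5 for {self.asset}")

    def score(self) -> int:
        # The asset/threat relationship is the risk; scored as impact x likelihood.
        return self.impact * self.likelihood


def assess(risks):
    """Return one register row per risk with its score and treatment decision."""
    rows = []
    for r in risks:
        decision = "treat" if r.score() >= RISK_ACCEPTANCE_THRESHOLD else "accept"
        rows.append({"asset": r.asset, "threat": r.threat, "score": r.score(),
                     "decision": decision, "control": r.control})
    return rows


def statement_of_applicability(rows):
    """Map each candidate control to whether it applies and which risks justify it."""
    soa = {}
    for row in rows:
        entry = soa.setdefault(row["control"], {"applicable": False, "justification": []})
        if row["decision"] == "treat":
            entry["applicable"] = True
            entry["justification"].append(f"{row['asset']} / {row['threat']}")
    return soa


# Constructed sample register; all values are illustrative.
RISKS = [
    Risk("Customer database", "Ransomware", "Unpatched server", 5, 3, "Malware protection"),
    Risk("Office building", "Fire", "No sprinkler system", 4, 1, "Physical protection"),
    Risk("Staff laptops", "Theft", "No disk encryption", 3, 3, "Cryptography"),
    Risk("Public website", "Defacement", "Weak admin password", 2, 2, "Access control"),
]
```

Running `statement_of_applicability(assess(RISKS))` marks "Malware protection" and "Cryptography" as applicable with their justifying risks, while the two accepted risks leave their controls marked not applicable.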

Training and Awareness
Develop a customised and focused information security training program to build awareness of information security for everybody in your company.

Get ready for Business Continuity planning
The risk assessment is only one of three steps required for a full implementation of ISO/IEC 27001. The other two are business continuity planning and the development of an organisational manual covering procedures, processes and policies.

This information was provided by Svana Helen Bjornsdottir, ISO/IEC 27001 Lead Auditor and CEO of Stiki Information Security.

To find out in more detail about implementing risk management visit www.riskmanagementstudio.com

Russell
