WEBVTT 00:00:04.790 --> 00:00:07.839 [Music] 00:00:07.839 --> 00:00:10.639 What is information security risk? 00:00:10.639 --> 00:00:12.719 Information security risk is simply a 00:00:12.719 --> 00:00:14.639 combination of the impact that could 00:00:14.639 --> 00:00:16.880 result from a threat compromising one of 00:00:16.880 --> 00:00:19.600 your important information assets and 00:00:19.600 --> 00:00:22.000 the likelihood of this happening. 00:00:22.000 --> 00:00:25.519 Risk Management In ISO 27001 00:00:25.519 --> 00:00:28.800 ISO 27001 requires that you implement a 00:00:28.800 --> 00:00:31.279 management system to help you manage the 00:00:31.279 --> 00:00:33.440 security of your important information 00:00:33.440 --> 00:00:34.480 assets. 00:00:34.480 --> 00:00:36.480 The backbone of this is formed from the 00:00:36.480 --> 00:00:38.480 need to develop and implement an 00:00:38.480 --> 00:00:40.960 appropriate and effective information 00:00:40.960 --> 00:00:44.640 security risk management methodology. 00:00:44.640 --> 00:00:48.079 ISO 27001 Risk Management 00:00:48.079 --> 00:00:50.079 You should develop and implement a risk 00:00:50.079 --> 00:00:52.000 management methodology which allows you 00:00:52.000 --> 00:00:54.399 to identify your important information 00:00:54.399 --> 00:00:57.120 assets and to determine why they need 00:00:57.120 --> 00:00:58.640 protecting. 00:00:58.640 --> 00:01:00.640 It is important to note here that when 00:01:00.640 --> 00:01:03.199 information security is mentioned, people 00:01:03.199 --> 00:01:04.920 immediately start thinking about 00:01:04.920 --> 00:01:07.280 confidentiality aspects, but the 00:01:07.280 --> 00:01:10.320 availability and integrity aspects also 00:01:10.320 --> 00:01:12.640 need to be taken into consideration 00:01:12.640 --> 00:01:14.799 as these are important components of 00:01:14.799 --> 00:01:17.119 information security. 
00:01:17.119 --> 00:01:19.040 Once this has been achieved, your 00:01:19.040 --> 00:01:21.360 methodology needs to be able to identify 00:01:21.360 --> 00:01:23.920 the likelihood of something going wrong 00:01:23.920 --> 00:01:26.080 and what can be done to mitigate this 00:01:26.080 --> 00:01:27.040 risk. 00:01:27.040 --> 00:01:29.840 In a nutshell, it enables you to quantify 00:01:29.840 --> 00:01:31.920 the impact and the likelihood elements 00:01:31.920 --> 00:01:34.640 of information security risk and then go 00:01:34.640 --> 00:01:38.079 on to do something about it. 00:01:38.079 --> 00:01:42.640 ISO 27001 Risk Management Framework 00:01:42.640 --> 00:01:44.720 There are several discrete stages of an 00:01:44.720 --> 00:01:48.720 ISO 27001 risk management methodology. 00:01:48.720 --> 00:01:50.240 First of all, it is important to 00:01:50.240 --> 00:01:52.159 understand the information security 00:01:52.159 --> 00:01:54.720 context of your organization. 00:01:54.720 --> 00:01:56.719 Once this has been achieved, you can 00:01:56.719 --> 00:01:59.200 perform a risk assessment which includes 00:01:59.200 --> 00:02:01.840 the need to identify your risks, 00:02:01.840 --> 00:02:04.880 analyze them, and evaluate them. 00:02:04.880 --> 00:02:06.880 You then need to determine a suitable 00:02:06.880 --> 00:02:08.399 treatment for the risks you have 00:02:08.399 --> 00:02:10.639 assessed and then implement that 00:02:10.639 --> 00:02:11.840 treatment. 00:02:11.840 --> 00:02:14.480 It is vitally important that you do not 00:02:14.480 --> 00:02:17.040 see this as a one-off exercise. 00:02:17.040 --> 00:02:18.879 Your risk management methodology should 00:02:18.879 --> 00:02:21.040 be designed to be iterative. 
00:02:21.040 --> 00:02:23.200 This enables you to not only review the 00:02:23.200 --> 00:02:25.280 status of risks you have previously 00:02:25.280 --> 00:02:28.000 identified, taking into consideration any 00:02:28.000 --> 00:02:30.879 potential changes in context, but it also 00:02:30.879 --> 00:02:34.160 enables you to identify new risks. 00:02:34.160 --> 00:02:36.160 The high level stages of a risk 00:02:36.160 --> 00:02:38.239 management methodology, as described 00:02:38.239 --> 00:02:40.160 above, should be thought of as a 00:02:40.160 --> 00:02:42.640 framework that enables risk management 00:02:42.640 --> 00:02:44.800 to be embedded within key processes 00:02:44.800 --> 00:02:46.959 throughout your organization 00:02:46.959 --> 00:02:49.040 so that any identified risks are 00:02:49.040 --> 00:02:50.560 comparable. 00:02:50.560 --> 00:02:54.480 ISO 27001 Risk Management Context 00:02:54.480 --> 00:02:56.239 The first stage of your risk management 00:02:56.239 --> 00:02:58.560 methodology needs to identify what is 00:02:58.560 --> 00:03:00.720 important to you or your organization 00:03:00.720 --> 00:03:02.640 from an information security point of 00:03:02.640 --> 00:03:03.760 view. 00:03:03.760 --> 00:03:06.959 line:1 ISO 27001 requires you to determine the 00:03:06.959 --> 00:03:09.280 line:1 context of your organization. 00:03:09.280 --> 00:03:10.959 Part of which means that you need to be 00:03:10.959 --> 00:03:12.640 able to identify the information 00:03:12.640 --> 00:03:15.200 security related issues that you face 00:03:15.200 --> 00:03:17.680 along with who the internal and external 00:03:17.680 --> 00:03:20.000 interested parties are and what their 00:03:20.000 --> 00:03:22.560 needs and expectations are. 00:03:22.560 --> 00:03:24.799 line:1 It is important to also understand what 00:03:24.799 --> 00:03:27.440 line:1 your risk appetite is at this stage as 00:03:27.440 --> 00:03:30.400 line:1 we will need this information later. 
00:03:30.400 --> 00:03:32.239 line:1 Once you have done this, you are able to 00:03:32.239 --> 00:03:34.239 line:1 determine what is important about the 00:03:34.239 --> 00:03:36.319 line:1 different information assets under your 00:03:36.319 --> 00:03:37.680 control. 00:03:37.680 --> 00:03:41.440 ISO 27001 Risk Management What Is Risk 00:03:41.440 --> 00:03:43.519 Appetite? 00:03:43.519 --> 00:03:45.920 Risk appetite is simply the amount and 00:03:45.920 --> 00:03:48.239 type of risk you are willing to accept 00:03:48.239 --> 00:03:49.519 or retain 00:03:49.519 --> 00:03:51.760 in order to allow business operations to 00:03:51.760 --> 00:03:53.120 proceed. 00:03:53.120 --> 00:03:55.120 line:1 This is important because too much 00:03:55.120 --> 00:03:57.280 line:1 security can sometimes compromise your 00:03:57.280 --> 00:04:00.560 line:1 operational viability, whereas too little 00:04:00.560 --> 00:04:02.239 line:1 will reduce the confidence of your 00:04:02.239 --> 00:04:04.000 line:1 stakeholders. 00:04:04.000 --> 00:04:06.080 Some types of organizations are willing 00:04:06.080 --> 00:04:08.720 to accept more risk than others. 00:04:08.720 --> 00:04:10.799 For example, a hedge fund manager is 00:04:10.799 --> 00:04:12.879 likely to take more risk in order to 00:04:12.879 --> 00:04:15.200 make greater profits over a short space 00:04:15.200 --> 00:04:18.160 of time, whereas a pension fund manager 00:04:18.160 --> 00:04:20.639 generally prefers a less risky, steady 00:04:20.639 --> 00:04:22.960 growth approach. 00:04:22.960 --> 00:04:26.880 ISO 27001 Risk Assessment Methodology 00:04:26.880 --> 00:04:28.960 Risk Identification 00:04:28.960 --> 00:04:31.199 Once you have determined the context, you 00:04:31.199 --> 00:04:32.960 can go ahead and conduct a risk 00:04:32.960 --> 00:04:34.160 assessment. 00:04:34.160 --> 00:04:36.000 The first part of a risk assessment is 00:04:36.000 --> 00:04:38.720 to identify the risks that you face. 
00:04:38.720 --> 00:04:40.479 This can be broken down into three 00:04:40.479 --> 00:04:42.639 elements. The first element is to 00:04:42.639 --> 00:04:45.360 identify your information assets. An 00:04:45.360 --> 00:04:47.280 information asset is any information 00:04:47.280 --> 00:04:49.120 that has value to you. 00:04:49.120 --> 00:04:50.720 There are several different ways to 00:04:50.720 --> 00:04:53.199 calculate the value of an asset but it 00:04:53.199 --> 00:04:55.120 is important that you not only consider 00:04:55.120 --> 00:04:56.800 the confidentiality needs of the 00:04:56.800 --> 00:04:59.680 information, but also the integrity and 00:04:59.680 --> 00:05:02.160 availability requirements. 00:05:02.160 --> 00:05:03.600 The second element of risk 00:05:03.600 --> 00:05:06.320 identification is threat analysis. You 00:05:06.320 --> 00:05:08.160 need to have a process which enables you 00:05:08.160 --> 00:05:10.400 to identify all of the threats which are 00:05:10.400 --> 00:05:11.919 applicable to the assets you have 00:05:11.919 --> 00:05:13.520 identified. 00:05:13.520 --> 00:05:15.600 If a particular threat is applicable 00:05:15.600 --> 00:05:17.680 then it is also a good idea to think 00:05:17.680 --> 00:05:19.840 about how probable it is that the threat 00:05:19.840 --> 00:05:21.520 will materialize. 00:05:21.520 --> 00:05:23.600 For example, if you use Windows based 00:05:23.600 --> 00:05:25.360 computer systems which are connected 00:05:25.360 --> 00:05:27.840 somehow to the internet, the probability 00:05:27.840 --> 00:05:30.000 of them being affected by a virus is 00:05:30.000 --> 00:05:32.400 probably very high if you do nothing to 00:05:32.400 --> 00:05:33.440 stop it. 
00:05:33.440 --> 00:05:35.280 Whereas if you are using an Apple Mac 00:05:35.280 --> 00:05:37.520 which is never connected to the internet, 00:05:37.520 --> 00:05:40.479 the probability is very low. 00:05:40.479 --> 00:05:42.720 The third element of risk identification 00:05:42.720 --> 00:05:44.400 is the need to determine if there are 00:05:44.400 --> 00:05:46.160 any vulnerabilities that would allow a 00:05:46.160 --> 00:05:48.320 threat that you have identified to cause 00:05:48.320 --> 00:05:50.639 an impact on your asset. 00:05:50.639 --> 00:05:52.479 To carry on with the example we have 00:05:52.479 --> 00:05:54.960 just used, if you have an antivirus 00:05:54.960 --> 00:05:57.520 system installed and running on your 00:05:57.520 --> 00:06:00.240 internet-connected Windows computers, you 00:06:00.240 --> 00:06:02.080 are less vulnerable to this particular 00:06:02.080 --> 00:06:04.960 threat than if you didn't. 00:06:04.960 --> 00:06:08.880 ISO 27001 Risk Assessment Methodology 00:06:08.880 --> 00:06:11.039 Risk Analysis 00:06:11.039 --> 00:06:13.120 One of the useful aspects of the output 00:06:13.120 --> 00:06:15.440 from an effective risk assessment is the 00:06:15.440 --> 00:06:18.560 ability to prioritize your risks. This is 00:06:18.560 --> 00:06:20.639 important as you may not have sufficient 00:06:20.639 --> 00:06:22.960 resources to fully mitigate every risk 00:06:22.960 --> 00:06:24.800 that you identify. 00:06:24.800 --> 00:06:26.479 This means that it is important to 00:06:26.479 --> 00:06:28.800 somehow quantify your risks. 00:06:28.800 --> 00:06:31.600 To do this we need to know two things: 00:06:31.600 --> 00:06:33.520 first, how much of an impact would be 00:06:33.520 --> 00:06:36.319 felt if a compromise occurred, and second, 00:06:36.319 --> 00:06:38.319 what is the likelihood of that threat 00:06:38.319 --> 00:06:39.680 occurring. 00:06:39.680 --> 00:06:42.000 One good idea is to use a set of scales 00:06:42.000 --> 00:06:44.720 to record values in these 
areas. 00:06:44.720 --> 00:06:47.520 For example, using a scale of one to five 00:06:47.520 --> 00:06:49.680 we could say how impactful it would be 00:06:49.680 --> 00:06:51.840 if the confidentiality of an asset were 00:06:51.840 --> 00:06:53.039 breached. 00:06:53.039 --> 00:06:54.960 Clearly, breaches of confidentiality 00:06:54.960 --> 00:06:56.960 would cause a greater impact for some 00:06:56.960 --> 00:07:00.400 assets, for example HR records, than 00:07:00.400 --> 00:07:03.520 others, like the staff canteen menu. 00:07:03.520 --> 00:07:05.680 A second one to five scale could be used 00:07:05.680 --> 00:07:07.680 to determine the likelihood of a breach 00:07:07.680 --> 00:07:09.759 occurring, and we would take into 00:07:09.759 --> 00:07:11.120 consideration the threat and 00:07:11.120 --> 00:07:13.280 vulnerability information we spoke about 00:07:13.280 --> 00:07:16.400 earlier in order to do this. 00:07:16.400 --> 00:07:20.160 ISO 27001 Risk Assessment Methodology 00:07:20.160 --> 00:07:22.160 Risk Evaluation 00:07:22.160 --> 00:07:24.400 Risk evaluation is a relatively simple 00:07:24.400 --> 00:07:26.720 process as it requires you to identify 00:07:26.720 --> 00:07:28.400 whether or not the risk that you have 00:07:28.400 --> 00:07:32.080 identified is above or below appetite. 00:07:32.080 --> 00:07:34.000 To do this, the first thing we need to do 00:07:34.000 --> 00:07:36.000 is calculate the value of the risk, which 00:07:36.000 --> 00:07:38.160 simply means multiplying the impact and 00:07:38.160 --> 00:07:40.880 likelihood values together. 00:07:40.880 --> 00:07:42.880 We have a range of possible values which 00:07:42.880 --> 00:07:45.280 result from multiplying the two one to 00:07:45.280 --> 00:07:47.599 five scales together. 00:07:47.599 --> 00:07:49.520 The appetite is stated within the 00:07:49.520 --> 00:07:51.680 methodology as a particular value on the 00:07:51.680 --> 00:07:53.680 five by five matrix. 00:07:53.680 --> 00:07:56.160 If a particular risk is 
above this value 00:07:56.160 --> 00:07:58.479 then it is above appetite, which means 00:07:58.479 --> 00:08:00.000 that it can then be flagged for 00:08:00.000 --> 00:08:01.120 treatment. 00:08:01.120 --> 00:08:03.919 Anything below appetite can be accepted 00:08:03.919 --> 00:08:07.120 and monitored for change. 00:08:07.120 --> 00:08:11.599 ISO 27001 Risk Treatment Methodology 00:08:11.599 --> 00:08:13.520 Your risk management methodology needs 00:08:13.520 --> 00:08:15.759 to include a methodology for determining 00:08:15.759 --> 00:08:17.840 the most appropriate treatment for the 00:08:17.840 --> 00:08:20.240 risks that you have identified. 00:08:20.240 --> 00:08:22.080 There are four possible treatments to 00:08:22.080 --> 00:08:25.520 choose from. These are accept, reduce, 00:08:25.520 --> 00:08:26.400 transfer 00:08:26.400 --> 00:08:27.840 and avoid. 00:08:27.840 --> 00:08:29.759 You may come across different terms used 00:08:29.759 --> 00:08:31.759 for these, such as tolerate, treat, 00:08:31.759 --> 00:08:34.399 transfer and terminate. This example is 00:08:34.399 --> 00:08:37.039 known as the four Ts. However, they take 00:08:37.039 --> 00:08:39.760 the same approach. 00:08:39.760 --> 00:08:43.519 ISO 27001 Risk Treatment Methodology 00:08:43.519 --> 00:08:46.640 Accept or Tolerate 00:08:46.640 --> 00:08:48.399 One of the four treatments provides you 00:08:48.399 --> 00:08:50.959 with the ability to accept risk. 00:08:50.959 --> 00:08:52.560 We have already seen that this is 00:08:52.560 --> 00:08:54.240 possible as it is likely that you will 00:08:54.240 --> 00:08:56.320 simply accept risks that are below 00:08:56.320 --> 00:08:57.600 appetite. 00:08:57.600 --> 00:08:59.600 However, you can also make an informed 00:08:59.600 --> 00:09:01.920 decision to accept risks in certain 00:09:01.920 --> 00:09:04.160 circumstances, such as where there is a 00:09:04.160 --> 00:09:06.080 legal requirement preventing you from 00:09:06.080 --> 00:09:08.320 taking the desired action or 
you have 00:09:08.320 --> 00:09:11.120 insufficient resources to do so. 00:09:11.120 --> 00:09:12.880 These cases should be few and far 00:09:12.880 --> 00:09:14.480 between though, and should always be 00:09:14.480 --> 00:09:16.560 approved by appropriate management and 00:09:16.560 --> 00:09:19.600 regularly reviewed. 00:09:19.600 --> 00:09:23.360 ISO 27001 Risk Treatment Methodology 00:09:23.360 --> 00:09:25.760 Reduce or Treat 00:09:25.760 --> 00:09:27.839 The second treatment option is to reduce 00:09:27.839 --> 00:09:29.360 or treat the risk. 00:09:29.360 --> 00:09:31.120 This is done through the implementation 00:09:31.120 --> 00:09:32.560 of controls. 00:09:32.560 --> 00:09:35.720 ISO 27001 provides you with a list of 00:09:35.720 --> 00:09:38.560 114 best practice controls that can be 00:09:38.560 --> 00:09:40.480 used to mitigate the risks that you have 00:09:40.480 --> 00:09:42.080 identified. 00:09:42.080 --> 00:09:43.920 These can be used in combination in 00:09:43.920 --> 00:09:46.080 order to increase their effectiveness, 00:09:46.080 --> 00:09:47.920 and of course you can also add controls 00:09:47.920 --> 00:09:50.080 of your own that do not appear in ISO 00:09:50.080 --> 00:09:53.040 27001. 00:09:53.040 --> 00:09:56.560 ISO 27001 Risk Treatment Methodology 00:09:56.560 --> 00:09:58.240 Transfer 00:09:58.240 --> 00:10:00.080 The third risk treatment option is to 00:10:00.080 --> 00:10:01.760 transfer the risk. 00:10:01.760 --> 00:10:03.839 The transfer option involves the use of 00:10:03.839 --> 00:10:06.000 third parties to help you mitigate your 00:10:06.000 --> 00:10:07.040 risks. 00:10:07.040 --> 00:10:08.720 You could do this, for example, by 00:10:08.720 --> 00:10:10.800 offloading some of the financial impact 00:10:10.800 --> 00:10:13.120 of something going wrong by taking out 00:10:13.120 --> 00:10:15.200 an insurance policy. 00:10:15.200 --> 00:10:16.640 Another way of doing this is to 00:10:16.640 --> 00:10:18.320 outsource the responsibility for 
00:10:18.320 --> 00:10:20.160 implementing and operating technical 00:10:20.160 --> 00:10:22.560 controls to a third party such as an IT 00:10:22.560 --> 00:10:24.560 managed service provider. 00:10:24.560 --> 00:10:26.320 It is important to note here that 00:10:26.320 --> 00:10:28.399 although responsibility for financial 00:10:28.399 --> 00:10:30.560 impact or the management of operational 00:10:30.560 --> 00:10:33.279 controls can be transferred to a third 00:10:33.279 --> 00:10:36.399 party, the accountability associated with 00:10:36.399 --> 00:10:38.160 the risk cannot. 00:10:38.160 --> 00:10:39.920 In other words, you will still be held 00:10:39.920 --> 00:10:42.160 accountable by your stakeholders if 00:10:42.160 --> 00:10:44.880 something goes wrong. 00:10:44.880 --> 00:10:48.800 ISO 27001 Risk Treatment Methodology 00:10:48.800 --> 00:10:51.519 Avoid or Terminate 00:10:51.519 --> 00:10:53.440 The fourth risk treatment option is to 00:10:53.440 --> 00:10:55.440 simply avoid the risk. 00:10:55.440 --> 00:10:57.200 As we have discussed before, there are 00:10:57.200 --> 00:11:00.160 three component parts to risk: the impact 00:11:00.160 --> 00:11:02.160 felt by the organization following a 00:11:02.160 --> 00:11:04.320 breach of confidentiality, integrity or 00:11:04.320 --> 00:11:07.279 availability for an information asset, 00:11:07.279 --> 00:11:09.760 a threat that could cause this impact, 00:11:09.760 --> 00:11:11.680 and a vulnerability that would allow it 00:11:11.680 --> 00:11:13.200 to do so. 00:11:13.200 --> 00:11:15.920 It is possible to avoid risk completely 00:11:15.920 --> 00:11:18.160 by eliminating one or more of these 00:11:18.160 --> 00:11:19.519 three elements. 00:11:19.519 --> 00:11:21.519 However, it is unlikely that we would be 00:11:21.519 --> 00:11:24.240 able to completely remove all threats or 00:11:24.240 --> 00:11:26.959 all vulnerabilities, which leaves us only 00:11:26.959 --> 00:11:29.440 with one viable option, which is to 00:11:29.440 --> 
00:11:31.519 remove the impact. 00:11:31.519 --> 00:11:33.920 This is done by removing the asset or 00:11:33.920 --> 00:11:35.680 stopping the processes that are 00:11:35.680 --> 00:11:38.560 associated with the identified risk. 00:11:38.560 --> 00:11:40.399 For example, to avoid the risks 00:11:40.399 --> 00:11:42.480 associated with the taking of credit 00:11:42.480 --> 00:11:43.839 card payments, 00:11:43.839 --> 00:11:46.240 remove that process and only deal in 00:11:46.240 --> 00:11:47.279 cash. 00:11:47.279 --> 00:11:49.440 There are obvious issues associated with 00:11:49.440 --> 00:11:52.000 taking this approach as it is unlikely 00:11:52.000 --> 00:11:54.079 to be looked upon too favorably by your 00:11:54.079 --> 00:11:56.639 stakeholders, especially if the process 00:11:56.639 --> 00:11:58.560 is revenue generating. 00:11:58.560 --> 00:12:00.560 This is the reason why this particular 00:12:00.560 --> 00:12:03.120 risk treatment methodology is rarely 00:12:03.120 --> 00:12:05.120 used. 00:12:05.120 --> 00:12:08.839 ISO 27001 Risk Treatment Methodology 00:12:08.839 --> 00:12:12.079 Controls The most common option chosen 00:12:12.079 --> 00:12:14.880 to treat risks, other than maybe accept 00:12:14.880 --> 00:12:17.920 in more mature ISMSs, is to reduce the 00:12:17.920 --> 00:12:19.279 risk. 00:12:19.279 --> 00:12:21.600 This is done by implementing controls or 00:12:21.600 --> 00:12:23.839 improving existing ones to address the 00:12:23.839 --> 00:12:25.360 risk. 00:12:25.360 --> 00:12:27.360 There are three main operational types 00:12:27.360 --> 00:12:29.279 of control: administrative or 00:12:29.279 --> 00:12:31.040 people-based controls, 00:12:31.040 --> 00:12:33.360 technical or logical controls, and 00:12:33.360 --> 00:12:36.079 physical or environmental controls. 00:12:36.079 --> 00:12:37.920 Within these three operational types 00:12:37.920 --> 00:12:39.920 there are several different tactical 00:12:39.920 --> 00:12:42.639 uses of controls, such as those that are 
00:12:42.639 --> 00:12:44.320 designed to prevent a threat from 00:12:44.320 --> 00:12:45.920 materializing, 00:12:45.920 --> 00:12:48.160 those that are designed to deter people 00:12:48.160 --> 00:12:50.800 from carrying out an undesired action, 00:12:50.800 --> 00:12:52.639 those that detect if a threat has 00:12:52.639 --> 00:12:55.279 materialized, or those that enable you to 00:12:55.279 --> 00:12:57.200 recover from a situation after the 00:12:57.200 --> 00:12:58.959 threat has been dealt with, 00:12:58.959 --> 00:13:00.959 and there are several others. 00:13:00.959 --> 00:13:03.279 Operational types and tactical uses of 00:13:03.279 --> 00:13:06.160 controls are not mutually exclusive and 00:13:06.160 --> 00:13:08.560 can and should be used where possible in 00:13:08.560 --> 00:13:11.200 combination to provide a greater depth 00:13:11.200 --> 00:13:13.120 of security. 00:13:13.120 --> 00:13:16.800 ISO 27001 Risk Management Monitor and 00:13:16.800 --> 00:13:18.160 Review 00:13:18.160 --> 00:13:19.920 It is important to ensure that any 00:13:19.920 --> 00:13:21.839 actions you take to address the risks 00:13:21.839 --> 00:13:23.760 you have identified are monitored and 00:13:23.760 --> 00:13:25.519 reviewed to ensure that they have the 00:13:25.519 --> 00:13:27.200 desired effect. 00:13:27.200 --> 00:13:29.519 Part of the monitor and review process 00:13:29.519 --> 00:13:31.839 should also include a review of context 00:13:31.839 --> 00:13:33.279 before the risk assessment is 00:13:33.279 --> 00:13:34.720 re-performed. 00:13:34.720 --> 00:13:36.800 This will allow you to identify and take 00:13:36.800 --> 00:13:38.959 into consideration any changes that may 00:13:38.959 --> 00:13:41.279 have happened either internally within 00:13:41.279 --> 00:13:43.680 your organization or externally, such as 00:13:43.680 --> 00:13:46.240 changes in legislation or changes to the 00:13:46.240 --> 00:13:48.880 threat environment. Thus you are able to 00:13:48.880 --> 00:13:51.040 
identify if risks that have previously 00:13:51.040 --> 00:13:53.440 been identified are getting worse or, 00:13:53.440 --> 00:13:55.760 hopefully, better, and you will also be 00:13:55.760 --> 00:13:58.560 able to identify any new risks. 00:13:58.560 --> 00:14:02.399 ISO 27001 Risk Assessment Frequency 00:14:02.399 --> 00:14:04.160 Risk management, and therefore risk 00:14:04.160 --> 00:14:06.959 assessment, is an iterative process, 00:14:06.959 --> 00:14:08.720 and each iteration should take into 00:14:08.720 --> 00:14:10.800 consideration lessons learned from the 00:14:10.800 --> 00:14:13.279 previous iteration and should take into 00:14:13.279 --> 00:14:15.680 consideration any internal or external 00:14:15.680 --> 00:14:18.079 changes, thus enabling continual 00:14:18.079 --> 00:14:19.360 improvement. 00:14:19.360 --> 00:14:21.279 There is no hard and fast rule on the 00:14:21.279 --> 00:14:23.680 frequency of risk assessment, but URM 00:14:23.680 --> 00:14:25.839 recommends that the frequency is no less 00:14:25.839 --> 00:14:27.440 than annual. 00:14:27.440 --> 00:14:29.279 This does not necessarily mean that you 00:14:29.279 --> 00:14:31.120 should set aside a certain amount of 00:14:31.120 --> 00:14:33.120 time at a certain point in the year to 00:14:33.120 --> 00:14:35.440 conduct a risk assessment, although of 00:14:35.440 --> 00:14:37.920 course you can do this if you wish. 00:14:37.920 --> 00:14:40.079 It just means that each time 12 months 00:14:40.079 --> 00:14:42.160 has elapsed you should aim to have 00:14:42.160 --> 00:14:44.480 completed the next iteration, 00:14:44.480 --> 00:14:46.639 so you could spread the workload over 00:14:46.639 --> 00:14:48.720 the 12-month period by performing 00:14:48.720 --> 00:14:50.959 smaller risk assessments on a subset of 00:14:50.959 --> 00:14:53.920 areas at more frequent intervals if this 00:14:53.920 --> 00:14:56.160 is more manageable. 00:14:56.160 --> 00:14:59.199 ISO 27001 Risk Management 00:14:59.199 --> 00:15:00.959 
Governance 00:15:00.959 --> 00:15:03.199 Throughout the risk management process 00:15:03.199 --> 00:15:05.120 you need to ensure that you communicate 00:15:05.120 --> 00:15:07.839 effectively with any interested parties. 00:15:07.839 --> 00:15:10.480 It may be useful to put together a RACI 00:15:10.480 --> 00:15:13.440 to help you with this, as all the 00:15:13.440 --> 00:15:15.360 way through the process different people 00:15:15.360 --> 00:15:17.839 will need to be held responsible, some 00:15:17.839 --> 00:15:20.000 will need to be held accountable, some 00:15:20.000 --> 00:15:21.839 will need to be consulted in order to 00:15:21.839 --> 00:15:23.440 identify all of the pertinent 00:15:23.440 --> 00:15:25.519 information we need to perform an 00:15:25.519 --> 00:15:27.760 effective risk assessment, and some 00:15:27.760 --> 00:15:30.000 people, for example the management team, 00:15:30.000 --> 00:15:31.759 will need to be informed through 00:15:31.759 --> 00:15:35.680 effective reporting of your risk status. 00:15:35.680 --> 00:15:38.959 ISO 27001 Risk Management Policy and 00:15:38.959 --> 00:15:40.560 Process 00:15:40.560 --> 00:15:42.959 As with all key processes associated 00:15:42.959 --> 00:15:45.759 with an effective ISMS, it is a good idea 00:15:45.759 --> 00:15:48.399 to implement a risk management policy. 00:15:48.399 --> 00:15:50.079 This enables you to set the risk 00:15:50.079 --> 00:15:52.720 management and risk assessment criteria, 00:15:52.720 --> 00:15:55.199 appetite and roles and responsibilities 00:15:55.199 --> 00:15:57.279 out within a document that everyone is 00:15:57.279 --> 00:15:59.040 required to implement throughout the 00:15:59.040 --> 00:16:00.639 business. 00:16:00.639 --> 00:16:02.480 This should of course be underpinned by 00:16:02.480 --> 00:16:05.040 the risk management methodology and any 00:16:05.040 --> 00:16:07.680 required documented processes to enable 00:16:07.680 --> 00:16:09.279 risk management to be embedded 00:16:09.279 
--> 00:16:12.079 throughout the organization. 00:16:12.079 --> 00:16:15.040 So how can URM help? 00:16:15.040 --> 00:16:17.199 URM can offer a range of information 00:16:17.199 --> 00:16:19.680 risk management consultancy and training 00:16:19.680 --> 00:16:22.639 services, most notably our accredited 00:16:22.639 --> 00:16:24.720 five-day Practitioner Certificate in 00:16:24.720 --> 00:16:26.560 Information Risk Management training 00:16:26.560 --> 00:16:27.519 course. 00:16:27.519 --> 00:16:30.240 In addition, URM has also developed an 00:16:30.240 --> 00:16:32.399 information risk management module, 00:16:32.399 --> 00:16:36.000 Abriska 27001, especially to meet the 00:16:36.000 --> 00:16:38.320 risk assessment requirements of ISO 00:16:38.320 --> 00:16:40.160 27001. 00:16:40.160 --> 00:16:42.720 For more information, email us or give us 00:16:42.720 --> 00:16:45.800 a call.