[Script Info] Title: [Events] Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text Dialogue: 0,0:00:04.79,0:00:07.84,Default,,0000,0000,0000,,[Music] Dialogue: 0,0:00:07.84,0:00:10.64,Default,,0000,0000,0000,,What is information security risk? Dialogue: 0,0:00:10.64,0:00:12.72,Default,,0000,0000,0000,,Information security risk is simply a Dialogue: 0,0:00:12.72,0:00:14.64,Default,,0000,0000,0000,,combination of the impact that could Dialogue: 0,0:00:14.64,0:00:16.88,Default,,0000,0000,0000,,result from a threat compromising one of Dialogue: 0,0:00:16.88,0:00:19.60,Default,,0000,0000,0000,,your important information assets and Dialogue: 0,0:00:19.60,0:00:22.00,Default,,0000,0000,0000,,the likelihood of this happening. Dialogue: 0,0:00:22.00,0:00:25.52,Default,,0000,0000,0000,,Risk Management In ISO 27001 Dialogue: 0,0:00:25.52,0:00:28.80,Default,,0000,0000,0000,,ISO 27001 requires that you implement a Dialogue: 0,0:00:28.80,0:00:31.28,Default,,0000,0000,0000,,management system to help you manage the Dialogue: 0,0:00:31.28,0:00:33.44,Default,,0000,0000,0000,,security of your important information Dialogue: 0,0:00:33.44,0:00:34.48,Default,,0000,0000,0000,,assets. Dialogue: 0,0:00:34.48,0:00:36.48,Default,,0000,0000,0000,,The backbone of this is formed from the Dialogue: 0,0:00:36.48,0:00:38.48,Default,,0000,0000,0000,,need to develop and implement an Dialogue: 0,0:00:38.48,0:00:40.96,Default,,0000,0000,0000,,appropriate and effective information Dialogue: 0,0:00:40.96,0:00:44.64,Default,,0000,0000,0000,,security risk management methodology. 
Dialogue: 0,0:00:44.64,0:00:48.08,Default,,0000,0000,0000,,ISO 27001 Risk Management Dialogue: 0,0:00:48.08,0:00:50.08,Default,,0000,0000,0000,,You should develop and implement a risk Dialogue: 0,0:00:50.08,0:00:52.00,Default,,0000,0000,0000,,management methodology which allows you Dialogue: 0,0:00:52.00,0:00:54.40,Default,,0000,0000,0000,,to identify your important information Dialogue: 0,0:00:54.40,0:00:57.12,Default,,0000,0000,0000,,assets and to determine why they need Dialogue: 0,0:00:57.12,0:00:58.64,Default,,0000,0000,0000,,protecting. Dialogue: 0,0:00:58.64,0:01:00.64,Default,,0000,0000,0000,,It is important to note here that when Dialogue: 0,0:01:00.64,0:01:03.20,Default,,0000,0000,0000,,information security is mentioned, people Dialogue: 0,0:01:03.20,0:01:04.92,Default,,0000,0000,0000,,immediately start thinking about Dialogue: 0,0:01:04.92,0:01:07.28,Default,,0000,0000,0000,,confidentiality aspects, but the Dialogue: 0,0:01:07.28,0:01:10.32,Default,,0000,0000,0000,,availability and integrity aspects also Dialogue: 0,0:01:10.32,0:01:12.64,Default,,0000,0000,0000,,need to be taken into consideration Dialogue: 0,0:01:12.64,0:01:14.80,Default,,0000,0000,0000,,as these are important components of Dialogue: 0,0:01:14.80,0:01:17.12,Default,,0000,0000,0000,,information security. Dialogue: 0,0:01:17.12,0:01:19.04,Default,,0000,0000,0000,,Once this has been achieved, your Dialogue: 0,0:01:19.04,0:01:21.36,Default,,0000,0000,0000,,methodology needs to be able to identify Dialogue: 0,0:01:21.36,0:01:23.92,Default,,0000,0000,0000,,the likelihood of something going wrong Dialogue: 0,0:01:23.92,0:01:26.08,Default,,0000,0000,0000,,and what can be done to mitigate this Dialogue: 0,0:01:26.08,0:01:27.04,Default,,0000,0000,0000,,risk. 
Dialogue: 0,0:01:27.04,0:01:29.84,Default,,0000,0000,0000,,In a nutshell, it enables you to quantify Dialogue: 0,0:01:29.84,0:01:31.92,Default,,0000,0000,0000,,the impact and the likelihood elements Dialogue: 0,0:01:31.92,0:01:34.64,Default,,0000,0000,0000,,of information security risk and then go Dialogue: 0,0:01:34.64,0:01:38.08,Default,,0000,0000,0000,,on to do something about it. Dialogue: 0,0:01:38.08,0:01:42.64,Default,,0000,0000,0000,,ISO 27001 Risk Management Framework Dialogue: 0,0:01:42.64,0:01:44.72,Default,,0000,0000,0000,,There are several discrete stages of an Dialogue: 0,0:01:44.72,0:01:48.72,Default,,0000,0000,0000,,ISO 27001 risk management methodology. Dialogue: 0,0:01:48.72,0:01:50.24,Default,,0000,0000,0000,,First of all, it is important to Dialogue: 0,0:01:50.24,0:01:52.16,Default,,0000,0000,0000,,understand the information security Dialogue: 0,0:01:52.16,0:01:54.72,Default,,0000,0000,0000,,context of your organization. Dialogue: 0,0:01:54.72,0:01:56.72,Default,,0000,0000,0000,,Once this has been achieved, you can Dialogue: 0,0:01:56.72,0:01:59.20,Default,,0000,0000,0000,,perform a risk assessment which includes Dialogue: 0,0:01:59.20,0:02:01.84,Default,,0000,0000,0000,,the need to identify your risks, Dialogue: 0,0:02:01.84,0:02:04.88,Default,,0000,0000,0000,,analyze them, and evaluate them. Dialogue: 0,0:02:04.88,0:02:06.88,Default,,0000,0000,0000,,You then need to determine a suitable Dialogue: 0,0:02:06.88,0:02:08.40,Default,,0000,0000,0000,,treatment for the risks you have Dialogue: 0,0:02:08.40,0:02:10.64,Default,,0000,0000,0000,,assessed and then implement that Dialogue: 0,0:02:10.64,0:02:11.84,Default,,0000,0000,0000,,treatment. Dialogue: 0,0:02:11.84,0:02:14.48,Default,,0000,0000,0000,,It is vitally important that you do not Dialogue: 0,0:02:14.48,0:02:17.04,Default,,0000,0000,0000,,see this as a one-off exercise. 
Dialogue: 0,0:02:17.04,0:02:18.88,Default,,0000,0000,0000,,Your risk management methodology should Dialogue: 0,0:02:18.88,0:02:21.04,Default,,0000,0000,0000,,be designed to be iterative. Dialogue: 0,0:02:21.04,0:02:23.20,Default,,0000,0000,0000,,This enables you to not only review the Dialogue: 0,0:02:23.20,0:02:25.28,Default,,0000,0000,0000,,status of risks you have previously Dialogue: 0,0:02:25.28,0:02:28.00,Default,,0000,0000,0000,,identified, taking into consideration any Dialogue: 0,0:02:28.00,0:02:30.88,Default,,0000,0000,0000,,potential changes in context, but it also Dialogue: 0,0:02:30.88,0:02:34.16,Default,,0000,0000,0000,,enables you to identify new risks. Dialogue: 0,0:02:34.16,0:02:36.16,Default,,0000,0000,0000,,The high-level stages of a risk Dialogue: 0,0:02:36.16,0:02:38.24,Default,,0000,0000,0000,,management methodology, as described Dialogue: 0,0:02:38.24,0:02:40.16,Default,,0000,0000,0000,,above, should be thought of as a Dialogue: 0,0:02:40.16,0:02:42.64,Default,,0000,0000,0000,,framework that enables risk management Dialogue: 0,0:02:42.64,0:02:44.80,Default,,0000,0000,0000,,to be embedded within key processes Dialogue: 0,0:02:44.80,0:02:46.96,Default,,0000,0000,0000,,throughout your organization Dialogue: 0,0:02:46.96,0:02:49.04,Default,,0000,0000,0000,,so that any identified risks are Dialogue: 0,0:02:49.04,0:02:50.56,Default,,0000,0000,0000,,comparable. Dialogue: 0,0:02:50.56,0:02:54.48,Default,,0000,0000,0000,,ISO 27001 Risk Management Context Dialogue: 0,0:02:54.48,0:02:56.24,Default,,0000,0000,0000,,The first stage of your risk management Dialogue: 0,0:02:56.24,0:02:58.56,Default,,0000,0000,0000,,methodology needs to identify what is Dialogue: 0,0:02:58.56,0:03:00.72,Default,,0000,0000,0000,,important to you or your organization Dialogue: 0,0:03:00.72,0:03:02.64,Default,,0000,0000,0000,,from an information security point of Dialogue: 0,0:03:02.64,0:03:03.76,Default,,0000,0000,0000,,view. 
Dialogue: 0,0:03:03.76,0:03:06.96,Default,,0000,0000,0000,,ISO 27001 requires you to determine the Dialogue: 0,0:03:06.96,0:03:09.28,Default,,0000,0000,0000,,context of your organization. Dialogue: 0,0:03:09.28,0:03:10.96,Default,,0000,0000,0000,,Part of which means that you need to be Dialogue: 0,0:03:10.96,0:03:12.64,Default,,0000,0000,0000,,able to identify the information Dialogue: 0,0:03:12.64,0:03:15.20,Default,,0000,0000,0000,,security related issues that you face Dialogue: 0,0:03:15.20,0:03:17.68,Default,,0000,0000,0000,,along with who the internal and external Dialogue: 0,0:03:17.68,0:03:20.00,Default,,0000,0000,0000,,interested parties are and what their Dialogue: 0,0:03:20.00,0:03:22.56,Default,,0000,0000,0000,,needs and expectations are. Dialogue: 0,0:03:22.56,0:03:24.80,Default,,0000,0000,0000,,It is important to also understand what Dialogue: 0,0:03:24.80,0:03:27.44,Default,,0000,0000,0000,,your risk appetite is at this stage as Dialogue: 0,0:03:27.44,0:03:30.40,Default,,0000,0000,0000,,we will need this information later. Dialogue: 0,0:03:30.40,0:03:32.24,Default,,0000,0000,0000,,Once you have done this, you are able to Dialogue: 0,0:03:32.24,0:03:34.24,Default,,0000,0000,0000,,determine what is important about the Dialogue: 0,0:03:34.24,0:03:36.32,Default,,0000,0000,0000,,different information assets under your Dialogue: 0,0:03:36.32,0:03:37.68,Default,,0000,0000,0000,,control. Dialogue: 0,0:03:37.68,0:03:41.44,Default,,0000,0000,0000,,ISO 27001 Risk Management What Is Risk Dialogue: 0,0:03:41.44,0:03:43.52,Default,,0000,0000,0000,,Appetite? 
Dialogue: 0,0:03:43.52,0:03:45.92,Default,,0000,0000,0000,,Risk appetite is simply the amount and Dialogue: 0,0:03:45.92,0:03:48.24,Default,,0000,0000,0000,,type of risk you are willing to accept Dialogue: 0,0:03:48.24,0:03:49.52,Default,,0000,0000,0000,,or retain Dialogue: 0,0:03:49.52,0:03:51.76,Default,,0000,0000,0000,,in order to allow business operations to Dialogue: 0,0:03:51.76,0:03:53.12,Default,,0000,0000,0000,,proceed. Dialogue: 0,0:03:53.12,0:03:55.12,Default,,0000,0000,0000,,This is important because too much Dialogue: 0,0:03:55.12,0:03:57.28,Default,,0000,0000,0000,,security can sometimes compromise your Dialogue: 0,0:03:57.28,0:04:00.56,Default,,0000,0000,0000,,operational viability, whereas too little Dialogue: 0,0:04:00.56,0:04:02.24,Default,,0000,0000,0000,,will reduce the confidence of your Dialogue: 0,0:04:02.24,0:04:04.00,Default,,0000,0000,0000,,stakeholders. Dialogue: 0,0:04:04.00,0:04:06.08,Default,,0000,0000,0000,,Some types of organizations are willing Dialogue: 0,0:04:06.08,0:04:08.72,Default,,0000,0000,0000,,to accept more risk than others. Dialogue: 0,0:04:08.72,0:04:10.80,Default,,0000,0000,0000,,For example, a hedge fund manager is Dialogue: 0,0:04:10.80,0:04:12.88,Default,,0000,0000,0000,,likely to take more risk in order to Dialogue: 0,0:04:12.88,0:04:15.20,Default,,0000,0000,0000,,make greater profits over a short space Dialogue: 0,0:04:15.20,0:04:18.16,Default,,0000,0000,0000,,of time, whereas a pension fund manager Dialogue: 0,0:04:18.16,0:04:20.64,Default,,0000,0000,0000,,generally prefers a less risky, steady Dialogue: 0,0:04:20.64,0:04:22.96,Default,,0000,0000,0000,,growth approach. 
Dialogue: 0,0:04:22.96,0:04:26.88,Default,,0000,0000,0000,,ISO 27001 Risk Assessment Methodology Dialogue: 0,0:04:26.88,0:04:28.96,Default,,0000,0000,0000,,Risk Identification Dialogue: 0,0:04:28.96,0:04:31.20,Default,,0000,0000,0000,,Once you have determined the context, you Dialogue: 0,0:04:31.20,0:04:32.96,Default,,0000,0000,0000,,can go ahead and conduct a risk Dialogue: 0,0:04:32.96,0:04:34.16,Default,,0000,0000,0000,,assessment. Dialogue: 0,0:04:34.16,0:04:36.00,Default,,0000,0000,0000,,The first part of a risk assessment is Dialogue: 0,0:04:36.00,0:04:38.72,Default,,0000,0000,0000,,to identify the risks that you face. Dialogue: 0,0:04:38.72,0:04:40.48,Default,,0000,0000,0000,,This can be broken down into three Dialogue: 0,0:04:40.48,0:04:42.64,Default,,0000,0000,0000,,elements. The first element is to Dialogue: 0,0:04:42.64,0:04:45.36,Default,,0000,0000,0000,,identify your information assets. An Dialogue: 0,0:04:45.36,0:04:47.28,Default,,0000,0000,0000,,information asset is any information Dialogue: 0,0:04:47.28,0:04:49.12,Default,,0000,0000,0000,,that has value to you. Dialogue: 0,0:04:49.12,0:04:50.72,Default,,0000,0000,0000,,There are several different ways to Dialogue: 0,0:04:50.72,0:04:53.20,Default,,0000,0000,0000,,calculate the value of an asset but it Dialogue: 0,0:04:53.20,0:04:55.12,Default,,0000,0000,0000,,is important that you not only consider Dialogue: 0,0:04:55.12,0:04:56.80,Default,,0000,0000,0000,,the confidentiality needs of the Dialogue: 0,0:04:56.80,0:04:59.68,Default,,0000,0000,0000,,information, but also the integrity and Dialogue: 0,0:04:59.68,0:05:02.16,Default,,0000,0000,0000,,availability requirements. Dialogue: 0,0:05:02.16,0:05:03.60,Default,,0000,0000,0000,,The second element of risk Dialogue: 0,0:05:03.60,0:05:06.32,Default,,0000,0000,0000,,identification is threat analysis. 
You Dialogue: 0,0:05:06.32,0:05:08.16,Default,,0000,0000,0000,,need to have a process which enables you Dialogue: 0,0:05:08.16,0:05:10.40,Default,,0000,0000,0000,,to identify all of the threats which are Dialogue: 0,0:05:10.40,0:05:11.92,Default,,0000,0000,0000,,applicable to the assets you have Dialogue: 0,0:05:11.92,0:05:13.52,Default,,0000,0000,0000,,identified. Dialogue: 0,0:05:13.52,0:05:15.60,Default,,0000,0000,0000,,If a particular threat is applicable Dialogue: 0,0:05:15.60,0:05:17.68,Default,,0000,0000,0000,,then it is also a good idea to think Dialogue: 0,0:05:17.68,0:05:19.84,Default,,0000,0000,0000,,about how probable it is that the threat Dialogue: 0,0:05:19.84,0:05:21.52,Default,,0000,0000,0000,,will materialize. Dialogue: 0,0:05:21.52,0:05:23.60,Default,,0000,0000,0000,,For example, if you use Windows-based Dialogue: 0,0:05:23.60,0:05:25.36,Default,,0000,0000,0000,,computer systems which are connected Dialogue: 0,0:05:25.36,0:05:27.84,Default,,0000,0000,0000,,somehow to the internet, the probability Dialogue: 0,0:05:27.84,0:05:30.00,Default,,0000,0000,0000,,of them being affected by a virus is Dialogue: 0,0:05:30.00,0:05:32.40,Default,,0000,0000,0000,,probably very high if you do nothing to Dialogue: 0,0:05:32.40,0:05:33.44,Default,,0000,0000,0000,,stop it. Dialogue: 0,0:05:33.44,0:05:35.28,Default,,0000,0000,0000,,Whereas if you are using an Apple Mac Dialogue: 0,0:05:35.28,0:05:37.52,Default,,0000,0000,0000,,which is never connected to the internet, Dialogue: 0,0:05:37.52,0:05:40.48,Default,,0000,0000,0000,,the probability is very low. 
Dialogue: 0,0:05:40.48,0:05:42.72,Default,,0000,0000,0000,,The third element of risk identification Dialogue: 0,0:05:42.72,0:05:44.40,Default,,0000,0000,0000,,is the need to determine if there are Dialogue: 0,0:05:44.40,0:05:46.16,Default,,0000,0000,0000,,any vulnerabilities that would allow a Dialogue: 0,0:05:46.16,0:05:48.32,Default,,0000,0000,0000,,threat that you have identified to cause Dialogue: 0,0:05:48.32,0:05:50.64,Default,,0000,0000,0000,,an impact on your asset. Dialogue: 0,0:05:50.64,0:05:52.48,Default,,0000,0000,0000,,To carry on with the example we have Dialogue: 0,0:05:52.48,0:05:54.96,Default,,0000,0000,0000,,just used, if you have an antivirus Dialogue: 0,0:05:54.96,0:05:57.52,Default,,0000,0000,0000,,system installed and running on your Dialogue: 0,0:05:57.52,0:06:00.24,Default,,0000,0000,0000,,Internet-connected Windows computers, you Dialogue: 0,0:06:00.24,0:06:02.08,Default,,0000,0000,0000,,are less vulnerable to this particular Dialogue: 0,0:06:02.08,0:06:04.96,Default,,0000,0000,0000,,threat than if you didn't. Dialogue: 0,0:06:04.96,0:06:08.88,Default,,0000,0000,0000,,ISO 27001 Risk Assessment Methodology Dialogue: 0,0:06:08.88,0:06:11.04,Default,,0000,0000,0000,,Risk Analysis Dialogue: 0,0:06:11.04,0:06:13.12,Default,,0000,0000,0000,,One of the useful aspects of the output Dialogue: 0,0:06:13.12,0:06:15.44,Default,,0000,0000,0000,,from an effective risk assessment is the Dialogue: 0,0:06:15.44,0:06:18.56,Default,,0000,0000,0000,,ability to prioritize your risks. This is Dialogue: 0,0:06:18.56,0:06:20.64,Default,,0000,0000,0000,,important as you may not have sufficient Dialogue: 0,0:06:20.64,0:06:22.96,Default,,0000,0000,0000,,resources to fully mitigate every risk Dialogue: 0,0:06:22.96,0:06:24.80,Default,,0000,0000,0000,,that you identify. Dialogue: 0,0:06:24.80,0:06:26.48,Default,,0000,0000,0000,,This means that it is important to Dialogue: 0,0:06:26.48,0:06:28.80,Default,,0000,0000,0000,,somehow quantify your risks. 
Dialogue: 0,0:06:28.80,0:06:31.60,Default,,0000,0000,0000,,To do this, we need to know two things. Dialogue: 0,0:06:31.60,0:06:33.52,Default,,0000,0000,0000,,First, how much of an impact would be Dialogue: 0,0:06:33.52,0:06:36.32,Default,,0000,0000,0000,,felt if a compromise occurred? And second, Dialogue: 0,0:06:36.32,0:06:38.32,Default,,0000,0000,0000,,what is the likelihood of that threat Dialogue: 0,0:06:38.32,0:06:39.68,Default,,0000,0000,0000,,occurring? Dialogue: 0,0:06:39.68,0:06:42.00,Default,,0000,0000,0000,,One good idea is to use a set of scales Dialogue: 0,0:06:42.00,0:06:44.72,Default,,0000,0000,0000,,to record values in these areas. Dialogue: 0,0:06:44.72,0:06:47.52,Default,,0000,0000,0000,,For example, using a scale of one to five, Dialogue: 0,0:06:47.52,0:06:49.68,Default,,0000,0000,0000,,we could say how impactful it would be Dialogue: 0,0:06:49.68,0:06:51.84,Default,,0000,0000,0000,,if the confidentiality of an asset were Dialogue: 0,0:06:51.84,0:06:53.04,Default,,0000,0000,0000,,breached. Dialogue: 0,0:06:53.04,0:06:54.96,Default,,0000,0000,0000,,Clearly breaches of confidentiality Dialogue: 0,0:06:54.96,0:06:56.96,Default,,0000,0000,0000,,would cause a greater impact for some Dialogue: 0,0:06:56.96,0:07:00.40,Default,,0000,0000,0000,,assets, for example, HR records, than Dialogue: 0,0:07:00.40,0:07:03.52,Default,,0000,0000,0000,,others like the staff canteen menu. Dialogue: 0,0:07:03.52,0:07:05.68,Default,,0000,0000,0000,,A second one to five scale could be used Dialogue: 0,0:07:05.68,0:07:07.68,Default,,0000,0000,0000,,to determine the likelihood of a breach Dialogue: 0,0:07:07.68,0:07:09.76,Default,,0000,0000,0000,,occurring and we would take into Dialogue: 0,0:07:09.76,0:07:11.12,Default,,0000,0000,0000,,consideration the threat and Dialogue: 0,0:07:11.12,0:07:13.28,Default,,0000,0000,0000,,vulnerability information we spoke about Dialogue: 0,0:07:13.28,0:07:16.40,Default,,0000,0000,0000,,earlier in order to do this. 
Dialogue: 0,0:07:16.40,0:07:20.16,Default,,0000,0000,0000,,ISO 27001 Risk Assessment Methodology Dialogue: 0,0:07:20.16,0:07:22.16,Default,,0000,0000,0000,,Risk Evaluation Dialogue: 0,0:07:22.16,0:07:24.40,Default,,0000,0000,0000,,Risk evaluation is a relatively simple Dialogue: 0,0:07:24.40,0:07:26.72,Default,,0000,0000,0000,,process as it requires you to identify Dialogue: 0,0:07:26.72,0:07:28.40,Default,,0000,0000,0000,,whether or not the risk that you have Dialogue: 0,0:07:28.40,0:07:32.08,Default,,0000,0000,0000,,identified is above or below appetite. Dialogue: 0,0:07:32.08,0:07:34.00,Default,,0000,0000,0000,,To do this, the first thing we need to do Dialogue: 0,0:07:34.00,0:07:36.00,Default,,0000,0000,0000,,is calculate the value of the risk which Dialogue: 0,0:07:36.00,0:07:38.16,Default,,0000,0000,0000,,simply means multiplying the impact and Dialogue: 0,0:07:38.16,0:07:40.88,Default,,0000,0000,0000,,likelihood values together. Dialogue: 0,0:07:40.88,0:07:42.88,Default,,0000,0000,0000,,We have a range of possible values which Dialogue: 0,0:07:42.88,0:07:45.28,Default,,0000,0000,0000,,result from multiplying the two one to Dialogue: 0,0:07:45.28,0:07:47.60,Default,,0000,0000,0000,,five scales together. Dialogue: 0,0:07:47.60,0:07:49.52,Default,,0000,0000,0000,,The appetite is stated within the Dialogue: 0,0:07:49.52,0:07:51.68,Default,,0000,0000,0000,,methodology as a particular value on the Dialogue: 0,0:07:51.68,0:07:53.68,Default,,0000,0000,0000,,five by five matrix. Dialogue: 0,0:07:53.68,0:07:56.16,Default,,0000,0000,0000,,If a particular risk is above this value, Dialogue: 0,0:07:56.16,0:07:58.48,Default,,0000,0000,0000,,then it is above appetite which means Dialogue: 0,0:07:58.48,0:08:00.00,Default,,0000,0000,0000,,that it can then be flagged for Dialogue: 0,0:08:00.00,0:08:01.12,Default,,0000,0000,0000,,treatment. 
Dialogue: 0,0:08:01.12,0:08:03.92,Default,,0000,0000,0000,,Anything below appetite can be accepted Dialogue: 0,0:08:03.92,0:08:07.12,Default,,0000,0000,0000,,and monitored for change. Dialogue: 0,0:08:07.12,0:08:11.60,Default,,0000,0000,0000,,ISO 27001 Risk Treatment Methodology Dialogue: 0,0:08:11.60,0:08:13.52,Default,,0000,0000,0000,,Your risk management methodology needs Dialogue: 0,0:08:13.52,0:08:15.76,Default,,0000,0000,0000,,to include a methodology for determining Dialogue: 0,0:08:15.76,0:08:17.84,Default,,0000,0000,0000,,the most appropriate treatment for the Dialogue: 0,0:08:17.84,0:08:20.24,Default,,0000,0000,0000,,risks that you have identified. Dialogue: 0,0:08:20.24,0:08:22.08,Default,,0000,0000,0000,,There are four possible treatments to Dialogue: 0,0:08:22.08,0:08:25.52,Default,,0000,0000,0000,,choose from. These are accept, reduce, Dialogue: 0,0:08:25.52,0:08:26.40,Default,,0000,0000,0000,,transfer, Dialogue: 0,0:08:26.40,0:08:27.84,Default,,0000,0000,0000,,and avoid. Dialogue: 0,0:08:27.84,0:08:29.76,Default,,0000,0000,0000,,You may come across different terms used Dialogue: 0,0:08:29.76,0:08:31.76,Default,,0000,0000,0000,,for these such as tolerate, treat, Dialogue: 0,0:08:31.76,0:08:34.40,Default,,0000,0000,0000,,transfer, and terminate. This example is Dialogue: 0,0:08:34.40,0:08:37.04,Default,,0000,0000,0000,,known as the 4Ts; however, they take Dialogue: 0,0:08:37.04,0:08:39.76,Default,,0000,0000,0000,,the same approach. Dialogue: 0,0:08:39.76,0:08:43.52,Default,,0000,0000,0000,,ISO 27001 Risk Treatment Methodology Dialogue: 0,0:08:43.52,0:08:46.64,Default,,0000,0000,0000,,Accept or Tolerate Dialogue: 0,0:08:46.64,0:08:48.40,Default,,0000,0000,0000,,One of the four treatments provides you Dialogue: 0,0:08:48.40,0:08:50.96,Default,,0000,0000,0000,,with the ability to accept risk. 
Dialogue: 0,0:08:50.96,0:08:52.56,Default,,0000,0000,0000,,We have already seen that this is Dialogue: 0,0:08:52.56,0:08:54.24,Default,,0000,0000,0000,,possible as it is likely that you will Dialogue: 0,0:08:54.24,0:08:56.32,Default,,0000,0000,0000,,simply accept risks that are below Dialogue: 0,0:08:56.32,0:08:57.60,Default,,0000,0000,0000,,appetite. Dialogue: 0,0:08:57.60,0:08:59.60,Default,,0000,0000,0000,,However, you can also make an informed Dialogue: 0,0:08:59.60,0:09:01.92,Default,,0000,0000,0000,,decision to accept risks in certain Dialogue: 0,0:09:01.92,0:09:04.16,Default,,0000,0000,0000,,circumstances, such as where there is a Dialogue: 0,0:09:04.16,0:09:06.08,Default,,0000,0000,0000,,legal requirement preventing you from Dialogue: 0,0:09:06.08,0:09:08.32,Default,,0000,0000,0000,,taking the desired action or you have Dialogue: 0,0:09:08.32,0:09:11.12,Default,,0000,0000,0000,,insufficient resources to do so. Dialogue: 0,0:09:11.12,0:09:12.88,Default,,0000,0000,0000,,These cases should be few and far Dialogue: 0,0:09:12.88,0:09:14.48,Default,,0000,0000,0000,,between though and should always be Dialogue: 0,0:09:14.48,0:09:16.56,Default,,0000,0000,0000,,approved by appropriate management and Dialogue: 0,0:09:16.56,0:09:19.60,Default,,0000,0000,0000,,regularly reviewed. Dialogue: 0,0:09:19.60,0:09:23.36,Default,,0000,0000,0000,,ISO 27001 Risk Treatment Methodology Dialogue: 0,0:09:23.36,0:09:25.76,Default,,0000,0000,0000,,Reduce or Treat Dialogue: 0,0:09:25.76,0:09:27.84,Default,,0000,0000,0000,,The second treatment option is to reduce Dialogue: 0,0:09:27.84,0:09:29.36,Default,,0000,0000,0000,,or treat the risk. Dialogue: 0,0:09:29.36,0:09:31.12,Default,,0000,0000,0000,,This is done through the implementation Dialogue: 0,0:09:31.12,0:09:32.56,Default,,0000,0000,0000,,of controls. 
Dialogue: 0,0:09:32.56,0:09:35.72,Default,,0000,0000,0000,,ISO 27001 provides you with a list of Dialogue: 0,0:09:35.72,0:09:38.56,Default,,0000,0000,0000,,114 best practice controls that can be Dialogue: 0,0:09:38.56,0:09:40.48,Default,,0000,0000,0000,,used to mitigate the risks that you have Dialogue: 0,0:09:40.48,0:09:42.08,Default,,0000,0000,0000,,identified. Dialogue: 0,0:09:42.08,0:09:43.92,Default,,0000,0000,0000,,These can be used in combination in Dialogue: 0,0:09:43.92,0:09:46.08,Default,,0000,0000,0000,,order to increase their effectiveness Dialogue: 0,0:09:46.08,0:09:47.92,Default,,0000,0000,0000,,and of course you can also add controls Dialogue: 0,0:09:47.92,0:09:50.08,Default,,0000,0000,0000,,of your own that do not appear in ISO Dialogue: 0,0:09:50.08,0:09:53.04,Default,,0000,0000,0000,,27001. Dialogue: 0,0:09:53.04,0:09:56.56,Default,,0000,0000,0000,,ISO 27001 Risk Treatment Methodology Dialogue: 0,0:09:56.56,0:09:58.24,Default,,0000,0000,0000,,Transfer Dialogue: 0,0:09:58.24,0:10:00.08,Default,,0000,0000,0000,,The third risk treatment option is to Dialogue: 0,0:10:00.08,0:10:01.76,Default,,0000,0000,0000,,transfer the risk. Dialogue: 0,0:10:01.76,0:10:03.84,Default,,0000,0000,0000,,The transfer option involves the use of Dialogue: 0,0:10:03.84,0:10:06.00,Default,,0000,0000,0000,,third parties to help you mitigate your Dialogue: 0,0:10:06.00,0:10:07.04,Default,,0000,0000,0000,,risks. Dialogue: 0,0:10:07.04,0:10:08.72,Default,,0000,0000,0000,,You could do this, for example, by Dialogue: 0,0:10:08.72,0:10:10.80,Default,,0000,0000,0000,,offloading some of the financial impact Dialogue: 0,0:10:10.80,0:10:13.12,Default,,0000,0000,0000,,of something going wrong by taking out Dialogue: 0,0:10:13.12,0:10:15.20,Default,,0000,0000,0000,,an insurance policy. 
Dialogue: 0,0:10:15.20,0:10:16.64,Default,,0000,0000,0000,,Another way of doing this is to Dialogue: 0,0:10:16.64,0:10:18.32,Default,,0000,0000,0000,,outsource the responsibility for Dialogue: 0,0:10:18.32,0:10:20.16,Default,,0000,0000,0000,,implementing and operating technical Dialogue: 0,0:10:20.16,0:10:22.56,Default,,0000,0000,0000,,controls to a third party such as an IT Dialogue: 0,0:10:22.56,0:10:24.56,Default,,0000,0000,0000,,managed service provider. Dialogue: 0,0:10:24.56,0:10:26.32,Default,,0000,0000,0000,,It is important to note here that Dialogue: 0,0:10:26.32,0:10:28.40,Default,,0000,0000,0000,,although responsibility for financial Dialogue: 0,0:10:28.40,0:10:30.56,Default,,0000,0000,0000,,impact or the management of operational Dialogue: 0,0:10:30.56,0:10:33.28,Default,,0000,0000,0000,,controls can be transferred to a third Dialogue: 0,0:10:33.28,0:10:36.40,Default,,0000,0000,0000,,party, the accountability associated with Dialogue: 0,0:10:36.40,0:10:38.16,Default,,0000,0000,0000,,the risk cannot. Dialogue: 0,0:10:38.16,0:10:39.92,Default,,0000,0000,0000,,In other words you will still be held Dialogue: 0,0:10:39.92,0:10:42.16,Default,,0000,0000,0000,,accountable by your stakeholders if Dialogue: 0,0:10:42.16,0:10:44.88,Default,,0000,0000,0000,,something goes wrong. Dialogue: 0,0:10:44.88,0:10:48.80,Default,,0000,0000,0000,,ISO 27001 Risk Treatment Methodology Dialogue: 0,0:10:48.80,0:10:51.52,Default,,0000,0000,0000,,Avoid or Terminate Dialogue: 0,0:10:51.52,0:10:53.44,Default,,0000,0000,0000,,The fourth risk treatment option is to Dialogue: 0,0:10:53.44,0:10:55.44,Default,,0000,0000,0000,,simply avoid the risk. Dialogue: 0,0:10:55.44,0:10:57.20,Default,,0000,0000,0000,,As we have discussed before, there are Dialogue: 0,0:10:57.20,0:11:00.16,Default,,0000,0000,0000,,three component parts to risk. 
The impact Dialogue: 0,0:11:00.16,0:11:02.16,Default,,0000,0000,0000,,felt by the organization following a Dialogue: 0,0:11:02.16,0:11:04.32,Default,,0000,0000,0000,,breach of confidentiality, integrity, or Dialogue: 0,0:11:04.32,0:11:07.28,Default,,0000,0000,0000,,availability for an information asset. Dialogue: 0,0:11:07.28,0:11:09.76,Default,,0000,0000,0000,,A threat that could cause this impact Dialogue: 0,0:11:09.76,0:11:11.68,Default,,0000,0000,0000,,and a vulnerability that would allow it Dialogue: 0,0:11:11.68,0:11:13.20,Default,,0000,0000,0000,,to do so. Dialogue: 0,0:11:13.20,0:11:15.92,Default,,0000,0000,0000,,It is possible to avoid risk completely Dialogue: 0,0:11:15.92,0:11:18.16,Default,,0000,0000,0000,,by eliminating one or more of these Dialogue: 0,0:11:18.16,0:11:19.52,Default,,0000,0000,0000,,three elements. Dialogue: 0,0:11:19.52,0:11:21.52,Default,,0000,0000,0000,,However, it is unlikely that we would be Dialogue: 0,0:11:21.52,0:11:24.24,Default,,0000,0000,0000,,able to completely remove all threats or Dialogue: 0,0:11:24.24,0:11:26.96,Default,,0000,0000,0000,,all vulnerabilities which leaves us only Dialogue: 0,0:11:26.96,0:11:29.44,Default,,0000,0000,0000,,with one viable option, which is to Dialogue: 0,0:11:29.44,0:11:31.52,Default,,0000,0000,0000,,remove the impact. Dialogue: 0,0:11:31.52,0:11:33.92,Default,,0000,0000,0000,,This is done by removing the asset or Dialogue: 0,0:11:33.92,0:11:35.68,Default,,0000,0000,0000,,stopping the processes that are Dialogue: 0,0:11:35.68,0:11:38.56,Default,,0000,0000,0000,,associated with the identified risk. 
Dialogue: 0,0:11:38.56,0:11:40.40,Default,,0000,0000,0000,,For example, to avoid the risks Dialogue: 0,0:11:40.40,0:11:42.48,Default,,0000,0000,0000,,associated with the taking of credit Dialogue: 0,0:11:42.48,0:11:43.84,Default,,0000,0000,0000,,card payments, Dialogue: 0,0:11:43.84,0:11:46.24,Default,,0000,0000,0000,,remove that process and only deal in Dialogue: 0,0:11:46.24,0:11:47.28,Default,,0000,0000,0000,,cash. Dialogue: 0,0:11:47.28,0:11:49.44,Default,,0000,0000,0000,,There are obvious issues associated with Dialogue: 0,0:11:49.44,0:11:52.00,Default,,0000,0000,0000,,taking this approach, as it is unlikely Dialogue: 0,0:11:52.00,0:11:54.08,Default,,0000,0000,0000,,to be looked upon too favorably by your Dialogue: 0,0:11:54.08,0:11:56.64,Default,,0000,0000,0000,,stakeholders, especially if the process Dialogue: 0,0:11:56.64,0:11:58.56,Default,,0000,0000,0000,,is revenue generating. Dialogue: 0,0:11:58.56,0:12:00.56,Default,,0000,0000,0000,,This is the reason why this particular Dialogue: 0,0:12:00.56,0:12:03.12,Default,,0000,0000,0000,,risk treatment methodology is rarely Dialogue: 0,0:12:03.12,0:12:05.12,Default,,0000,0000,0000,,used. Dialogue: 0,0:12:05.12,0:12:08.84,Default,,0000,0000,0000,,ISO 27001 Risk Treatment Methodology Dialogue: 0,0:12:08.84,0:12:09.94,Default,,0000,0000,0000,,Controls Dialogue: 0,0:12:09.94,0:12:12.08,Default,,0000,0000,0000,,The most common option chosen Dialogue: 0,0:12:12.08,0:12:14.88,Default,,0000,0000,0000,,to treat risks, other than maybe 'accept' Dialogue: 0,0:12:14.88,0:12:17.92,Default,,0000,0000,0000,,in more mature ISMSs, is to reduce the Dialogue: 0,0:12:17.92,0:12:19.28,Default,,0000,0000,0000,,risk. Dialogue: 0,0:12:19.28,0:12:21.60,Default,,0000,0000,0000,,This is done by implementing controls or Dialogue: 0,0:12:21.60,0:12:23.84,Default,,0000,0000,0000,,improving existing ones to address the Dialogue: 0,0:12:23.84,0:12:25.36,Default,,0000,0000,0000,,risk. 
Dialogue: 0,0:12:25.36,0:12:27.36,Default,,0000,0000,0000,,There are three main operational types Dialogue: 0,0:12:27.36,0:12:29.28,Default,,0000,0000,0000,,of control: Administrative or Dialogue: 0,0:12:29.28,0:12:31.04,Default,,0000,0000,0000,,people-based controls, Dialogue: 0,0:12:31.04,0:12:33.36,Default,,0000,0000,0000,,technical or logical controls, and Dialogue: 0,0:12:33.36,0:12:36.08,Default,,0000,0000,0000,,physical or environmental controls. Dialogue: 0,0:12:36.08,0:12:37.92,Default,,0000,0000,0000,,Within these three operational types Dialogue: 0,0:12:37.92,0:12:39.92,Default,,0000,0000,0000,,there are several different tactical Dialogue: 0,0:12:39.92,0:12:42.64,Default,,0000,0000,0000,,uses of controls, such as those that are Dialogue: 0,0:12:42.64,0:12:44.32,Default,,0000,0000,0000,,designed to prevent a threat from Dialogue: 0,0:12:44.32,0:12:45.92,Default,,0000,0000,0000,,materializing, Dialogue: 0,0:12:45.92,0:12:48.16,Default,,0000,0000,0000,,those that are designed to deter people Dialogue: 0,0:12:48.16,0:12:50.80,Default,,0000,0000,0000,,from carrying out an undesired action, Dialogue: 0,0:12:50.80,0:12:52.64,Default,,0000,0000,0000,,those that detect if a threat has Dialogue: 0,0:12:52.64,0:12:55.28,Default,,0000,0000,0000,,materialized, or those that enable you to Dialogue: 0,0:12:55.28,0:12:57.20,Default,,0000,0000,0000,,recover from a situation after the Dialogue: 0,0:12:57.20,0:12:58.96,Default,,0000,0000,0000,,threat has been dealt with, Dialogue: 0,0:12:58.96,0:13:00.96,Default,,0000,0000,0000,,and there are several others. 
Dialogue: 0,0:13:00.96,0:13:03.28,Default,,0000,0000,0000,,Operational types and tactical uses of Dialogue: 0,0:13:03.28,0:13:06.16,Default,,0000,0000,0000,,controls are not mutually exclusive and Dialogue: 0,0:13:06.16,0:13:08.56,Default,,0000,0000,0000,,can and should be used where possible in Dialogue: 0,0:13:08.56,0:13:11.20,Default,,0000,0000,0000,,combination to provide a greater depth Dialogue: 0,0:13:11.20,0:13:13.12,Default,,0000,0000,0000,,of security. Dialogue: 0,0:13:13.12,0:13:16.80,Default,,0000,0000,0000,,ISO 27001 Risk Management Monitor And Dialogue: 0,0:13:16.80,0:13:18.16,Default,,0000,0000,0000,,Review Dialogue: 0,0:13:18.16,0:13:19.92,Default,,0000,0000,0000,,It is important to ensure that any Dialogue: 0,0:13:19.92,0:13:21.84,Default,,0000,0000,0000,,actions you take to address the risks Dialogue: 0,0:13:21.84,0:13:23.76,Default,,0000,0000,0000,,you have identified are monitored and Dialogue: 0,0:13:23.76,0:13:25.52,Default,,0000,0000,0000,,reviewed to ensure that they have the Dialogue: 0,0:13:25.52,0:13:27.20,Default,,0000,0000,0000,,desired effect. Dialogue: 0,0:13:27.20,0:13:29.52,Default,,0000,0000,0000,,Part of the monitor and review process Dialogue: 0,0:13:29.52,0:13:31.84,Default,,0000,0000,0000,,should also include a review of context Dialogue: 0,0:13:31.84,0:13:33.28,Default,,0000,0000,0000,,before the risk assessment is Dialogue: 0,0:13:33.28,0:13:34.72,Default,,0000,0000,0000,,reperformed. 
Dialogue: 0,0:13:34.72,0:13:37.80,Default,,0000,0000,0000,,This will allow you to identify and take Dialogue: 0,0:13:37.80,0:13:38.96,Default,,0000,0000,0000,,into consideration any changes that may Dialogue: 0,0:13:38.96,0:13:41.28,Default,,0000,0000,0000,,have happened, either internally within Dialogue: 0,0:13:41.28,0:13:43.68,Default,,0000,0000,0000,,your organization or externally such as Dialogue: 0,0:13:43.68,0:13:46.24,Default,,0000,0000,0000,,changes in legislation or changes to the Dialogue: 0,0:13:46.24,0:13:48.88,Default,,0000,0000,0000,,threat environment. Thus, you are able to Dialogue: 0,0:13:48.88,0:13:51.04,Default,,0000,0000,0000,,identify if risks that have previously Dialogue: 0,0:13:51.04,0:13:53.44,Default,,0000,0000,0000,,been identified are getting worse or Dialogue: 0,0:13:53.44,0:13:55.76,Default,,0000,0000,0000,,hopefully better. And you will also be Dialogue: 0,0:13:55.76,0:13:58.56,Default,,0000,0000,0000,,able to identify any new risks. Dialogue: 0,0:13:58.56,0:14:02.40,Default,,0000,0000,0000,,ISO 27001 Risk Assessment Frequency Dialogue: 0,0:14:02.40,0:14:04.16,Default,,0000,0000,0000,,Risk management and therefore risk Dialogue: 0,0:14:04.16,0:14:06.96,Default,,0000,0000,0000,,assessment is an iterative process Dialogue: 0,0:14:06.96,0:14:08.72,Default,,0000,0000,0000,,and each iteration should take into Dialogue: 0,0:14:08.72,0:14:10.80,Default,,0000,0000,0000,,consideration lessons learned from the Dialogue: 0,0:14:10.80,0:14:13.28,Default,,0000,0000,0000,,previous iteration and should take into Dialogue: 0,0:14:13.28,0:14:15.68,Default,,0000,0000,0000,,consideration any internal or external Dialogue: 0,0:14:15.68,0:14:18.08,Default,,0000,0000,0000,,changes thus enabling continual Dialogue: 0,0:14:18.08,0:14:19.36,Default,,0000,0000,0000,,improvement. 
Dialogue: 0,0:14:19.36,0:14:21.28,Default,,0000,0000,0000,,There is no hard and fast rule on the Dialogue: 0,0:14:21.28,0:14:23.68,Default,,0000,0000,0000,,frequency of risk assessment but URM Dialogue: 0,0:14:23.68,0:14:25.84,Default,,0000,0000,0000,,recommends that the frequency is no less Dialogue: 0,0:14:25.84,0:14:27.44,Default,,0000,0000,0000,,than annual. Dialogue: 0,0:14:27.44,0:14:29.28,Default,,0000,0000,0000,,This does not necessarily mean that you Dialogue: 0,0:14:29.28,0:14:31.12,Default,,0000,0000,0000,,should set aside a certain amount of Dialogue: 0,0:14:31.12,0:14:33.12,Default,,0000,0000,0000,,time at a certain point in the year to Dialogue: 0,0:14:33.12,0:14:35.44,Default,,0000,0000,0000,,conduct a risk assessment, although of Dialogue: 0,0:14:35.44,0:14:37.92,Default,,0000,0000,0000,,course you can do this if you wish. Dialogue: 0,0:14:37.92,0:14:40.08,Default,,0000,0000,0000,,It just means that each time 12 months Dialogue: 0,0:14:40.08,0:14:42.16,Default,,0000,0000,0000,,has elapsed, you should aim to have Dialogue: 0,0:14:42.16,0:14:44.48,Default,,0000,0000,0000,,completed the next iteration. Dialogue: 0,0:14:44.48,0:14:46.64,Default,,0000,0000,0000,,So you could spread the workload over Dialogue: 0,0:14:46.64,0:14:48.72,Default,,0000,0000,0000,,the 12-month period by performing Dialogue: 0,0:14:48.72,0:14:50.96,Default,,0000,0000,0000,,smaller risk assessments on a subset of Dialogue: 0,0:14:50.96,0:14:53.92,Default,,0000,0000,0000,,areas at more frequent intervals if this Dialogue: 0,0:14:53.92,0:14:56.16,Default,,0000,0000,0000,,is more manageable. 
Dialogue: 0,0:14:56.16,0:14:59.20,Default,,0000,0000,0000,,ISO 27001 Risk Management Dialogue: 0,0:14:59.20,0:15:00.96,Default,,0000,0000,0000,,Governance Dialogue: 0,0:15:00.96,0:15:03.20,Default,,0000,0000,0000,,Throughout the risk management process, Dialogue: 0,0:15:03.20,0:15:05.12,Default,,0000,0000,0000,,you need to ensure that you communicate Dialogue: 0,0:15:05.12,0:15:07.84,Default,,0000,0000,0000,,effectively with any interested parties. Dialogue: 0,0:15:07.84,0:15:10.48,Default,,0000,0000,0000,,It may be useful to put together a RACI Dialogue: 0,0:15:10.48,0:15:13.44,Default,,0000,0000,0000,,(RACI) to help you with this, as all the Dialogue: 0,0:15:13.44,0:15:15.36,Default,,0000,0000,0000,,way through the process different people Dialogue: 0,0:15:15.36,0:15:17.84,Default,,0000,0000,0000,,will need to be held responsible, some Dialogue: 0,0:15:17.84,0:15:20.00,Default,,0000,0000,0000,,will need to be held accountable, some Dialogue: 0,0:15:20.00,0:15:21.84,Default,,0000,0000,0000,,will need to be consulted in order to Dialogue: 0,0:15:21.84,0:15:23.44,Default,,0000,0000,0000,,identify all of the pertinent Dialogue: 0,0:15:23.44,0:15:25.52,Default,,0000,0000,0000,,information we need to perform an Dialogue: 0,0:15:25.52,0:15:27.76,Default,,0000,0000,0000,,effective risk assessment, and some Dialogue: 0,0:15:27.76,0:15:30.00,Default,,0000,0000,0000,,people, for example, the management team, Dialogue: 0,0:15:30.00,0:15:31.76,Default,,0000,0000,0000,,will need to be informed through Dialogue: 0,0:15:31.76,0:15:35.68,Default,,0000,0000,0000,,effective reporting of your risk status. 
Dialogue: 0,0:15:35.68,0:15:38.96,Default,,0000,0000,0000,,ISO 27001 Risk Management Policy and Dialogue: 0,0:15:38.96,0:15:40.56,Default,,0000,0000,0000,,Process Dialogue: 0,0:15:40.56,0:15:42.96,Default,,0000,0000,0000,,As with all key processes associated Dialogue: 0,0:15:42.96,0:15:45.76,Default,,0000,0000,0000,,with an effective ISMS, it is a good idea Dialogue: 0,0:15:45.76,0:15:48.40,Default,,0000,0000,0000,,to implement a risk management policy. Dialogue: 0,0:15:48.40,0:15:50.08,Default,,0000,0000,0000,,This enables you to set the risk Dialogue: 0,0:15:50.08,0:15:52.72,Default,,0000,0000,0000,,management and risk assessment criteria, Dialogue: 0,0:15:52.72,0:15:55.20,Default,,0000,0000,0000,,appetite and roles and responsibilities Dialogue: 0,0:15:55.20,0:15:57.28,Default,,0000,0000,0000,,out within a document that everyone is Dialogue: 0,0:15:57.28,0:15:59.04,Default,,0000,0000,0000,,required to implement throughout the Dialogue: 0,0:15:59.04,0:16:00.64,Default,,0000,0000,0000,,business. Dialogue: 0,0:16:00.64,0:16:02.48,Default,,0000,0000,0000,,This should, of course, be underpinned by Dialogue: 0,0:16:02.48,0:16:05.04,Default,,0000,0000,0000,,the risk management methodology and any Dialogue: 0,0:16:05.04,0:16:07.68,Default,,0000,0000,0000,,required documented processes to enable Dialogue: 0,0:16:07.68,0:16:09.28,Default,,0000,0000,0000,,risk management to be embedded Dialogue: 0,0:16:09.28,0:16:12.08,Default,,0000,0000,0000,,throughout the organization. Dialogue: 0,0:16:12.08,0:16:15.04,Default,,0000,0000,0000,,So how can URM help? Dialogue: 0,0:16:15.04,0:16:17.20,Default,,0000,0000,0000,,URM can offer a range of information Dialogue: 0,0:16:17.20,0:16:19.68,Default,,0000,0000,0000,,risk management consultancy and training Dialogue: 0,0:16:19.68,0:16:22.64,Default,,0000,0000,0000,,services, most notably our accredited Dialogue: 0,0:16:22.64,0:16:24.72,Default,,0000,0000,0000,,five-day practitioner certificate in Dialogue: 
0,0:16:24.72,0:16:26.56,Default,,0000,0000,0000,,information risk management training Dialogue: 0,0:16:26.56,0:16:27.52,Default,,0000,0000,0000,,course. Dialogue: 0,0:16:27.52,0:16:30.24,Default,,0000,0000,0000,,In addition, URM has also developed an Dialogue: 0,0:16:30.24,0:16:32.40,Default,,0000,0000,0000,,information risk management module, Dialogue: 0,0:16:32.40,0:16:36.00,Default,,0000,0000,0000,,Abriska 27001, especially to meet the Dialogue: 0,0:16:36.00,0:16:38.32,Default,,0000,0000,0000,,risk assessment requirements of ISO Dialogue: 0,0:16:38.32,0:16:40.16,Default,,0000,0000,0000,,27001. Dialogue: 0,0:16:40.16,0:16:42.72,Default,,0000,0000,0000,,For more information, email us or give us Dialogue: 0,0:16:42.72,0:16:45.80,Default,,0000,0000,0000,,a call.