Risk Assessment is a key requirement for demonstrating successful compliance with several legal as well as management standards. In some standards it is an explicit requirement, and in others it is implicit. These include ISO 27001, BS 25999, ISO 20000, COBIT, COSO, PCI-DSS, GLBA, HIPAA and SAS 70/SSAE 16, to name a few. Below is a simple explanation of the tasks in each of the four phases.
Scope of Assessment
This phase determines the business areas, departments and services for which you wish to perform the risk assessment. It can even focus on a few assets, such as key personnel, locations, applications, physical infrastructure or external service providers (not an exhaustive list). It can cover ‘static’ situations and/or ‘dynamic’ situations across the business lifecycle. The scope of the assessment can be based on assets and/or on threats.
Initial Risk Assessment
In this phase you analyse the threats, business impacts, vulnerabilities and probabilities, and arrive at a risk value. In doing so you identify the existing controls and any new vulnerabilities. The vulnerabilities are then listed for management approval and for implementation of the agreed controls.
Control Implementation
In this phase you allocate responsibility for implementing these controls and monitor their successful implementation. You track whether each vulnerability has reached its desired closure objective.
Revised Risk Assessment
Only upon successful closure, when you have evidence of that closure, can you revisit the items and re-evaluate their initial risk values.
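The four phases above, carried through as a small risk register in Python. This is an added example and not part of the original article: it assumes a qualitative 1 to 5 scale for likelihood and impact, a risk value of likelihood multiplied by impact, and sample assets, threats and controls that are constructed for illustration. The point it makes concrete is the last phase's rule: a revised risk value is refused until every assigned control has evidenced closure.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed scoring convention (not from the article): likelihood and impact
# are rated 1..5 and the risk value is their product.
LEVELS = range(1, 6)


@dataclass
class Control:
    name: str
    owner: str                      # phase 3: who is responsible for implementation
    closed: bool = False
    evidence: Optional[str] = None  # reference to proof of closure (ticket, audit report)


@dataclass
class RiskItem:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    controls: List[Control] = field(default_factory=list)
    initial_risk: Optional[int] = None
    revised_risk: Optional[int] = None


def score(likelihood: int, impact: int) -> int:
    """Risk value under the assumed likelihood x impact convention."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError("likelihood and impact must be on the 1..5 scale")
    return likelihood * impact


def select_scope(register: List[RiskItem], assets: List[str]) -> List[RiskItem]:
    """Phase 1: keep only the items whose asset is inside the agreed scope."""
    return [item for item in register if item.asset in assets]


def initial_assessment(register: List[RiskItem]) -> List[RiskItem]:
    """Phase 2: compute and record the initial risk value of every item."""
    for item in register:
        item.initial_risk = score(item.likelihood, item.impact)
    return register


def close_control(control: Control, evidence: str) -> None:
    """Phase 3: a control counts as closed only when evidence is recorded."""
    if not evidence:
        raise ValueError("closure requires evidence")
    control.closed = True
    control.evidence = evidence


def revise(item: RiskItem, new_likelihood: int, new_impact: int) -> int:
    """Phase 4: re-evaluate only when every control has evidenced closure."""
    pending = [c.name for c in item.controls if not (c.closed and c.evidence)]
    if pending:
        raise RuntimeError(f"cannot revise {item.asset}: controls without evidenced closure: {pending}")
    item.revised_risk = score(new_likelihood, new_impact)
    return item.revised_risk


def run_example() -> dict:
    """Walk one constructed item through all four phases and report the outcome."""
    # Constructed register: a payment database and an out-of-scope test server.
    register = [
        RiskItem("payments-db", "credential theft", "no MFA on admin accounts", 4, 5,
                 controls=[Control("enforce MFA for admins", "IT security"),
                           Control("rotate admin passwords", "DBA team")]),
        RiskItem("test-server", "defacement", "default web page exposed", 2, 1),
    ]
    in_scope = select_scope(register, ["payments-db"])
    initial_assessment(in_scope)
    item = in_scope[0]

    # Revision is refused while a control is still open.
    try:
        revise(item, 2, 5)
        refused_early = False
    except RuntimeError:
        refused_early = True

    for control in item.controls:
        close_control(control, "change ticket CHG-0001 (constructed)")
    revised = revise(item, 2, 5)   # likelihood drops once MFA is in place

    return {"in_scope": len(in_scope), "initial": item.initial_risk,
            "refused_early": refused_early, "revised": revised}


if __name__ == "__main__":
    print(run_example())
```

The `revise` gate is the part worth copying into a real register: it ties the revised value to recorded evidence rather than to a status flag someone could set by hand, which is the distinction the last phase draws.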