Risk = 'effect of uncertainty on objectives' (ISO 31000)
Risk Assessment is both an art and a science. It is the ability to find the loopholes in an existing framework.
Risk assessment plays a key role in every international standard that requires setting up a management system framework. At Coral we have created successful risk assessment and risk management frameworks. These frameworks are the result of our experience with the standards we help implement.
Scope of Assessment
This phase determines the business areas, departments and services for which you wish to perform the risk assessment. It can even focus on a few assets, such as key personnel, locations, applications, physical infrastructure or external service providers (this list is not exhaustive). It can cover 'static' situations and/or 'dynamic' situations in the business lifecycle. The scope of assessment can be based on assets and/or threats.
Initial Risk Assessment
In this phase you analyse the threats, business impacts, vulnerabilities and probabilities, and assess the risk value. In doing so, you identify existing controls and new vulnerabilities. The resulting list of vulnerabilities, and the controls needed to address them, is then submitted for management approval and implementation.
Next, you allocate responsibility for implementing these controls and monitor their implementation. You track whether the vulnerabilities have reached their desired closure objectives.
Revised Risk Assessment
Only once the closures have been completed, and you hold evidence of them, can you revisit and re-evaluate the initial risk values.
Risk Assessment is a key requirement for demonstrating compliance with several legal and management standards, including ISO 27001, Cyber Security, ISO 20000, GDPR, ISO 22301, PCI-DSS, HIPAA, SOC 1, SOC 2, HITRUST and COBIT, to name a few.