JAN 17, 2014
ISO 27001 risk expressed as threats and vulnerabilities
When it comes to risk management, senior management has to decide on the criteria for accepting information security risks and sign them off in a board meeting. Before that meeting, you should prepare an initial Risk Management Framework and a procedure defining how the Risk Assessment will be conducted. If you intend to go for certification, make sure it includes the two things the ISO standard specifically requires: the risk assessment methodology and the risk acceptance criteria.

Risk arises from the combination of a threat (for example, the threat of flooding) and a vulnerability (for example, a building on a floodplain). The risk exists because the threat exploits the vulnerability. Two further factors relate to risk: likelihood and impact. How likely is it that the threat will exploit the vulnerability, and what will the damage or impact be if it does? For the flood example: how likely is a flood, and what is the impact if one occurs? If your business's building sits on a floodplain, the likelihood of a flood may be high; but if that building is only a warehouse, the impact of the flood on information security may be low.

One methodology you could choose for assessing the overall risk level is to multiply impact by likelihood, the product being the risk level. This is just one of the possible risk methodologies for arriving at an overall risk level; you could use your own methodology if it better suits your business.
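The following is an added worked example, not code from the original post or from any ISO publication. It implements the likelihood x impact methodology described above over a small, constructed risk register and applies a risk acceptance criterion of the kind the board would sign off. The 1-5 ordinal scales, the threshold value of 8, and the sample entries are all assumptions chosen for illustration; the post itself does not prescribe them.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Ordinal rating scales (assumed; the post leaves the choice of scale to you).
LIKELIHOOD_SCALE = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT_SCALE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Risk:
    """One row of a risk register: a threat exploiting a vulnerability on an asset."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str  # key of LIKELIHOOD_SCALE
    impact: str      # key of IMPACT_SCALE

    def level(self) -> int:
        """Risk level = likelihood x impact (the multiplicative methodology from the post)."""
        try:
            return LIKELIHOOD_SCALE[self.likelihood] * IMPACT_SCALE[self.impact]
        except KeyError as exc:
            # An unrated or misspelled entry must not silently score as zero risk.
            raise ValueError(f"unknown rating {exc} for asset {self.asset!r}") from exc


def assess(register: List[Risk], acceptance_threshold: int) -> Tuple[List[Risk], List[Risk]]:
    """Split a register into (accepted, needs_treatment) using the risk acceptance
    criterion: a risk is acceptable only if its level is at or below the threshold."""
    accepted = [r for r in register if r.level() <= acceptance_threshold]
    needs_treatment = [r for r in register if r.level() > acceptance_threshold]
    return accepted, needs_treatment


# Constructed sample register following the post's flood example: same threat and
# vulnerability, but the impact depends on what the building holds.
SAMPLE_REGISTER = [
    Risk("warehouse", "flooding", "building on a floodplain", "likely", "minor"),
    Risk("data centre", "flooding", "building on a floodplain", "likely", "severe"),
    Risk("head office", "flooding", "building on high ground", "rare", "major"),
]

# Assumed acceptance criterion signed off by the board.
ACCEPTANCE_THRESHOLD = 8


def report(register: List[Risk], acceptance_threshold: int) -> List[str]:
    """Render one line per risk with its level and whether it needs treatment."""
    lines = []
    for risk in register:
        verdict = "ACCEPT" if risk.level() <= acceptance_threshold else "TREAT"
        lines.append(f"{risk.asset:12} {risk.threat:10} level={risk.level():2d} {verdict}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_REGISTER, ACCEPTANCE_THRESHOLD):
        print(line)
```

The warehouse and data centre share the same threat, vulnerability and likelihood, yet only the data centre exceeds the threshold, which is exactly the point the post makes about impact. The `ValueError` on an unknown rating is deliberate: in a register built from spreadsheets, a blank or misspelled cell should stop the assessment rather than quietly produce a low score.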