Although risk assessment and treatment is a complex job, we will summarize it in these 6 basic steps:
- ISO 27001 risk assessment methodology: You need to define rules for how you are going to perform the risk assessment (how risks are identified and scored, and what level of risk you are willing to accept) to ensure that the whole organization does it the same way and that repeated assessments give consistent, comparable results.
- Risk assessment implementation: Once you know the rules, you can start identifying the potential problems that could arise, and determining which ones are unacceptable and must be treated – you need to identify, analyze, and evaluate the risks.
- Risk treatment implementation: This is where you need to get creative and figure out how to decrease the unacceptable risks with minimal investment. For each risk you decide whether to reduce it with controls, avoid the activity that causes it, share it (for example through insurance or outsourcing), or accept it as it is. It is possible to achieve the same result with less money – and this paper will show you ways to do just that.
- ISMS Risk Assessment Report: Unlike the previous steps, this one is quite boring – you need to document everything you’ve done so far. You aren’t only doing this for the auditors; you may want to check out these results for yourself in a year or two.
- Statement of Applicability: This document summarizes the results of the risk treatment: for every control in Annex A it states whether the control applies, why it was included or excluded, and whether it has been implemented. It is very important because the certification auditor will use it as the main guideline for the audit.
- Risk Treatment Plan: This is the step where you must move from theory to practice, going from a purely theoretical job to showing some concrete results. You’ll need to define exactly who is going to implement each control, in what timeframe, within what budget, etc.
More to follow ……