Information Security Risk Management

Global Security Network provides Information Security Risk Management services based on best practices and international standards like ISO/IEC 27001:2005 and ISO/IEC 27005:2008

What is Risk Management?

Risk Management consists of the overall processes of identifying risk, assessing risk, and taking steps to reduce risks to an acceptable level for the organization. Risk Management allows managers to balance the operational & economic costs of protective measures and achieve gains in the organization's mission capability.

Risk Management is a continuous cycle that covers the processes of identification of assets, threats & vulnerabilities, risk assessment, risk treatment, risk communication, risk treatment monitoring and risk review.

What is ISO/IEC 27005:2008?

ISO/IEC 27005:2008 provides guidelines for information security risk management. It supports the general concepts specified in ISO/IEC 27001:2005 and is designed to assist the satisfactory implementation of information security based on a risk management approach.

ISO/IEC 27005:2008 is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) which intend to manage risks that could compromise the organization's information security.

Risk Management Activities

• Definition of scope for risk management
• Review/definition of information security policy
• Definition of risk acceptance criteria
• Determination of acceptable level of risk for the organization
• Identification of assets within scope of security policy
• Determination of asset ownership and valuation
• Sensitivity classification of information assets
• Identification of internal and external threats to the assets
• Identification of vulnerabilities pertaining to assets
• Technical vulnerability assessment & penetration testing on IT based assets
• Asset and Business impact analysis due to potential risk
• Estimation of risk likelihood/probability
• Estimation of significance of risk
• Selection of Risk treatment options
• Selection of controls
• Establishment of risk communication mechanisms
• Monitoring of risk treatment measures
• Monitoring of residual risk and security incidents
• Review of factors affecting impact and likelihood of risk

 

Tel: +971 2 667 4782 | Email: infosec@gsn.ae | Connect with us on

© 2012 Global Security Network | All rights reserved.