Scribd Logo
Upload

Welcome to Scribd!

  • 172 views

    ISMS Control of Risks and Opportunities

    Uploaded by

    Amine Rached
    This document outlines an organization's procedure for identifying, assessing, and treating information security risks. It describes conducting risk assessments at least annually or when changes occur to identify risks, vulnerabilities, impacts, and risk owners. Risks are analyzed by assessing probability and severity of impacts. A risk index is calculated based on these factors and used to prioritize risks for treatment. Risks with an index over 8 or legal requirements are treated by developing plans to eliminate or lower risks to an acceptable level. Records of the risk assessment and treatment process are maintained.

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd

    ISMS Control of Risks and Opportunities

    Uploaded by

    Amine Rached
    172 views6 pages
    This document outlines an organization's procedure for identifying, assessing, and treating information security risks. It describes conducting risk assessments at least annually or when changes occur to identify risks, vulnerabilities, impacts, and risk owners. Risks are analyzed by assessing probability and severity of impacts. A risk index is calculated based on these factors and used to prioritize risks for treatment. Risks with an index over 8 or legal requirements are treated by developing plans to eliminate or lower risks to an acceptable level. Records of the risk assessment and treatment process are maintained.

    Copyright

    © © All Rights Reserved

    Available Formats

    DOCX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    This document outlines an organization's procedure for identifying, assessing, and treating information security risks. It describes conducting risk assessments at least annually or when changes occur to identify risks, vulnerabilities, impacts, and risk owners. Risks are analyzed by assessing probability and severity of impacts. A risk index is calculated based on these factors and used to prioritize risks for treatment. Risks with an index over 8 or legal requirements are treated by developing plans to eliminate or lower risks to an acceptable level. Records of the risk assessment and treatment process are maintained.

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Download as docx, pdf, or txt
    172 views6 pages

    ISMS Control of Risks and Opportunities

    Uploaded by

    Amine Rached
    This document outlines an organization's procedure for identifying, assessing, and treating information security risks. It describes conducting risk assessments at least annually or when changes occur to identify risks, vulnerabilities, impacts, and risk owners. Risks are analyzed by assessing probability and severity of impacts. A risk index is calculated based on these factors and used to prioritize risks for treatment. Risks with an index over 8 or legal requirements are treated by developing plans to eliminate or lower risks to an acceptable level. Records of the risk assessment and treatment process are maintained.

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Download as docx, pdf, or txt
    You are on page 1of 6

    <Short Name> Information Security Procedure

    Control of Risks and Opportunities

    1 Introduction
    2 Scope
    This procedure sets out <Short Name>’s arrangements for identifying, assessing and
    treating information security risks.

    3 Revision History
    Revision Date Record of Changes Approved By
    0.0 [Date of Issue] Initial Issue

    4 Control of hardcopy versions


    The digital version of this document is the most recent version. It is the responsibility of the
    individual to ensure that any printed version is the most recent version. The printed version
    of this manual is uncontrolled, and cannot be relied upon, except when formally issued by
    the <Document Controller> and provided with a document reference number and revision in
    the fields below:
    Document Ref. Rev. Uncontrolled Copy X Controlled Copy

    5 References
    Standard Title Description
    ISO 27000:2014 Information security management systems Overview and vocabulary
    ISO 27001:2013 Information security management systems Requirements
    ISO 27002:2013 Information technology - security Code of practice for information security
    techniques controls

    6 Terms and Definitions


     “staff” and “users” means all of those who work under our control, including
    employees, contractors, interns etc.

     “we” and “our” refer to <Short Name>

    7 Responsibilities
    The <ISMS Manager> is responsible for all aspects of the implementation and management
    of this procedure, unless noted otherwise.
    Managers and supervisors are responsible for the implementation of this policy, within the
    scope of their responsibilities, and must ensure that all staff under their control understand
    and undertake their responsibilities accordingly.

    Control of Risks and Opportunities Page 1 of 6


    <Short Name> Information Security Procedure

    8 Information security risk assessment


    9 General
    An information security risk review of our entire organisation is undertaken, taking account of
    the established criteria, at periods not exceeding 12 months, or when significant changes are
    proposed or occur.
    The review is undertaken under the direction of the <ISMS Manager>, and draws on both
    internal, and where required, external, expertise.
    Our information security risk assessment process seeks to:

     establish and maintain information security risk criteria that include:


    - the risk acceptance criteria

    - criteria for performing information security risk assessments

     ensure that repeated information security risk assessments produce consistent, valid
    and comparable results

     identify the information security risks which may lead to a potential loss of
    confidentiality, integrity or availability of information

     identify the risk owners

     analyse the information security risks to :


    - assess the potential consequences that would result if the identified risks were to
    materialise
    - assess the realistic likelihood of the occurrence of the identified risks

    - determine the levels of risk

     evaluate the information security risks to:


    - compare the results of risk analysis with the established risk criteria

    - prioritise the analysed risks for risk treatment

    The <ISMS Manager> maintains records of the information security risk assessment process
    and its outcomes.

    10 Risk Identification
    To identify potential information security risks we:

     identify the information assets and the owners of these assets

     identify the risks that might lead to a loss of confidentiality, integrity or availability of
    information

     identify the risk owners

     identify the vulnerabilities that might lead to the risks being realised

    Control of Risks and Opportunities Page 2 of 6


    <Short Name> Information Security Procedure

     identify the assets that are impacted by the risk by way of loss of confidentiality,
    integrity or availability
    The <ISMS Manager> ensures that the findings of the identification process are recorded on
    the ISMS Risk Register.

    11 Risk criteria definition


    The following factors are considered when defining risk criteria:

     the nature and types of the causes and consequences that can occur and how they
    will be measured

     how likelihood will be defined

     the timeframe(s) of the likelihood and/or consequence(s)

     how the level of risk is to be determined

     the views of stakeholders

     the level at which risk becomes acceptable or tolerable

     whether combinations of risks should be taken into account and, if so, how and which
    combinations should be considered
    These factors are bought together in the comparison of a Risk Index score with a risk
    treatment threshold, see 3.3 below.

    12 Risk Assessment
    13 General
    We have adopted a straightforward risk assessment methodology that we consider to be
    well suited to both this information security management system and the identified business
    and regulatory information security requirements.
    We have developed our criteria for accepting risks and identifying the acceptable levels of
    risk and expect our adopted methodology will comparable and reproducible results.

    14 Analysis and evaluation of the risks


    To analyse and evaluate the risks we:

     assess the severity of the impacts that might result from security failures, taking into
    account the consequences of loss of confidentiality, integrity or availability of the
    assets

     assess the realistic probability of security failures occurring in the light of prevailing
    threats and vulnerabilities, the impacts associated with these assets, and the controls
    currently implemented

     assess the controllability of the impact

     take into account the overriding nature of regulatory issues

     estimate the levels of risk expressed as a numerical Risk Index

    Control of Risks and Opportunities Page 3 of 6


    <Short Name> Information Security Procedure

     using our criteria for accepting risks, determine whether the risks are acceptable or
    require treatment

     prioritise the analysed risks for risk treatment


    We calculate the Risk Index as below:
    Risk Index (RI) = Severity Score x Probability Score x Controllability Score
    Scoring Guidelines
    Score Severity Probability Controllability
    1 Minor Very unlikely Essentially avoidable through mitigation actions
    2 Moderate Somewhat likely Highly controllable through actions
    3 Significant 50/50 Chance Moderately controllable through actions
    4 Very Highly likely Largely uncontrollable
    significant
    5 Disastrous Almost certain Uncontrollable

    15 Our criteria for accepting risks


    An identified risk is considered to be to be acceptable / tolerable where the Risk Index is less
    than 9 and there is no legal requirement.
    Where the Risk Index is greater than 8, or there is a legal requirement, the identified risk is
    to be reduced through risk treatment.
    The <ISMS Manager> may re-categorise an identified risk, from no treatment to treatment,
    based on additional significant criteria, such as reputational damage or overriding
    stakeholder concern.
    The <ISMS Manager> ensures that the records of evaluation are recorded on the ISMS Risk
    Assessment Worksheet and prioritises the analysed risks on the basis of Risk Index for risk
    treatment.
    The trigger level of 9 is clearly a matter of judgement. You may have good reason to adjust
    the above trigger level, but whatever trigger you use should be consistently applied across
    all information security aspects. You may also wish to add further ‘triggers’ for risk treatment,
    such as any one of the four factors being >=5 leading to risk treatment.
    However much ‘science’ the final classification will always require sound judgement, so
    employ a broad and knowledgeable team to decide on impact classifications and the need
    for risk treatment.

    16 Risk Treatment
    17 General
    Based on the steps involved in risk treatment as set out below, the <ISMS Manager>
    consults with the risk owner and the owner of the information assets, as well as with those
    with expert knowledge if necessary, to agree appropriate methods to eliminate or lower the
    risk to an acceptable level.
    Based on the outcome of this consultation, the <ISMS Manager> ensures that an ISMS Risk
    Treatment Plan is prepared, that the ISMS Risk Register, ISMS Risk Worksheet are
    maintained and that the ISMS Risk Treatment Plan is executed according to its priority.

    Control of Risks and Opportunities Page 4 of 6


    <Short Name> Information Security Procedure

    18 Steps involved in risk treatment


    18.1.1 Select appropriate risk treatment options
    We select appropriate information security risk treatment options, taking account of the risk
    assessment results, including any of the following:

     applying appropriate controls

     knowingly and objectively accepting risks, if they clearly satisfy our policies and the
    criteria for accepting risks

     avoiding risks

     transferring the associated business risks to other parties, e.g. insurers, suppliers

    18.1.2 Determine the necessary controls


    We determine all of the controls and control objectives that are necessary to implement the
    chosen risk treatment.
    We may design the controls as required, or identify them from any source.

    18.1.3 Compare the controls with those in Annex A of ISO/IEC27001:2013


    Using our Information Security Control Checklist, we compare the controls selected with
    those in Annex A of ISO 27001:2013 to verify that no necessary controls have been omitted.
    We recognise that the control objectives and controls listed in this checklist are not
    exhaustive and that additional control objectives and controls may also be required.

    19 Statement of Applicability
    The <ISMS Manager> ensures that an ISMS Statement of Applicability is prepared and
    maintained for the entire scope of our information security management system. The ISMS
    Statement of Applicability provides a summary of decisions concerning risk treatment,
    justifies exclusions and provides a cross-check that no controls have been inadvertently
    omitted.
    The Statement of Applicability includes:

     the control objectives and controls selected, and the reasons for their selection

     the control objectives and controls currently implemented,

     the exclusion of any control objectives and controls in Annex A of ISO27001:2013


    and the justification for their exclusion

     any specific control objectives and controls which we have adopted and which are
    not covered by Annex A of ISO27001:2013, the reason(s) for their adoption, and the
    status of implementation

    20 Risk Treatment Plan


    Based on the above, the <ISMS Manager> ensures that an ISMS Risk Treatment Plan is
    prepared and maintained. The risk treatment plan identifies the appropriate management
    action, resources, responsibilities and priorities for managing information security risks.

    Control of Risks and Opportunities Page 5 of 6


    <Short Name> Information Security Procedure
    Where there is residual risk after risk treatment, those residual risks are also identified and
    recorded in the ISMS Risk Treatment Plan.

    21 Approval
    The <ISMS Manager> is required to obtain formal approval from the risk owners and
    <Senior Management Team> for the ISMS Risk Treatment Plan, including the proposed
    residual risks.

    22 Implementation
    The <ISMS Manager> ensures the implementation of the ISMS Risk Treatment Plan and
    reports on its status at information security management meetings.

    23 Records
    Records retained in support of this procedure are listed in the Controlled ISMS Records
    Register and controlled according to the Control of Management System Records
    Procedure.

    Control of Risks and Opportunities Page 6 of 6

    You might also like

    pFad - Phonifier reborn

    Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

    Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


    Alternative Proxies:

    Alternative Proxy

    pFad Proxy

    pFad v3 Proxy

    pFad v4 Proxy