by The Open University
The risk assessment task is also carried out at unit level, in light of policies set out in Stages 1 to 3 and for the assets identified in Stage 4.1.
Stages 4.2, 4.3 and 4.4: identify the risks
Stage 4.2 determines systematically the possible threats to the assets identified in the asset identification part of the process. (Clause 4.2.1(d)(2))
Stage 4.3 identifies vulnerabilities that might allow those threats to become successful attacks on the assets. (Clause 4.2.1(d)(3))
Stage 4.4 uses the evaluation mechanisms established in Stage 3 to assess the impact of breaches of the assets' security requirements. (Clause 4.2.1(d)(4))
Stage 5: assess the risks
The risks to information assets are assessed using the risk assessment strategy determined in Stage 3. Each breach of security is assigned a level of risk determined by its likelihood and by its impact on the organisation. (Clause 4.2.1(e))
Stage 6: identify and evaluate options for the treatment of risks
The risks have their treatment chosen. The choices are to: accept the risk; avoid the risk; transfer the risk; control the risk. A risk is accepted only if it meets the criteria for risk acceptance defined at Stage 3. If the choice is to avoid a risk or transfer a risk (to another organisation, such as an insurer or subcontractor), a suitable means of avoidance or transfer is identified. Otherwise the choice is to control (i.e. lower) the risk to the asset (by taking measures to reduce the asset's vulnerabilities), in which case the risk is assigned a priority level for treatment. (Clause 4.2.1(f))
Documents generated in the risk assessment task must present evidence that every risk has been assessed, along with a justification for the outcome (acceptance, avoidance, transfer or control) of each individual assessment.
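As an added illustration, not part of the Open University text, the Python below runs a small constructed risk register through Stages 5 and 6: each risk gets a level from likelihood and impact, is tested against the Stage 3 acceptance criterion, is given one of the four treatments, controlled risks are ranked for treatment priority, and one evidence record with a justification is produced per risk, as the documentation requirement above asks. The 1 to 3 scale, the likelihood × impact product, the acceptance threshold and every asset, threat and vulnerability name are assumptions for the example, not values from the course or from the standard.

```python
from dataclasses import dataclass
from typing import Dict, List

# Added illustration of Stages 5 and 6. The scoring scale, thresholds and the
# sample register are constructed assumptions, not taken from the source text.

SCALE = (1, 2, 3)  # 1 = low, 2 = medium, 3 = high (assumed scale)


@dataclass(frozen=True)
class Policy:
    """Stage 3 outputs: risk assessment strategy and acceptance criteria (assumed shape)."""
    accept_at_or_below: int = 2                      # acceptance criterion on the risk level
    transferable_threats: frozenset = frozenset()    # threats covered by insurer/subcontractor
    avoidable_assets: frozenset = frozenset()        # assets that can be retired instead of protected


@dataclass(frozen=True)
class Risk:
    asset: str          # Stage 4.1 asset
    threat: str         # Stage 4.2 threat
    vulnerability: str  # Stage 4.3 vulnerability the threat could exploit
    impact: int         # Stage 4.4 impact of the breach, on SCALE
    likelihood: int     # Stage 5 likelihood, on SCALE

    def __post_init__(self):
        # Reject out-of-scale inputs so a typo cannot silently produce a wrong level.
        for name in ("impact", "likelihood"):
            if getattr(self, name) not in SCALE:
                raise ValueError(f"{name} must be one of {SCALE}")

    @property
    def score(self) -> int:
        """Stage 5: risk level from likelihood and impact (product, 1..9)."""
        return self.likelihood * self.impact


def choose_treatment(risk: Risk, policy: Policy) -> str:
    """Stage 6: accept only when the Stage 3 criterion is met; otherwise avoid or
    transfer when a suitable means exists; else control the risk."""
    if risk.score <= policy.accept_at_or_below:
        return "accept"
    if risk.asset in policy.avoidable_assets:
        return "avoid"
    if risk.threat in policy.transferable_threats:
        return "transfer"
    return "control"


def _justify(r: Risk, treatment: str, policy: Policy) -> str:
    base = f"likelihood {r.likelihood} x impact {r.impact} = risk level {r.score}"
    if treatment == "accept":
        return f"{base}; within acceptance criterion (<= {policy.accept_at_or_below})"
    if treatment == "avoid":
        return f"{base}; exceeds criterion, asset '{r.asset}' can be retired"
    if treatment == "transfer":
        return f"{base}; exceeds criterion, threat '{r.threat}' is covered by a third party"
    return f"{base}; exceeds criterion, no avoidance or transfer available, reduce vulnerability"


def assess(risks: List[Risk], policy: Policy) -> List[Dict]:
    """Produce one evidence record per risk; controlled risks get priority 1 for
    the highest level, 2 for the next, and so on."""
    records = []
    for r in risks:
        treatment = choose_treatment(r, policy)
        records.append({
            "asset": r.asset, "threat": r.threat, "vulnerability": r.vulnerability,
            "likelihood": r.likelihood, "impact": r.impact, "risk_level": r.score,
            "treatment": treatment, "priority": None,
            "justification": _justify(r, treatment, policy),
        })
    controlled = sorted((rec for rec in records if rec["treatment"] == "control"),
                        key=lambda rec: -rec["risk_level"])
    for rank, rec in enumerate(controlled, start=1):
        rec["priority"] = rank
    return records


def every_risk_assessed(risks: List[Risk], records: List[Dict]) -> bool:
    """Documentation check: exactly one justified record exists for each risk."""
    return len(records) == len(risks) and all(rec["justification"] for rec in records)


# Constructed sample register and policy (illustrative names only).
POLICY = Policy(accept_at_or_below=2,
                transferable_threats=frozenset({"laptop theft"}),
                avoidable_assets=frozenset({"legacy FTP server"}))
REGISTER = [
    Risk("customer database", "SQL injection", "unvalidated web input", impact=3, likelihood=3),
    Risk("customer database", "disk failure", "single unmirrored disk", impact=3, likelihood=2),
    Risk("field laptops", "laptop theft", "unencrypted drives", impact=3, likelihood=2),
    Risk("legacy FTP server", "credential sniffing", "cleartext protocol", impact=2, likelihood=3),
    Risk("public brochure PDF", "web defacement", "weak CMS password", impact=1, likelihood=2),
]

if __name__ == "__main__":
    for rec in assess(REGISTER, POLICY):
        print(f"{rec['asset']:<20} {rec['treatment']:<9} prio={rec['priority']}  {rec['justification']}")
```

The order of the checks in `choose_treatment` mirrors the text: acceptance is tested first against the Stage 3 criterion, avoidance and transfer are used only when a means exists, and control is the fallback that carries a priority.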
Original Copyright © 2007 The Open University. Now made available within the Creative Commons framework under the CC Attribution – Non-commercial licence (see http://creativecommons.org/by-nc-sa/2.0/uk/).