BS ISO/IEC 27005 Information technology — Security techniques — Information security risk management
The effectiveness of the risk treatment depends on the results of the risk assessment. Note that risk treatment involves a cyclical process of:
• assessing a risk treatment;
• deciding whether residual risk levels are acceptable;
• generating a new risk treatment if risk levels are not acceptable; and
• assessing the effectiveness of that treatment.

It is possible that the risk treatment will not immediately lead to an acceptable level of residual risk. In this situation, another iteration of the risk assessment, with changed context parameters (e.g. risk assessment, risk acceptance or impact criteria) if necessary, may be required, followed by further risk treatment (see Figure 2, Risk Decision Point 2).
The risk acceptance activity has to ensure that residual risks are explicitly accepted by the managers of the organization. This is especially important in a situation where the implementation of controls is omitted or postponed, e.g. due to cost.

During the whole information security risk management process it is important that risks and their treatment are communicated to the appropriate managers and operational staff. Even before the treatment of the risks, information about identified risks can be very valuable for managing incidents and may help to reduce potential damage. Awareness by managers and staff of the risks, of the nature of the controls in place to mitigate the risks and of the areas of concern to the organization assists in dealing with incidents and unexpected events in the most effective manner. The detailed results of every activity of the information security risk management process and from the two risk decision points should be documented.

ISO/IEC 27001 specifies that the controls implemented within the scope, boundaries and context of the ISMS need to be risk based. The application of an information security risk management process can satisfy this requirement. There are many approaches by which the process can be successfully implemented in an organization. The organization should use whatever approach best suits its circumstances for each specific application of the process.
In an ISMS, establishing the context, risk assessment, developing the risk treatment plan and risk acceptance are all part of the "plan" phase. In the "do" phase of the ISMS, the actions and controls required to reduce the risk to an acceptable level are implemented according to the risk treatment plan. In the "check" phase of the ISMS, managers will determine the need for revisions of the risk assessment and risk treatment in the light of incidents and changes in circumstances. In the "act" phase, any actions required, including additional application of the information security risk management process, are performed. The following table summarizes the information security risk management activities relevant to the four phases of the ISMS process:
7 Context establishment

7.1 General considerations

Input: All information about the organization relevant to the information security risk management context establishment.

Action: The external and internal context for information security risk management should be established, which involves setting the basic criteria necessary for information security risk management (7.2), defining the scope and boundaries (7.3), and establishing an appropriate organization operating the information security risk management (7.4).