ISO/IEC 17799 and ISO/IEC 27001 are predicated on risk assessment. You cannot escape this: it is one of the working documents required for certification. Moreover, the SOA (Statement of Applicability) is "based on the results and conclusions of the risk assessment and risk treatment process", and so the risk assessment must be relevant to the SOA. It must also be relevant to your business, or else the ISO/IEC 17799 controls that you adopt will not be!

Not sure how to start...

Your response: ask Gamma to help you perform your risk assessment.

We will help you to perform your risk assessment and teach you how to do it at the same time, so that you can make the risk management decisions and maintain the risk assessment in the future. We will also ensure that we identify the significant business risks, particularly those concerned with the business applications, and not just the usual risks concerned with IT platforms and networks. This is especially important from a corporate governance perspective.

There are a variety of risk assessment tools that you can use (e.g. we have used CRAMM, Expert, RA and Riskwatch), but by far the best approach is the Brewer-List "Tell it like a story" method. In this approach we start by identifying appropriate events. For each event (and we prefer to work with sets of events) we then:

Our results are presented in a Brewer-List Risk Treatment Plan. Note that this method does not only apply to information security. Use it to determine all forms of risk: quality, business continuity, health and safety, financial, etc.

Your next move: take a look at a page from our Template IMS to see an example (the Template IMS will open up in a new window; please then navigate to the Risk Treatment Plan pages and select ES3) and then ... simply contact David Brewer. Why not do it now!
16 March, 2008