Performing Security Risk Analysis
I just have a question on performing Security Risk Analysis. Is doing a security audit and VAPT another way of performing security risk analysis?
I'm assuming that by VAPT you mean "Vulnerability Assessment & Penetration Test".
Considering that, first it is important to note that the purpose of risk analysis is to evaluate risk, quantitatively or qualitatively; that a security audit is used to find out whether security is being performed as planned, or whether the results achieved are those expected; and that VAPT is used to find out whether there are vulnerabilities in your environment that could be exploited.
All of this considered, security audit and VAPT cannot be used for risk analysis, but they can be used for risk identification, because their results can point to situations where information can be compromised (i.e., risks).
These articles will provide you with further explanation about the risk assessment process:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- ISO 27001 risk assessment: How to match assets, threats, and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
These materials will also help you regarding risk assessment:
- The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
Jun 02, 2020