Expert Advice Community

Project risk assessment

Guest user Created:   Mar 09, 2017 Last commented:   Mar 09, 2017

I need to prepare a checklist for project risk assessment. This relates to all projects within the company. Project types can be software development, infrastructure revamping, any new product, hardware, software, or a new application, for instance Skype for Business, etc. The business will involve me from the beginning, so I can properly assess the risks and propose controls accordingly.

Expert
Rhand Leal Mar 09, 2017

I would appreciate it if you could share your experience or assist me in developing the checklist, which should cover all aspects as far as security is concerned.

Answer: Before preparing the checklist, the first thing you have to do is define your risk assessment methodology, so that all the rules and guidance are defined, for example how to assess a risk, what the risk assessment criteria are, and what an unacceptable risk is.

Since you bought our ISO 27001 toolkit, in the document "Risk Assessment Table" you will find sheets called "Categories", "Vulnerabilities" and "Threats", which list possible assets, vulnerabilities and threats you can use as a basis for building a checklist.

Additionally, in the video tutorials that came with your toolkit, you can see examples of how to fill out all the data for risk assessment and risk treatment. This information will also give you insights for building your checklists.

Guest
waqar123 Mar 09, 2017

Thanks for your response. To make it clearer, can you elaborate by taking the example of a Skype for Business project? What would our approach be to make a checklist for assessing the risk of the whole project? I appreciate your response.

Guest
waqar123 Mar 09, 2017

Regarding the methodology, we will go for qualitative.

Expert
Rhand Leal Mar 11, 2017

OK, you have defined qualitative assessment as your methodology, but what about your risk assessment criteria? What is important for you? What would be an unacceptable risk?

Considering your Skype example, confidentiality would for sure be a concern, and for this criterion, considering the categories, threats and vulnerabilities in the Risk Assessment Table, possible risks to be considered could be:

- Low user management capability (Skype users may add people outside the project or talk about project information with them)
- Privacy concerns regarding the license for using Skype
- Information typed into Skype is not under the control of the organization
- The protocols used by Skype do not allow the organization's monitoring tools to verify data traffic, and this can be used both to send information out and to let attacks in through the Skype channel
- Conversations can be recorded without one party being aware of it

These are some risk examples a skilled information security practitioner can raise. The people involved in the qualitative assessment would now evaluate these risks considering probability and impact (the most common criteria used to define the risk value), and compare the results with the value for an unacceptable risk, which you have to define at the beginning, along with the methodology.

Since you bought our ISO 27001 Documentation Toolkit, I suggest you fill in the Risk Assessment and Risk Treatment Methodology template first, so you have in mind all the elements you need to properly assess the risks for your projects.

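The answer above describes the qualitative evaluation step in prose: rate each risk for probability and impact, derive a risk value, and compare it with the unacceptable-risk value fixed in the methodology. The Python below is an added example that encodes that step for the Skype for Business risks listed in the answer; it is not code from the original thread or from the Advisera toolkit. The three-level scales, the acceptance threshold of 4, the asset/threat wording and the likelihood/impact ratings are all assumptions made for illustration.

```python
"""Qualitative risk evaluation for a project risk register.

Added example, not code from the original thread or the ISO 27001 toolkit.
The three-level scales, the acceptance threshold and the ratings of each
Skype for Business risk are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Assumed qualitative scales, mapped to ordinal values so they can be combined.
LIKELIHOOD_SCALE = {"low": 1, "medium": 2, "high": 3}
IMPACT_SCALE = {"low": 1, "medium": 2, "high": 3}

# Assumed acceptance criterion: risk value = likelihood x impact, and anything
# above 4 is unacceptable. The methodology must fix this before assessing.
ACCEPTABLE_RISK_MAX = 4


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    criterion: str       # which property is at stake: "C", "I" or "A"
    likelihood: str      # key of LIKELIHOOD_SCALE
    impact: str          # key of IMPACT_SCALE

    def value(self) -> int:
        """Risk value on the assumed ordinal scale (1..9)."""
        if self.likelihood not in LIKELIHOOD_SCALE or self.impact not in IMPACT_SCALE:
            raise ValueError(f"rating outside the defined scales: {self!r}")
        return LIKELIHOOD_SCALE[self.likelihood] * IMPACT_SCALE[self.impact]

    def is_acceptable(self, threshold: int = ACCEPTABLE_RISK_MAX) -> bool:
        return self.value() <= threshold


def risks_needing_treatment(risks: Iterable[Risk],
                            threshold: int = ACCEPTABLE_RISK_MAX) -> List[Risk]:
    """Risks whose value exceeds the acceptance threshold, highest value first.

    All values are computed up front so that a rating outside the defined
    scale fails the whole run instead of silently dropping one entry.
    """
    scored = [(r.value(), r) for r in risks]
    unacceptable = [r for v, r in scored if v > threshold]
    return sorted(unacceptable, key=lambda r: r.value(), reverse=True)


# Constructed register for the Skype for Business example, built from the
# risks listed in the answer above. The ratings are illustrative, not real data.
SKYPE_REGISTER = [
    Risk("Project chat channels", "Disclosure to people outside the project",
         "Low user management capability", "C", "high", "high"),
    Risk("Conversation content", "Processing by the vendor under the license",
         "Privacy concerns in the license terms", "C", "medium", "medium"),
    Risk("Information typed into Skype", "Loss of control over information",
         "Data is not under the organization's control", "C", "medium", "high"),
    Risk("Network perimeter", "Data exfiltration or inbound attack via Skype",
         "Protocols not inspectable by monitoring tools", "C", "medium", "high"),
    Risk("Conversations", "Covert recording",
         "Recording possible without one party being aware", "C", "low", "high"),
]


def treatment_plan(risks: Iterable[Risk] = SKYPE_REGISTER) -> List[str]:
    """Lines for the risk treatment table: value, vulnerability, threat, criterion."""
    return [f"{r.value()}: {r.vulnerability} -> {r.threat} [{r.criterion}]"
            for r in risks_needing_treatment(risks)]


if __name__ == "__main__":
    for line in treatment_plan():
        print(line)
```

With the assumed ratings, three of the five risks score above the threshold of 4 and go into the treatment table; changing `ACCEPTABLE_RISK_MAX` or the ratings is the "what is an unacceptable risk for you" decision the answer asks the poster to make before assessing anything.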
Guest
waqar123 Mar 11, 2017

Quite clear now. I appreciate your response. Thanks.
