Risk analysis process
At the moment, I have a query. In my experience, risk analysis is a process that takes a long time to implement in companies (in some cases 3 years to complete the first cycle). And, as we know, once it starts it never ends. In this regard, what level of initial risk analysis do you recommend, taking into account that generally an organization wants to implement the security policy as soon as possible?
ISO 27001 does not prescribe how long an organization should take to implement the risk management process, so this time is defined by each organization to fit its needs, but from our experience 3 years is far too long for the risk assessment to be performed. For small companies of up to 50 employees it should be finished within a week or two; for a company of approximately 200 employees this generally takes a couple of weeks; and for a company of 500 employees, approximately 4 weeks.
This is generally achieved by implementing the risk management process with a simple approach. In case you need something more complex, you should consider this more complex implementation later in the process, so people can become used to the concept of risk management and you can identify risks faster.
For example, you can start risk analysis with a qualitative approach (mostly based on perceptions, easier to understand, quicker to perform, but less accurate), and after that move to your more complex approach.
These articles will provide you with a further explanation about risk identification:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- ISO 27001 risk assessment: How to match assets, threats, and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
- How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
Apr 29, 2020