Risk assessment
Answer: Regardless of the target of the assessment, proper risk assessment methods have these things in common:
- they define the elements that will be under risk and need assessment (in the case of ISO 27001, these elements are information confidentiality, integrity and/or availability)
- they define how to identify risk owners (those who are responsible for risk treatment)
- they define clear criteria for risk assessment (normally by assessing the consequences and likelihood of the risk)
- they define how the risk is calculated
- they define criteria for accepting risks
So, any method you choose that has these five characteristics will fit your needs. For information about risk assessment methodologies, please see this article: How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
The most common method is the qualitative assessment, and for that you can see an example in this article:
How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
Another method that you can consider is the quantitative assessment, and for that you can see more information in this article: Qualitative vs. quantitative risk assessments in information security: Differences and similarities https://advisera.com/27001academy/blog/2017/03/06/qualitative-vs-quantitative-risk-assessments-in-information-security/
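The five characteristics listed in the answer above can be made concrete in a small risk register. The following is an added example, not code from the answer or from Advisera: the 1..5 likelihood and consequence scales, the acceptance threshold, the asset names and the monetary figures are all constructed assumptions, and the quantitative part uses the common ALE = SLE x ARO formulation rather than anything the article prescribes.

```python
"""Worked example: a minimal ISO 27001-style risk register.

Maps the five characteristics of a risk assessment method onto code:
  - elements under risk: confidentiality, integrity, availability (CIA)
  - risk owner: the person responsible for treating the risk
  - assessment criteria: likelihood and consequence on a 1..5 scale (assumed)
  - risk calculation: score = likelihood x consequence
  - acceptance criteria: scores at or below ACCEPTANCE_THRESHOLD are accepted
Added illustration; all scales, names and numbers are constructed assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class CIA(Enum):
    """The elements under risk in an ISO 27001 assessment."""
    CONFIDENTIALITY = "confidentiality"
    INTEGRITY = "integrity"
    AVAILABILITY = "availability"


# Assumed qualitative scales; ISO 27001 does not prescribe the levels or labels.
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
CONSEQUENCE = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}

# Assumed acceptance criterion: risk scores of 6 or lower are accepted without treatment.
ACCEPTANCE_THRESHOLD = 6


@dataclass(frozen=True)
class Risk:
    asset: str
    cia: CIA              # which property of the information is at risk
    scenario: str         # threat exploiting a vulnerability
    owner: str            # risk owner: accountable for risk treatment
    likelihood: int
    consequence: int

    def __post_init__(self):
        # Reject values outside the agreed scales so the register stays comparable.
        if self.likelihood not in LIKELIHOOD or self.consequence not in CONSEQUENCE:
            raise ValueError("likelihood and consequence must be on the 1..5 scale")

    @property
    def score(self) -> int:
        """Qualitative risk level: likelihood x consequence."""
        return self.likelihood * self.consequence

    @property
    def accepted(self) -> bool:
        """Acceptance criterion applied to the calculated risk."""
        return self.score <= ACCEPTANCE_THRESHOLD


def treatment_queue(register):
    """Risks failing the acceptance criterion, highest score first (ties by consequence)."""
    return sorted(
        (r for r in register if not r.accepted),
        key=lambda r: (r.score, r.consequence),
        reverse=True,
    )


def annual_loss_expectancy(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Quantitative view: ALE = SLE x ARO, with SLE = asset value x exposure factor (0..1)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor is a fraction of the asset value")
    return asset_value * exposure_factor * aro


def control_is_justified(ale_before: float, ale_after: float, annual_control_cost: float) -> bool:
    """A control is cost-justified when the ALE it removes exceeds its yearly cost."""
    return (ale_before - ale_after) > annual_control_cost


# Constructed register; assets, owners and ratings are illustrative only.
REGISTER = [
    Risk("customer database", CIA.CONFIDENTIALITY,
         "disclosure via unpatched web application", "Head of IT", 4, 5),
    Risk("customer database", CIA.AVAILABILITY,
         "ransomware on the file server", "Head of IT", 3, 4),
    Risk("HR contracts", CIA.INTEGRITY,
         "unauthorised modification by staff", "HR Manager", 2, 3),
    Risk("printer log sheets", CIA.CONFIDENTIALITY,
         "paper logs read by visitors", "Facilities", 2, 1),
]

if __name__ == "__main__":
    for r in treatment_queue(REGISTER):
        print(f"score={r.score:>2} {r.cia.value:<15} {r.asset:<20} owner={r.owner}")
    # Assumed figures: a 500k asset, 40% loss per incident, one incident every two years.
    before = annual_loss_expectancy(500_000, 0.4, aro=0.5)
    after = annual_loss_expectancy(500_000, 0.4, aro=0.1)   # control cuts frequency to 1 in 10 years
    print("ALE before:", before, "after:", after,
          "control at 30k/year justified:", control_is_justified(before, after, 30_000))
```

Only the two highest-scoring risks (20 and 12) fail the acceptance criterion and reach the treatment queue; the HR and printer risks (6 and 2) are accepted. The quantitative part shows the point the third linked article makes: the same scenario expressed as money (ALE 100,000 before, 20,000 after) lets you compare the risk reduction directly against the cost of the control.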
2 - What are the attributes for selecting risk assessment tools, and what are the best risk assessment techniques needed in such critical infrastructure, especially for mitigating an insider threat, given that insider threat is one of the biggest problems faced by the nuclear industry today?
Answer: For attributes to select a risk assessment tool, you can consider the guidance of ISO 31010, the ISO standard on risk assessment techniques. This standard defines 4 requirements for evaluating a tool:
- Resources required to perform the assessment in terms of time to perform, expert knowledge, data gathering and cost
- Complexity of the problem or situation to be assessed, as well as the specific methods required to be used
- The level of uncertainty that can be accepted
- Whether the method can offer a quantitative result
In this article you can also find additional information about selecting tools: When to use tools for ISO 27001/ISO 22301 and when to avoid them https://advisera.com/conformio/blog/2021/06/24/toolkit-vs-conformio-which-is-more-applicable-for-my-company/
For other tools, I suggest you take a look at ISO 31010 (Risk management — Risk assessment techniques) at this link: https://www.iso.org/obp/ui/#iso:std:iec:31010:ed-1:v1:en
In the second part of this question, I assume you want recommendations about risk treatment techniques. Generally speaking, you can consider physical and logical segregation controls, user management practices, and physical and logical monitoring to deter, prevent and detect attempts by insiders. See this article for more information: How to handle access control according to ISO 27001 https://advisera.com/27001academy/blog/2015/07/27/how-to-handle-access-control-according-to-iso-27001/
3 - Where can I get your presentation on statement of applicability and risk treatment?
Answer: You can see a free demo of these documents at these links:
- Statement of Applicability https://advisera.com/27001academy/documentation/statement-of-applicability/
- Risk Treatment Plan https://advisera.com/27001academy/documentation/risk-treatment-plan/
These materials will also help you regarding risk assessment:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Mar 09, 2017