1 - Regarding Risk Assessment according to ISO 27001 and ISO 27005, I need your proper guidance and applicable methods on how to carry out a risk assessment on a very highly critical infrastructure, say a nuclear research institute?
Answer: Regardless of the target of the assessment, proper risk assessment methods have these things in common:
- they define the elements that will be under risk and need assessment (in the case of ISO 27001, these elements are information confidentiality, integrity and/or availability)
- they define how to identify risk owners (those who are responsible for risk treatment)
- they define clear criteria for risk assessment (normally by assessing the consequences and likelihood of the risk)
- they define how the risk is calculated
- they define criteria for accepting risks
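The five elements listed above, worked through in code as an added example (it is not part of the original answer and not a tool the answer refers to): a small risk register that records the asset and the C/I/A property at risk, the risk owner, the likelihood and consequence criteria, the calculation, and the acceptance criterion. The 1-5 scales, the multiplicative formula and the acceptance threshold of 9 are assumptions; ISO 27001 prescribes none of them. The register entries are constructed for illustration.

```python
"""Minimal ISO 27001-style risk assessment worked through in code.

Added example, not from the original Q&A. The scales, the formula
(likelihood x consequence) and the acceptance threshold are assumptions;
the organisation defines its own in the risk assessment methodology.
"""
from dataclasses import dataclass
from typing import Dict, List

# Assumed 1-5 ordinal scales for the two assessment criteria.
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
CONSEQUENCE = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}
# Elements under risk in ISO 27001: confidentiality, integrity, availability.
PROPERTIES = {"C": "confidentiality", "I": "integrity", "A": "availability"}
# Assumed acceptance criterion: a score at or below this needs no treatment.
ACCEPTANCE_THRESHOLD = 9


@dataclass(frozen=True)
class Risk:
    asset: str
    prop: str          # which of C, I or A is at risk
    threat: str
    owner: str         # the person accountable for treating the risk
    likelihood: int
    consequence: int

    def __post_init__(self) -> None:
        # Reject entries that are not expressed on the agreed scales,
        # otherwise the calculation silently produces meaningless scores.
        if self.prop not in PROPERTIES:
            raise ValueError(f"unknown property {self.prop!r}")
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"likelihood {self.likelihood} outside 1-5 scale")
        if self.consequence not in CONSEQUENCE:
            raise ValueError(f"consequence {self.consequence} outside 1-5 scale")

    @property
    def score(self) -> int:
        # Assumed calculation: risk = likelihood x consequence.
        return self.likelihood * self.consequence

    @property
    def acceptable(self) -> bool:
        return self.score <= ACCEPTANCE_THRESHOLD


@dataclass(frozen=True)
class Assessment:
    risk: Risk
    score: int
    acceptable: bool


def assess(register: List[Risk]) -> List[Assessment]:
    """Score every risk and order the result from highest to lowest."""
    results = [Assessment(r, r.score, r.acceptable) for r in register]
    return sorted(results, key=lambda a: a.score, reverse=True)


def treatment_plan(register: List[Risk]) -> Dict[str, List[Risk]]:
    """Group the risks that exceed the acceptance criterion by their owner."""
    plan: Dict[str, List[Risk]] = {}
    for r in register:
        if not r.acceptable:
            plan.setdefault(r.owner, []).append(r)
    return plan


# Constructed sample register (illustrative entries, not real findings).
REGISTER = [
    Risk("research data repository", "C",
         "privileged insider copies data to removable media", "Head of IT", 3, 5),
    Risk("experiment control network", "A",
         "ransomware introduced via contractor laptop", "OT manager", 2, 5),
    Risk("visitor badge database", "I",
         "clerical error in badge records", "Security office", 4, 2),
    Risk("public website", "A",
         "denial of service", "Communications", 3, 2),
]

if __name__ == "__main__":
    for a in assess(REGISTER):
        r = a.risk
        status = "accept" if a.acceptable else "treat"
        print(f"{a.score:>2} {status:<6} {PROPERTIES[r.prop]:<15} {r.asset:<28} owner={r.owner}")
    for owner, risks in treatment_plan(REGISTER).items():
        print(f"{owner}: {len(risks)} risk(s) to treat")
```

Run as a script it lists the four constructed risks in score order, marks the two scoring above 9 for treatment, and shows which owner each of those belongs to. Changing `ACCEPTANCE_THRESHOLD` or the scales is exactly the decision the methodology document has to record before the assessment starts, so that everyone scoring risks applies the same criteria.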
2 - What are the attributes for selecting risk assessment tools, and what are the best risk assessment techniques needed in such critical infrastructure, especially in mitigating against an insider threat, because insider threat is one of the biggest problems faced by the nuclear industry today?
Answer: For attributes to select a risk assessment tool, you can consider the guidance of ISO 31010, the ISO standard about risk assessment techniques. This standard defines 4 requirements to evaluate a tool:
- Resources required to perform the assessment in terms of time to perform, expert knowledge, data gathering and cost
- Complexity of the problem or situation to be assessed, as well as the specific methods required to be used
- The level of uncertainty that can be accepted
- Whether the method can offer a quantitative result