Risk assessment

Guest user Created:   Mar 09, 2017 Last commented:   Mar 09, 2017

1 - Regarding Risk Assessment according to ISO 27001 and ISO 27005, I need your proper guidance and applicable methods on how to carry out a risk assessment on very highly critical infrastructure, say a nuclear research institute?

Rhand Leal Mar 09, 2017

Answer: Regardless of the target of the assessment, proper risk assessment methods have these things in common:

- they define the elements that will be under risk and need assessment (in the case of ISO 27001, these elements are information confidentiality, integrity and/or availability)
- they define how to identify risk owners (those who are responsible for risk treatment)
- they define clear criteria for risk assessment (normally by assessing the consequences and likelihood of the risk)
- they define how the risk is calculated
- they define criteria for accepting risks

So, any method you choose that has these five characteristics will fit your needs. For information about risk assessment methodologies, please see this article: How to write ISO 27001 risk assessment methodology
The most common method is the qualitative assessment, and for that you can see an example in this article:
How to assess consequences and likelihood in ISO 27001 risk analysis

Another method that you can consider is the quantitative assessment, and for that you can see more information in this article: Qualitative vs. quantitative risk assessments in information security: Differences and similarities

2 - What are the attributes for selecting risk assessment tools, and what are the best risk assessment techniques needed in such critical infrastructure, especially for mitigating insider threats, since the insider threat is one of the biggest problems faced by the nuclear industry today?

Answer: For attributes to select a risk assessment tool, you can consider the guidelines of ISO 31010, the ISO standard about risk assessment techniques. This standard defines 4 requirements to evaluate a tool:
- Resources required to perform the assessment in terms of time to perform, expert knowledge, data gathering and cost
- Complexity of the problem or situation to be assessed, as well as the specific methods required to be used
- The level of uncertainty that can be accepted
- If the method can offer a quantitative result

In this article you can also find additional information about selecting tools: When to use tools for ISO 27001/ISO 22301 and when to avoid them

For other tools, I suggest you take a look at ISO 31010 (Risk management — Risk assessment techniques) at this link:

In the second part of this question, I assume you want recommendations about risk treatment techniques. Generally speaking, you can consider physical and logical segregation controls, user management practices, and physical and logical monitoring to deter, prevent and detect attempts from insiders. See this article for more information: How to handle access control according to ISO 27001

3 - Where can I get your presentation on statement of applicability and risk treatment?

Answer: You can see free demos of these documents at these links:
- Statement of Applicability
- Risk Treatment Plan

These materials will also help you regarding risk assessment:
- Book ISO 27001 Risk Management in Plain English
- Free online training ISO 27001 Foundations Course
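As an added illustration (not part of the original post or of Advisera's materials), the following Python sketch turns the five elements listed in the answer above into a small risk register: the C/I/A elements at risk, a risk owner per risk, consequence and likelihood criteria, a risk calculation, and an acceptance criterion, plus the standard ALE formula as the quantitative counterpart mentioned in the third article. The 1..5 scales, the acceptance threshold, the owners and the sample risks are assumptions constructed for this example, not data from any real assessment.

```python
"""Added example: a minimal ISO 27001-style risk register.

Implements the five elements named in the answer above: the CIA elements
at risk, a risk owner per risk, consequence and likelihood criteria, a
risk calculation, and an acceptance criterion. The 1..5 scales, the
acceptance threshold, the owners and the sample risks are all assumptions
constructed for this illustration, not data from any real assessment.
"""
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 5          # assumed qualitative scale for both factors
ACCEPTANCE_THRESHOLD = 6             # assumed criterion: score <= 6 is accepted as-is
CIA = {"C", "I", "A"}


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    owner: str            # risk owner: the person accountable for treatment
    affects: tuple        # which of C, I, A the risk impacts
    consequence: int      # 1 (negligible) .. 5 (catastrophic)
    likelihood: int       # 1 (rare) .. 5 (almost certain)

    def __post_init__(self):
        # Reject scores outside the defined scale so the register stays comparable.
        for name in ("consequence", "likelihood"):
            value = getattr(self, name)
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{name}={value} is outside {SCALE_MIN}..{SCALE_MAX}")
        if not self.affects or not set(self.affects) <= CIA:
            raise ValueError(f"affects must be a non-empty subset of C/I/A, got {self.affects!r}")

    @property
    def score(self) -> int:
        """Risk calculation: consequence x likelihood."""
        return self.consequence * self.likelihood

    @property
    def accepted(self) -> bool:
        """Acceptance criterion applied to the calculated risk."""
        return self.score <= ACCEPTANCE_THRESHOLD


def treatment_plan(risks):
    """Unaccepted risks grouped by owner, highest score first (input to a Risk Treatment Plan)."""
    plan = {}
    for risk in sorted(risks, key=lambda r: r.score, reverse=True):
        if not risk.accepted:
            plan.setdefault(risk.owner, []).append(risk)
    return plan


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """Quantitative counterpart: ALE = SLE x ARO (single loss expectancy times annual rate of occurrence)."""
    return sle * aro


def sample_register():
    """Constructed sample risks (hypothetical assets, owners and findings)."""
    return [
        Risk("reactor telemetry database", "privileged insider exfiltration",
             "shared admin accounts, no session recording", "Head of IT Operations",
             ("C",), consequence=5, likelihood=3),
        Risk("visitor Wi-Fi", "eavesdropping", "open network, no client isolation",
             "Facilities Manager", ("C",), consequence=2, likelihood=3),
        Risk("HR file server", "ransomware", "unpatched SMB service",
             "Head of IT Operations", ("I", "A"), consequence=4, likelihood=2),
        Risk("public website", "defacement", "outdated CMS plugin",
             "Communications Lead", ("I",), consequence=2, likelihood=2),
    ]


if __name__ == "__main__":
    register = sample_register()
    for r in register:
        verdict = "ACCEPT" if r.accepted else "TREAT "
        print(f"{r.score:>2} {verdict} {r.asset} ({'/'.join(r.affects)}) -> {r.owner}")
    for owner, items in treatment_plan(register).items():
        print(owner, [r.asset for r in items])
    print("ALE example:", annualized_loss_expectancy(sle=200_000, aro=0.1))
```

The point of the `treatment_plan` grouping is that, once the method fixes the acceptance criterion, the output is already organised by the person the answer calls the risk owner, which is what a Risk Treatment Plan needs; the quantitative ALE helper is there only to show that the same register could carry monetary estimates instead of ordinal scores.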