1.Context Establishment

Question 1

Action

Answer 1

The external and internal context for information security risk management should be established, which involves setting the basic criteria necessary for information security risk management, defining the scope and boundaries and establishing an appropriate organization operating the information security risk management.

Question 2

Implementation guidance

Answer 2

It is essential to determine the purpose of the information security risk management as this affects the overall process and the context establishment in particular. This purpose can be:
— supporting an ISMS;
— legal compliance and evidence of due diligence;

Question 3

Output

Answer 3

The specification of basic criteria, the scope and boundaries, and the organization for the information security risk management process.

Question 4

Risk management approach

Answer 4

Depending on the scope and objectives of the risk management, different approaches can be applied. The approach can also be different for each iteration.
An appropriate risk management approach should be selected or developed that addresses basic criteria such as: risk evaluation criteria, impact criteria, risk acceptance criteria.
Additionally, the organization should assess whether necessary resources are available to:
— perform risk assessment and establish a risk treatment plan;

Question 5

Risk Evaluation Criteria

Answer 5

Risk evaluation criteria should be developed for evaluating the organization’s information security risk management
— the strategic value of the business information process;
— the criticality of the information assets involved;
— operational and business importance of availability, confidentiality and integrity;
— stakeholders’ expectations and perceptions, and negative consequences for goodwill and reputation;
Additionally, risk evaluation criteria can be used to specify priorities for risk treatment.

Question 6

Impact Criteria

Answer 6

Impact criteria should be developed and specified in terms of the degree of damage or costs to the organization caused by an information security event consider the following.
— level of classification of the impacted information asset;
— breaches of information security (e.g. loss of confidentiality, integrity and availability);
— impaired operations (internal or third parties);
— loss of business and financial value;
— disruption of plans and deadlines;
— damage of reputation;

Question 7

Risk Acceptance Criteria

Answer 7

Risk acceptance criteria should be developed and specified. Risk acceptance criteria often depend on the organization’s policies, goals, objectives and the interests of stakeholders.

An organization should define its own scales for levels of risk acceptance. The following should be considered during development:

— risk acceptance criteria can include multiple thresholds, with a desired target level of risk, but provision for senior managers to accept risks above this level under defined circumstances;

— risk acceptance criteria can be expressed as the ratio of estimated profit (or other business benefit) to the estimated risk;

— different risk acceptance criteria can apply to different classes of risk;

— risk acceptance criteria can include requirements for future additional treatment, e.g. a risk can be accepted if there is approval and commitment to take action to reduce it to an acceptable level within a defined time period.

Risk acceptance criteria can differ according to how long the risk is expected to exist, e.g. the risk can be associated with a temporary or short-term activity. Risk acceptance criteria should be set up considering the following:
— business criteria;
— operations;
— technology;
— finance;
— social and humanitarian factors.

Question 8

Scope and Boundaries

Answer 8

The scope of the information security risk management process needs to be defined to ensure that all relevant assets are taken into account in the risk assessment. In addition, the boundaries need to be identified to address those risks that can arise through these boundaries.
and its relevance to the information security risk management process.
When defining the scope and boundaries, the organization should consider the following information:
— the organization’s strategic business objectives, strategies and policies;
— business processes;
— the organization’s functions and structure;
— the organization’s information security policy;
— the organization’s overall approach to risk management;
— information assets;
Examples of the risk management scope may be an IT application, IT infrastructure, a business process, or a defined part of an organization.

Question 9

Scope and Boundaries

Answer 9

The scope of the information security risk management process needs to be defined to ensure that all relevant assets are taken into account in the risk assessment. In addition, the boundaries need to be identified to address those risks that can arise through these boundaries.
and its relevance to the information security risk management process.
When defining the scope and boundaries, the organization should consider the following information:
— the organization’s strategic business objectives, strategies and policies;
— business processes;
— the organization’s functions and structure;
— the organization’s information security policy;
— the organization’s overall approach to risk management;
— information assets;
Examples of the risk management scope may be an IT application, IT infrastructure, a business process, or a defined part of an organization.