2.Information Security Risk Assessment

Question 1

Input

Answer 1

Basic criteria, the scope and boundaries, and the organization for the information security risk management process being established.

Question 2

Action

Answer 2

Risks should be identified, quantified or qualitatively described, and prioritized against risk evaluation criteria and objectives relevant to the organization.

Question 3

Implementation guidance

Answer 3

A risk is a combination of the consequences that would follow from the occurrence of an unwanted event and the likelihood of the occurrence of the event. Risk assessment quantifies or qualitatively describes the risk and enables managers to prioritize risks according to their perceived seriousness or other established criteria.

Risk assessment consists of the following activities:
— risk identification.
— risk analysis.
— risk evaluation.

Risk assessment determines the value of the information assets, identifies the applicable threats and vulnerabilities that exist (or can exist), identifies the existing controls and their effect on the risk identified, determines the potential consequences and, finally, prioritizes the derived risks and ranks them against the risk evaluation criteria set in the context establishment.

Question 4

Output

Answer 4

A list of assessed risks prioritized according to risk evaluation criteria.