Information Security Risk Assessment Tool
With Abriska, organisations of any size and from any sector are able to conduct threat based risk assessments on any group of information assets.
ISO 27001 is the world's leading information security management system (ISMS) Standard, to which organisations can either comply or certify (auditable by a third-party certification body). It is intended to be used in conjunction with ISO 27002 (previously ISO 17799), the Code of Practice for Information Security Management, which lists security control objectives and recommends a range of specific security controls. The cornerstone of both Standards is the need to build the ISMS on a sound assessment of information risks.
ISO 27001 utilises a risk assessment to ensure that the cost of any control is balanced against the risk to the organisation of a security threat.
The risk assessment needs to be robust, auditable and repeatable and must contain the following elements:
- Identify assets and the business impact associated with a breach of confidentiality, integrity and availability. This is accomplished by maintaining an asset register and conducting a Business Impact Analysis.
- Identify vulnerabilities in those assets and the threats those assets are exposed to, and assess the likelihood that those threats will materialise. Abriska contains predefined lists of threats and mappings between asset types and those threats.
- Identify the controls that are currently implemented. Abriska also allows these controls to be rated against a maturity model.
- Calculate the levels of risk, apply a consistent risk strategy and determine an appropriate risk treatment action.
- Deliver a Risk Treatment Plan (RTP) and Statement of Applicability (SoA).
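The five elements above carried through on a constructed asset register, as an added worked example that is not Abriska's own code or scoring: the 1-5 impact and likelihood scales, the reduction of likelihood by control maturity, and the treat/tolerate/accept thresholds are all assumptions made for illustration.

```python
"""Threat-based risk assessment worked end to end (constructed sample data)."""

# Step 1: asset register with business impact (1-5) of a breach of C, I or A.
ASSETS = {
    "customer-db": {"type": "database", "C": 5, "I": 4, "A": 3},
    "web-portal":  {"type": "web-app",  "C": 3, "I": 3, "A": 5},
}
# Step 2: predefined threats mapped to asset types as
# (threat, property harmed, raw likelihood 1-5 before controls are considered).
THREATS = {
    "database": [("unauthorised access", "C", 4), ("data corruption", "I", 2)],
    "web-app":  [("denial of service", "A", 4), ("defacement", "I", 3)],
}
# Step 3: implemented controls, the threats they address, maturity 0-5 (assumed scale).
CONTROLS = {
    "Access control":          (["unauthorised access"], 1),
    "Backup":                  (["data corruption"], 4),
    "Network security":        (["denial of service"], 2),
    "Secure development":      (["defacement"], 3),
    "Physical entry controls": (["theft of equipment"], 5),  # no registered asset exposed
}


def assess(assets=ASSETS, threats=THREATS, controls=CONTROLS):
    """Steps 4-5: score every asset/threat pair, then derive the RTP and SoA."""
    rtp = []
    for asset, a in assets.items():
        for threat, prop, likelihood in threats[a["type"]]:
            # Assumed model: the most mature control covering the threat lowers
            # likelihood by maturity // 2, never below 1.
            maturity = max([m for ts, m in controls.values() if threat in ts] + [0])
            eff = max(1, likelihood - maturity // 2)
            score = a[prop] * eff  # risk level = impact x effective likelihood
            # Assumed risk strategy: treat >= 12, tolerate 6-11, accept < 6.
            action = "treat" if score >= 12 else "tolerate" if score >= 6 else "accept"
            rtp.append({"asset": asset, "threat": threat, "impact": a[prop],
                        "likelihood": eff, "score": score, "action": action})
    rtp.sort(key=lambda r: -r["score"])  # Risk Treatment Plan, highest risk first
    # Statement of Applicability: a control applies if it addresses a threat
    # that some registered asset type is actually exposed to.
    exposed = {t for a in assets.values() for t, _, _ in threats[a["type"]]}
    soa = {c: any(t in exposed for t in ts) for c, (ts, _) in controls.items()}
    return rtp, soa


if __name__ == "__main__":
    plan, statement = assess()
    for r in plan:
        print(f"{r['asset']:12} {r['threat']:20} risk={r['score']:2} -> {r['action']}")
    for control, applicable in statement.items():
        print(f"SoA: {control:24} {'applicable' if applicable else 'not applicable'}")
```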
