Instant 27001 demo environment

6.1.2 Information security risk assessment

Control details

Requirement

The organization shall define and apply an information security risk assessment process that:

a) establishes and maintains information security risk criteria that include:

   1) the risk acceptance criteria; and

   2) criteria for performing information security risk assessments;

b) ensures that repeated information security risk assessments produce consistent, valid and comparable results;

c) identifies the information security risks:

   1) apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system; and

   2) identify the risk owners;

d) analyses the information security risks:

   1) assess the potential consequences that would result if the risks identified in 6.1.2 c) 1) were to materialize;

   2) assess the realistic likelihood of the occurrence of the risks identified in 6.1.2 c) 1); and

   3) determine the levels of risk;

e) evaluates the information security risks:

   1) compare the results of risk analysis with the risk criteria established in 6.1.2 a); and

   2) prioritize the analysed risks for risk treatment.

The organization shall retain documented information about the information security risk assessment process.

Instruction

Write down the organization's method for risk analysis.

Think:

  1. How often/when is the risk analysis executed?
  2. Who will be performing the risk analysis?
  3. What metrics will be used?
  4. When is a risk required to be mitigated and when can it be accepted?
  5. Who will own the risk?
  6. Who can accept a risk?

Implementation

Our risk assessment process is defined here: Risk assessment and treatment process.

The metrics are defined in Risk matrix.


Check details

Owner: Risk manager
Frequency: Year
Instruction

Is the risk assessment process still accurate? Are the risk levels assigned to the identified risks consistent with that process?

Is the implementation still accurate? Consult with management if needed. Report any findings below in the comments, or upload proof as attachment to this page.

