RISK Assessment and Treatment Plans.
Risk is a major component of the 27001 standard. Berbridge has established a methodology that ensures that this is not just a paper exercise. Along with the compliance components required for certification, we provide a report that gives valuable risk feedback that can be utilized for strategic decision making.
Risk Assessment.
The risk assessment is considered a major component of the Information Security Management System. Addressing Risks and Opportunities has replaced the Preventative Actions found in previous iterations of the Management System Standards. For your 27001 certification, not having performed a risk assessment will raise a Major Nonconformity, which will stop the audit.
The risk assessment is far from an isolated process. Prerequisites for running a risk assessment include completing an asset inventory, establishing a Statement of Applicability (SoA), identifying risk-mitigating controls that align with the requirements of the applicable Annex A controls, and identifying your organization's risk tolerance.
In short, you don’t need a risk assessment, you need a risk program and Berbridge can help you get there.
27001 Risk Compliance
Risk is ubiquitous throughout the standard, and it's not hard to see that ISO 27001 is a risk-based standard. Several processes and mechanisms are required by the standard to ensure risk is identified, owned, measured, analyzed, and mitigated in accordance with the 27001 controls. Risk acceptance criteria need to be established, and risk treatment plans, along with the residual risk, need to be formally accepted by the risk owners.
This may sound like a lot of work, but by utilizing Berbridge's Risk Management Methodology, it's easy to see how all the parts work in concert in a common-sense yet comprehensive way.