Roadmap

Risk analysis process - step by step

How to perform an information security risk analysis according to ISO 27005.

ISO/IEC 27005:2022 defines a structured approach to managing information security risk: identifying, assessing, treating and monitoring risks.

  1. Context
    Defines business objectives, compliance requirements, risk criteria and risk tolerance.
  2. Identification of risks
    Determine assets, threats and vulnerabilities, recording each risk as an asset / threat / vulnerability triple.
  3. Risk analysis
    Assess impact and likelihood either qualitatively (e.g. Low / Medium / High) or quantitatively (e.g. ALE = SLE × ARO).
  4. Risk assessment
    Compare the level of risk with the risk tolerance of the organisation and set priorities.
  5. Treatment of risks
    Select a strategy: reduce (mitigate), transfer, accept or avoid the risk.
  6. Monitoring and review
    The risks and controls shall be reviewed regularly, in particular following significant changes in the organisation or the IT environment.
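The six steps above as one worked run, added here as an example and not taken from ISO/IEC 27005 or any vendor tool: a constructed three-entry risk register (asset / threat / vulnerability triples with made-up values), both a qualitative 3×3 rating and the quantitative ALE = SLE × ARO, prioritisation against an assumed ALE tolerance, and a treatment choice between constructed reduce/transfer options. The SLE = asset value × exposure factor formula and the Low/Medium/High thresholds are assumptions, not something the roadmap states.

```python
"""Worked ISO/IEC 27005-style risk analysis on a constructed three-entry register.

Added example; register values, tolerance and control costs are all invented.
"""
from dataclasses import dataclass

# Qualitative scale assumed here: Low=1, Medium=2, High=3 for impact and likelihood.
SCALE = {"Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    asset_value: float      # monetary value of the asset (constructed figure)
    exposure_factor: float  # fraction of the value lost in one incident, 0..1
    aro: float              # annualised rate of occurrence (incidents per year)
    impact: str             # qualitative impact: Low / Medium / High
    likelihood: str         # qualitative likelihood: Low / Medium / High


@dataclass(frozen=True)
class TreatmentOption:
    strategy: str           # "reduce" or "transfer"
    description: str
    annual_cost: float      # yearly cost of the control or insurance premium
    residual_ale: float     # estimated ALE after the option is applied


def sle(risk: Risk) -> float:
    """Single loss expectancy = asset value x exposure factor (assumed formula)."""
    return risk.asset_value * risk.exposure_factor


def ale(risk: Risk) -> float:
    """Annualised loss expectancy = SLE x ARO, as in step 3 of the roadmap."""
    return sle(risk) * risk.aro


def qualitative_level(risk: Risk) -> str:
    """Map impact x likelihood onto a 3x3 matrix; the thresholds are an assumption."""
    score = SCALE[risk.impact] * SCALE[risk.likelihood]   # 1..9
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def prioritise(register: list[Risk]) -> list[Risk]:
    """Step 4: rank risks so the largest expected annual loss is treated first."""
    return sorted(register, key=ale, reverse=True)


def choose_treatment(risk: Risk, tolerance: float,
                     options: list[TreatmentOption]) -> tuple[str, float]:
    """Step 5: pick a strategy against the organisation's ALE tolerance.

    Returns (strategy, total annual cost). An option's cost is its price plus
    the residual loss it still leaves; the cheapest option that brings the
    residual ALE within tolerance wins. If none does, the activity is avoided.
    """
    current = ale(risk)
    if current <= tolerance:
        return ("accept", current)
    viable = [o for o in options if o.residual_ale <= tolerance]
    if not viable:
        return ("avoid", 0.0)
    best = min(viable, key=lambda o: o.annual_cost + o.residual_ale)
    return (best.strategy, best.annual_cost + best.residual_ale)


# Constructed register: asset / threat / vulnerability triples with made-up values.
REGISTER = [
    Risk("customer database", "ransomware", "unpatched database server",
         asset_value=400_000, exposure_factor=0.5, aro=0.25,
         impact="High", likelihood="Medium"),
    Risk("field laptop", "theft", "no full-disk encryption",
         asset_value=2_000, exposure_factor=1.0, aro=2.0,
         impact="Low", likelihood="High"),
    Risk("public website", "defacement", "weak administrator password",
         asset_value=40_000, exposure_factor=0.125, aro=0.5,
         impact="Medium", likelihood="Medium"),
]

TOLERANCE = 5_000.0   # constructed: the organisation accepts up to this ALE per risk

# Constructed treatment options for the top-ranked risk.
DB_OPTIONS = [
    TreatmentOption("reduce", "offline backups plus monthly patching", 12_000, 5_000),
    TreatmentOption("transfer", "cyber-insurance policy with deductible", 20_000, 2_000),
]


if __name__ == "__main__":
    ranked = prioritise(REGISTER)
    for r in ranked:
        print(f"{r.asset:18} ALE={ale(r):>9,.0f}  level={qualitative_level(r)}")
    strategy, cost = choose_treatment(ranked[0], TOLERANCE, DB_OPTIONS)
    print(f"top risk -> {strategy} (total annual cost {cost:,.0f})")
```

Running it ranks the database risk first (ALE 50,000 against a 5,000 tolerance) and selects "reduce" because the control's 12,000 plus its 5,000 residual beats the insurance option's 22,000; the two smaller risks fall under the tolerance and are accepted. Step 6 is the part no script does for you: the register, the tolerance and the option estimates have to be revisited whenever the organisation or its IT environment changes.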