Risk analysis process - step by step
How to perform information security risk analysis according to ISO 27005.
ISO/IEC 27005:2022 defines a structured approach to managing information security risks: identification, assessment, treatment and monitoring of risks.
- Context: define the business objectives, compliance requirements, risk criteria and risk tolerance against which every later step is measured.
- Identification of risks: determine assets, threats and vulnerabilities and record each risk as an asset / threat / vulnerability triple (a threat exploiting a vulnerability in an asset).
- Risk analysis: assess impact and likelihood either qualitatively, e.g. Low / Medium / High, or quantitatively, e.g. ALE = SLE × ARO (annualised loss expectancy = single loss expectancy × annualised rate of occurrence).
- Risk evaluation: compare the resulting level of risk with the organisation's risk tolerance and set priorities.
- Treatment of risks: select a strategy: reduce, transfer (share), accept (retain) or avoid the risk.
- Monitoring and review: review risks and controls regularly, in particular after significant changes in the organisation or the IT environment.
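The steps above carried through on a small risk register, as an added example that is not part of the original page or of the ISO/IEC 27005 standard. The register entries, the 3×3 likelihood × impact bands, the tolerance values, the control cost and all function names are assumptions chosen for illustration; the example covers both the qualitative (Low / Medium / High) and the quantitative (ALE = SLE × ARO) analysis, the comparison against tolerance, prioritisation, and a "reduce" treatment checked by its residual ALE and by whether the control costs less per year than the loss it avoids.

```python
"""Worked ISO/IEC 27005-style risk analysis on a constructed risk register.

Assumptions (not from the page): the register entries, the scoring
bands, the tolerance values and all function names are illustrative.
"""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Qualitative scale used for both likelihood and impact."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Risk:
    """One asset / threat / vulnerability triple from the identification step."""
    asset: str
    threat: str
    vulnerability: str
    sle: float          # single loss expectancy per event (currency units)
    aro: float          # annualised rate of occurrence (events per year)
    likelihood: Level   # qualitative likelihood
    impact: Level       # qualitative impact


@dataclass(frozen=True)
class Tolerance:
    """Risk criteria fixed in the context step."""
    max_ale: float      # highest annual loss the organisation will accept
    max_level: Level    # highest qualitative level the organisation will accept


def ale(risk: Risk) -> float:
    """Quantitative analysis: annualised loss expectancy, ALE = SLE x ARO."""
    return risk.sle * risk.aro


def qualitative_level(risk: Risk) -> Level:
    """Qualitative analysis: 3x3 likelihood x impact matrix (assumed bands)."""
    score = risk.likelihood * risk.impact          # product in the range 1..9
    if score <= 2:
        return Level.LOW
    if score <= 4:
        return Level.MEDIUM
    return Level.HIGH


def exceeds_tolerance(risk: Risk, tol: Tolerance) -> bool:
    """Risk evaluation: does the analysed risk breach either risk criterion?"""
    return ale(risk) > tol.max_ale or qualitative_level(risk) > tol.max_level


def prioritise(register: list[Risk], tol: Tolerance) -> list[Risk]:
    """Risks that need treatment, highest ALE first."""
    return sorted((r for r in register if exceeds_tolerance(r, tol)),
                  key=ale, reverse=True)


def residual_ale(risk: Risk, aro_after: float) -> float:
    """Treatment option 'reduce': ALE after a control lowers the occurrence rate."""
    return risk.sle * aro_after


def control_is_justified(risk: Risk, aro_after: float, annual_cost: float) -> bool:
    """A reducing control pays for itself if the ALE it removes exceeds its yearly cost."""
    return ale(risk) - residual_ale(risk, aro_after) > annual_cost


# Constructed register for the example (fictional assets and values).
REGISTER = [
    Risk("customer database", "ransomware", "unpatched file server",
         sle=200_000, aro=0.2, likelihood=Level.MEDIUM, impact=Level.HIGH),
    Risk("staff mailboxes", "credential phishing", "no multi-factor authentication",
         sle=20_000, aro=1.0, likelihood=Level.HIGH, impact=Level.MEDIUM),
    Risk("field laptops", "theft", "no full-disk encryption",
         sle=5_000, aro=2.0, likelihood=Level.HIGH, impact=Level.LOW),
    Risk("public website", "defacement", "outdated CMS plugin",
         sle=2_000, aro=0.5, likelihood=Level.LOW, impact=Level.LOW),
]
TOLERANCE = Tolerance(max_ale=15_000, max_level=Level.MEDIUM)   # assumed criteria


def main() -> None:
    for r in REGISTER:
        verdict = "TREAT" if exceeds_tolerance(r, TOLERANCE) else "accept"
        print(f"{r.asset:18} ALE={ale(r):>9,.0f} level={qualitative_level(r).name:6} {verdict}")
    top = prioritise(REGISTER, TOLERANCE)[0]
    # 'Reduce': patching is assumed to cut the ransomware ARO from 0.2 to 0.05 per year.
    print(f"residual ALE for '{top.asset}' after control: {residual_ale(top, 0.05):,.0f}; "
          f"control justified at 10,000/year: {control_is_justified(top, 0.05, 10_000)}")


if __name__ == "__main__":
    main()
```

Run as a script it prints one line per register entry and then the residual ALE for the top-priority risk. The two criteria in `exceeds_tolerance` are deliberately combined with "or": a risk that is acceptable in money terms can still breach a qualitative ceiling (for example a regulatory impact that no ALE figure captures), and ISO/IEC 27005 expects the risk criteria from the context step to decide which view wins.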