1. Risk assessment methodology
These are definitions and rules for risk assessment and management. The methodology also defines qualitative or quantitative risk assessment, the scales for qualitative assessment, the acceptable level of risk. See Risk Assessment Report – versions 1.
2. Risk assessment implementation
IbCom approach was to list all information security risk ‘assets’, then threats and vulnerabilities related to those assets, security risk classifications, risk owner, assess the impact and likelihood for each combination of assets/threats/vulnerabilities and finally calculate the level of risk.
3. Risk treatment implementation
IbCom implemented risk controls in a priority based fashion. Not all risks are deemed equal in the organisation. A focus and priority was given to ‘unacceptable risks’.
There were four main options chosen to mitigate each unacceptable risk:
- Apply security controls from Annex A to decrease the risks
- Transfer the risk to another party
- Avoid the risk by stopping an activity that is too risky, or by doing it in a completely different fashion.
- Accept the risk (known allowable risk, monitored and controlled).