Risk assessment and treatment

Objective • Risk assessment and treatment should identify, quantify and prioritize risks in light of the organization's objectives and risk criteria, and should ensure that appropriate steps are taken to mitigate the identified risks in light of those same objectives and risk criteria.

Risk assessment • Risk assessments should be performed, and updated at appropriate intervals, for all information facilities. This could include:

  • systematic methods of assessing risks (threats, threat capabilities and facilities’ vulnerabilities to those capabilities);
  • systematic methods of comparing assessed risks against risk criteria;
  • periodic re-assessments to address changes in security requirements and/or in the risk environment; and
  • clearly defined scope and limitations of the analyses, including specification of the systems assessed, the means of assessment employed, and relationships with other risk assessments as appropriate.

Risk treatment • Risk treatment efforts should be undertaken to mitigate identified risks, using appropriate administrative, technical and physical security controls. This could include:

  • applying appropriate controls to avoid, eliminate or reduce risks as dictated by the risk analysis;
  • transferring some risks to third parties as appropriate (e.g., by insurance); or
  • knowingly and objectively accepting some risks.

Risk treatments should take account of:

  • legal-regulatory and private certificatory requirements;
  • organizational objectives, operational requirements and constraints; and
  • costs of implementation and operation relative to risks being reduced.

Risk documentation • Risk treatment choices made, and the reasons for them, should be formally documented.

SOURCES: ISO-27001/27002:2005 sects. 4.1 – 4.2.