Risk Assessment (ISO 31000)
To help organizations define and implement a strategy for risk analysis and risk assessment, several methodologies have been created in recent years that propose structured, systematic methods to identify, assess and manage risks.
These methodologies make the tasks tractable by providing recommendations and best practices whose effectiveness has been established by experience, so that organizations can adapt them to their own circumstances.
Risk assessment is the core of governance and organizational management: its correct application determines the validity and usefulness of the whole programme, so special emphasis must be placed on this phase.
Different methodologies (ISO/IEC 31000, MAGERIT v3.0, ISO/IEC 27005) propose their own systematic and structured methods to identify, assess and manage risks, but in general the objectives are:
- Obtain a model of the value of the system, identifying and valuing the relevant assets.
- Obtain a map of the risks in the system, identifying and assessing the threats to those assets.
- Know the current state of the security controls.
- Evaluate the potential impact on the system, both the potential impact (before controls) and the residual impact (after controls).
- Show where to act first: the areas of greatest impact and/or risk.
- Reduce service time
- Ensure the operational continuity of the organization by properly handling critical threats and risks.
- Maintain a strategy of protection and risk reduction.
- Continuously improve information security.
- Minimize impact while reducing cost, including losses of money, time and labor.
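The first five objectives above (asset valuation, threat map, current controls, potential versus residual impact, ranking of the riskiest areas) can be worked through as a small quantitative register. The following is an added example, not part of the original page and not taken from any of the named standards; it assumes a simplified model (impact = asset value x degradation, risk = impact x likelihood, controls scale likelihood and degradation) and uses constructed sample assets and threats.

```python
"""Simplified risk register: potential vs. residual impact and risk.

Assumed model (an illustrative simplification, not the formula of any standard):
  potential impact = asset value * degradation caused by one occurrence
  potential risk   = potential impact * expected occurrences per year
  residual values  = the same after each control scales likelihood/degradation
"""
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    likelihood_factor: float = 1.0   # multiplies threat likelihood (0..1)
    degradation_factor: float = 1.0  # multiplies degradation (0..1)


@dataclass
class Threat:
    name: str
    likelihood: float            # expected occurrences per year
    degradation: float           # fraction of asset value lost per occurrence
    controls: list = field(default_factory=list)


@dataclass
class Asset:
    name: str
    value: float                 # valuation in currency units (constructed)
    threats: list = field(default_factory=list)


def assess(asset, threat):
    """Return potential and residual impact/risk for one asset-threat pair."""
    lf = df = 1.0
    for c in threat.controls:      # controls in place today reduce the figures
        lf *= c.likelihood_factor
        df *= c.degradation_factor
    potential_impact = asset.value * threat.degradation
    residual_impact = potential_impact * df
    return {"asset": asset.name, "threat": threat.name,
            "potential_impact": potential_impact,
            "potential_risk": potential_impact * threat.likelihood,
            "residual_impact": residual_impact,
            "residual_risk": residual_impact * threat.likelihood * lf}


def risk_map(assets):
    """Rank every asset-threat pair by residual risk, highest first."""
    rows = [assess(a, t) for a in assets for t in a.threats]
    return sorted(rows, key=lambda r: r["residual_risk"], reverse=True)


# Constructed sample data: backups and endpoint protection cover the database,
# while the web server's availability threat currently has no control at all.
RANSOMWARE = Threat("ransomware", likelihood=0.5, degradation=0.8,
                    controls=[Control("offline backups", degradation_factor=0.25),
                              Control("endpoint protection", likelihood_factor=0.5)])
CUSTOMER_DB = Asset("customer database", 100_000, [RANSOMWARE])
WEB_SERVER = Asset("public web server", 40_000, [Threat("DDoS", 2.0, 0.3)])


def sample_risk_map():
    return risk_map([CUSTOMER_DB, WEB_SERVER])
```

Ranked by potential risk the database would come first; once current controls are counted, the uncontrolled DDoS threat to the web server tops the residual ranking, which is the "area of greatest risk" the assessment is meant to surface.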