Risk assessment

The core of compliance with ISO 27001 is a risk assessment. CyberComply can perform scenario-based, asset-based and mixed risk assessments, but the requirements of ISO 27001 generally mean that an asset-based approach is best.


Before performing an asset-based risk assessment, an organisation needs to define and record its assets as described in the previous section. Once the assets are within CyberComply, the risk assessment can be done.


Click the Menu button and then Risks to start.


Risks page


Risks are nested within risk assessments. Each assessment may contain multiple risks. Each risk has the following attributes:


  • The likelihood of the risk affecting the organisation and/or data subjects.
  • The impact of the risk on the organisation and/or data subjects.
  • The asset (or asset class) that the risk affects.
  • The threat that causes the risk.
  • The vulnerability that allows the threat to apply.
  • The information security principle that the threat endangers (i.e. confidentiality, integrity and/or availability).
  • The organisation’s response to the risk, including any controls.
  • The residual risk and impact after the organisation’s response has been applied.


The scale for likelihood and impact can be customised for each risk assessment. Each risk within a risk assessment must use the same scale for these attributes.
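The attribute list and the shared-scale rule above can be modelled directly. The following Python is an added example, not CyberComply code: the scoring rule (likelihood rank multiplied by impact rank), the validation messages and the sample assets, threats and controls are assumptions made for illustration. It shows how a risk register enforces that every nested risk uses its assessment's scale and that a response cannot leave residual risk higher than the inherent risk.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# The information security principles a threat can endanger (the article's C/I/A).
PRINCIPLES = frozenset({"confidentiality", "integrity", "availability"})


@dataclass(frozen=True)
class Scale:
    """Ordered labels, lowest first. Each assessment picks its own scale."""
    levels: Tuple[str, ...]

    def rank(self, label: str) -> int:
        """1-based position on the scale; higher means more likely / more severe."""
        return self.levels.index(label) + 1


@dataclass
class Risk:
    """One risk, carrying the attributes the article lists."""
    asset: str
    threat: str
    vulnerability: str
    principles: frozenset
    likelihood: str
    impact: str
    response: str = "accept"
    controls: List[str] = field(default_factory=list)
    residual_likelihood: Optional[str] = None  # None: unchanged by the response
    residual_impact: Optional[str] = None


class RiskAssessment:
    """Risks are nested in an assessment and must all use its two scales."""

    def __init__(self, likelihood_scale: Scale, impact_scale: Scale) -> None:
        self.likelihood_scale = likelihood_scale
        self.impact_scale = impact_scale
        self.risks: List[Risk] = []

    def inherent_score(self, risk: Risk) -> int:
        # Assumed scoring rule: likelihood rank times impact rank.
        return self.likelihood_scale.rank(risk.likelihood) * self.impact_scale.rank(risk.impact)

    def residual_score(self, risk: Risk) -> int:
        return (self.likelihood_scale.rank(risk.residual_likelihood or risk.likelihood)
                * self.impact_scale.rank(risk.residual_impact or risk.impact))

    def check(self, risk: Risk) -> Optional[str]:
        """Return a validation message, or None when the risk fits this assessment."""
        if not risk.principles or not risk.principles <= PRINCIPLES:
            return "principles must be a non-empty subset of " + ", ".join(sorted(PRINCIPLES))
        for label in (risk.likelihood, risk.residual_likelihood or risk.likelihood):
            if label not in self.likelihood_scale.levels:
                return f"likelihood {label!r} is not on this assessment's scale"
        for label in (risk.impact, risk.residual_impact or risk.impact):
            if label not in self.impact_scale.levels:
                return f"impact {label!r} is not on this assessment's scale"
        if self.residual_score(risk) > self.inherent_score(risk):
            return "residual risk cannot exceed inherent risk"
        return None

    def add(self, risk: Risk) -> Risk:
        msg = self.check(risk)
        if msg is not None:
            raise ValueError(msg)
        self.risks.append(risk)
        return risk

    def register(self) -> List[Dict[str, object]]:
        """Rows sorted by residual score, highest first: what still needs treatment."""
        rows = [{
            "asset": r.asset, "threat": r.threat, "principles": sorted(r.principles),
            "inherent": self.inherent_score(r), "residual": self.residual_score(r),
            "response": r.response, "controls": list(r.controls),
        } for r in self.risks]
        return sorted(rows, key=lambda row: row["residual"], reverse=True)


def build_example() -> RiskAssessment:
    """Constructed sample data; the assets, threats and controls are hypothetical."""
    ra = RiskAssessment(Scale(("rare", "possible", "likely")),
                        Scale(("minor", "moderate", "major")))
    ra.add(Risk(asset="customer database", threat="external attacker",
                vulnerability="unpatched web front end",
                principles=frozenset({"confidentiality", "integrity"}),
                likelihood="likely", impact="major", response="modify",
                controls=["patch management", "web application firewall"],
                residual_likelihood="possible"))
    ra.add(Risk(asset="staff laptops", threat="loss or theft",
                vulnerability="no full-disk encryption",
                principles=frozenset({"confidentiality"}),
                likelihood="possible", impact="moderate", response="modify",
                controls=["full-disk encryption"], residual_impact="minor"))
    return ra
```

Calling `build_example().register()` returns the two constructed risks ordered by residual score, with the customer database (inherent 9, residual 6) ahead of the laptops (inherent 4, residual 2). Because `check()` rejects any label that is not on the assessment's own scale, a risk copied from another assessment with a different scale cannot be added without first being re-rated.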


Risk criteria


Note that CyberComply contains a substantial library of risks that can be added to an assessment. Each library risk comes with the following already filled in:

  • Asset
  • Threat
  • Vulnerability
  • Controls (including relevant ISO 27001 controls)


Updated on: 17/06/2024