Security Insight
The risk analysis in particular is an essential instrument for determining our present risk position. ISO 27001 identifies 14 risk domains. The risk assessment assigns a risk level to each domain. COBIT categorizes process maturity on levels 0-5; we use these COBIT levels 0-5 to indicate the risk level.

Risk assessment is performed using a standard method and a dedicated tool. During the Business Impact Analysis a map is created of the critical business processes, their relationships, and their exposure to threats. The gravity of risk is depicted like this:

A list of 56 threats is combined with 114 ISO 27001 countermeasures (controls). The analysis systematically produces countermeasures that reduce risk.
The following diagram is of key importance: it is a graphical presentation of the organization's actual risk condition.

This diagram will be discussed with management. The COBIT overall maturity / security target has to be determined. In the diagram this is illustrated by shifting the dotted horizontal ruler up or down: up means increased security / controlled processes, down means decreased security. Depending on management's risk appetite, Omnisecure will assist in prioritizing the implementation of controls in particular risk domains. The ultimate goal is to improve the company's risk situation so that all orange squares end up above the dotted ruler. In this particular case domains 4, 6, 11 and 13 require implementation of controls.
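The logic of the diagram, as an added example that is not part of the original page or of Omnisecure's tool: each of the 14 domains carries a current maturity level on the COBIT 0-5 scale, management chooses the target level (the dotted ruler), and the domains whose level falls below the ruler are the ones needing controls. The per-domain levels below are constructed sample values chosen so that, with a target of 3, exactly domains 4, 6, 11 and 13 fall short, matching the case described above; the gap-based priority order and the ruler-shift table are assumptions about how one might rank and explore the result, not the page's method.

```python
# Added example (not from the page): modelling the "dotted ruler" risk diagram.
# Assumptions: one COBIT maturity level (0-5) per ISO 27001 domain (1..14);
# the sample levels below are constructed, not measured data.

DOMAIN_COUNT = 14
LEVEL_MIN, LEVEL_MAX = 0, 5

# Constructed sample: current maturity level per domain 1..14.
SAMPLE_LEVELS = {
    1: 3, 2: 3, 3: 4, 4: 1, 5: 3, 6: 2, 7: 3,
    8: 4, 9: 3, 10: 3, 11: 1, 12: 3, 13: 2, 14: 3,
}


def validate_levels(levels):
    """Raise ValueError if a domain is missing or a level is outside 0..5."""
    if set(levels) != set(range(1, DOMAIN_COUNT + 1)):
        raise ValueError("expected exactly domains 1..14")
    for domain, level in levels.items():
        if not isinstance(level, int) or not LEVEL_MIN <= level <= LEVEL_MAX:
            raise ValueError(f"domain {domain}: level {level!r} not in 0..5")


def domains_below_target(levels, target):
    """Domains whose level is below the ruler, i.e. the orange squares under it."""
    validate_levels(levels)
    if not LEVEL_MIN <= target <= LEVEL_MAX:
        raise ValueError("target must be in 0..5")
    return sorted(d for d, lvl in levels.items() if lvl < target)


def prioritised_gaps(levels, target):
    """(domain, gap) pairs, largest gap first; ties broken by domain number.

    Ranking by gap size is an assumed heuristic for where to start, not the
    page's own prioritisation rule.
    """
    validate_levels(levels)
    gaps = [(d, target - lvl) for d, lvl in levels.items() if lvl < target]
    return sorted(gaps, key=lambda g: (-g[1], g[0]))


def ruler_shift_table(levels):
    """How many domains fall short at every possible ruler position 0..5.

    Shows the effect of management moving the dotted ruler up or down.
    """
    return {t: len(domains_below_target(levels, t))
            for t in range(LEVEL_MIN, LEVEL_MAX + 1)}


if __name__ == "__main__":
    target = 3
    print("below target", target, ":", domains_below_target(SAMPLE_LEVELS, target))
    print("priority order:", prioritised_gaps(SAMPLE_LEVELS, target))
    print("ruler shift:", ruler_shift_table(SAMPLE_LEVELS))
```

Raising the ruler from 3 to 4 in the sample moves twelve of the fourteen domains under it, which is the kind of trade-off the discussion with management is about: the target level, not the assessment, decides how much control implementation follows.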
