The Risk Assessment Process is structured in four steps, in accordance with ISO/IEC 27001:2005:
- Defining Risk Assessment Criteria and Scope
- Risk identification and risk estimation
- Risk treatment
- Risk acceptance
Risk assessment criteria comprise the risk assessment methodology to be used, the risk evaluation criteria, the risk impact criteria and the risk acceptance criteria. ARAT covers all of these and delivers results once the Risk Manager has selected a risk assessment methodology. Depending on the selected methodology, the Risk Manager may customize some of its parameters, in particular the risk estimation granularity (e.g. 5 levels instead of 3) and the threshold above which a risk counts as critical.
Scope definition requires the Process and/or Asset Owner to define the information assets to be included in a particular risk assessment. The assets are typically grouped into asset groups and related to the business processes that depend on them.
Risk identification requires defining all relevant threats and vulnerabilities pertaining to each asset in scope. The result of this identification is a set of risk incidents (a threat acting on a vulnerability of the asset) that are relevant to the situation under assessment. For each identified incident a risk must be estimated.
All critical risks must be treated by applying one of the four standard treatment options:
- Reduce the risk
- Accept the risk
- Avoid the risk
- Transfer the risk
Non-critical risks may also be treated if the Risk Manager so decides.
Each treated risk, with the exception of accepted risks, must have at least one action (a risk treatment measure) assigned, with clear responsibility for execution and a deadline.
As the final step of the Risk Assessment Process, the responsible manager confirms the Risk Treatment Plan stemming from the risk treatment phase. The manager may also reject the plan and request corrections.
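The rules above (configurable estimation granularity, a critical threshold, the four treatment options, the requirement that every treated risk other than an accepted one carries an action with an owner and a deadline, and the manager's confirm/reject decision) can be encoded as a small register check. The following Python is an added example written for this page; it is not ARAT code and the page describes no formula. It assumes that risk is estimated as likelihood times impact on a 1..levels scale and that a risk is critical when its score reaches the threshold; the sample register is constructed data.

```python
"""Minimal risk register that enforces the treatment rules of the process.

Assumptions (not stated on the page): score = likelihood * impact, both rated
on an integer scale 1..levels; a risk is critical when score >= threshold.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Treatment(Enum):
    """The four standard treatment options."""
    REDUCE = "reduce"
    ACCEPT = "accept"
    AVOID = "avoid"
    TRANSFER = "transfer"


@dataclass
class Action:
    """A risk treatment measure with an accountable owner and a deadline."""
    description: str
    owner: str
    deadline: str  # ISO 8601 date, e.g. "2024-06-30"


@dataclass
class Risk:
    asset: str
    incident: str  # the threat/vulnerability combination that was identified
    likelihood: int
    impact: int
    treatment: Optional[Treatment] = None
    actions: List[Action] = field(default_factory=list)


@dataclass
class Criteria:
    """Risk assessment criteria selected by the Risk Manager (hypothetical defaults)."""
    levels: int = 3              # estimation granularity: 3 or 5 levels
    critical_threshold: int = 6  # score at or above which a risk is critical

    def estimate(self, risk: Risk) -> int:
        # Reject ratings outside the chosen scale instead of silently scoring them.
        for name, value in (("likelihood", risk.likelihood), ("impact", risk.impact)):
            if not 1 <= value <= self.levels:
                raise ValueError(f"{name}={value} outside 1..{self.levels} for {risk.asset}")
        return risk.likelihood * risk.impact

    def is_critical(self, risk: Risk) -> bool:
        return self.estimate(risk) >= self.critical_threshold


def validate_plan(risks: List[Risk], criteria: Criteria) -> List[str]:
    """Return one finding per rule violation; an empty list means the plan is confirmable."""
    findings: List[str] = []
    for r in risks:
        # Rule 1: every critical risk must be treated (non-critical ones may stay untreated).
        if criteria.is_critical(r) and r.treatment is None:
            findings.append(f"{r.asset}/{r.incident}: critical risk (score {criteria.estimate(r)}) has no treatment")
        # Rule 2: reduce/avoid/transfer need at least one action with owner and deadline.
        if r.treatment is not None and r.treatment is not Treatment.ACCEPT:
            if not r.actions:
                findings.append(f"{r.asset}/{r.incident}: {r.treatment.value} chosen but no action assigned")
            for a in r.actions:
                if not a.owner or not a.deadline:
                    findings.append(f"{r.asset}/{r.incident}: action '{a.description}' lacks owner or deadline")
    return findings


def confirm_plan(risks: List[Risk], criteria: Criteria) -> bool:
    """The responsible manager's decision: confirm only a plan with no findings."""
    return not validate_plan(risks, criteria)


# Constructed sample register (illustrative, not real assessment data).
SAMPLE_RISKS = [
    Risk("customer-db", "SQL injection via web app", 3, 3, Treatment.REDUCE,
         [Action("parameterize queries, add WAF rule", "app-team-lead", "2024-06-30")]),
    Risk("customer-db", "backup tapes lost in transit", 3, 2),                 # critical, untreated
    Risk("mail-gateway", "phishing bypasses filter", 1, 3, Treatment.TRANSFER),  # treated, no action
    Risk("intranet-wiki", "defacement of internal pages", 2, 1, Treatment.ACCEPT),
    Risk("test-lab", "outdated build server", 1, 1),                            # non-critical, untreated is fine
]

if __name__ == "__main__":
    criteria = Criteria()
    for finding in validate_plan(SAMPLE_RISKS, criteria):
        print("FINDING:", finding)
    print("plan confirmed:", confirm_plan(SAMPLE_RISKS, criteria))
```

Changing the criteria changes the verdict: with `Criteria(levels=5, critical_threshold=15)` the lost-tape incident (score 6) is no longer critical, so only the action-less transfer remains as a finding. Whatever the granularity, the plan is only confirmed when the findings list is empty.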