Managing Risks

Why Are Risks Relevant for GDPR or ISO 27001?

Risks play a central role in complying with standards such as ISO 27001 and the General Data Protection Regulation (GDPR). To become ISO 27001 certified, organizations must conduct a comprehensive risk assessment. This process involves identifying potential risks that could impact the business, assessing the likelihood of their occurrence, and estimating their potential impact.

Specific requirements for an ISO 27001 risk assessment include:

  • Establishing criteria for evaluating information security risks,

  • Identifying risks for all information assets within the scope of the ISMS,

  • Assigning ownership for each risk,

  • Creating a repeatable, consistent risk assessment process.

Therefore, companies must accurately identify and prioritize their risks to implement appropriate protective measures.

Risk Overview


On the risk overview page, you can see the following sections:

  • Categories: For better overview, risks are categorized into their contexts.

  • Risk matrix: The risk matrix has two dimensions,

    • Impact,

    • and Likelihood.

    The score that you give each dimension for a particular risk composes the risk score. Using the risk matrix, you can filter for the risk score by clicking on the individual tiles of the risk matrix.

  • Overview: A list of the risks that you added with some info for each.

Detail View

General

  • Title: The name of the risk.

  • Description: A more detailed explanation of the risk.

  • Risk category: The context in which the risk occurs.

  • Owner: The person responsible for managing the risk in your company. This should be someone who is operationally close to the context of the risk and can accurately assess and treat it.

Risk Description

  • Threats: What is the danger for your company?

  • Vulnerabilities: Where are weak points in your company that could be exploited?

  • Damages: What are the possible consequences if these vulnerabilities are exploited?

CIA Assessment

Here you can indicate which pillar (or pillars) of the CIA triad is affected by this risk.

  • Confidentiality

  • Integrity

  • Availability

Risk Assessment

  • Likelihood: On a scale from 1 (Rare) to 4 (Likely), how likely is it that the risk materializes?

  • Impact: On a scale from 1 (Insignificant) to 4 (Catastrophic), how big would the impact be if it does?

  • Risk Score = Likelihood x Impact

Risk Treatment

  • Acceptance: Does the company accept the risk, yes or no? If yes, the following two points are irrelevant for this risk.

  • Treatment Mechanism: Is the risk to be avoided, mitigated, or transferred (for example, to an insurer)?

  • Controls: If the risk is to be mitigated, which controls implement this mitigation? Here you can choose from the controls that you have set up on the controls page.

  • Treatment Description: Describe the treatment mechanism concretely in your company.

Residual Risk

  • Same in principle as the Risk Assessment, but now taking into account how much the chosen treatment lowers the Likelihood and the Impact of the risk.
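As an added example (not Kertos' own code), the scoring rules from the Risk Assessment and Residual Risk sections above written out in Python: both dimensions are validated against the 1 to 4 scale, a mitigated risk must reference at least one control, the residual score may never exceed the inherent score, and risks are grouped by matrix tile the way the clickable matrix filter does. The field names, the rule that an accepted risk keeps its inherent score as residual, and the two register entries are assumptions constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional
SCALE = range(1, 5)  # both dimensions run from 1 to 4, as in the detail view
def risk_score(likelihood: int, impact: int) -> int:
    """Risk Score = Likelihood x Impact; rejects values outside the 1..4 scale."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError("likelihood and impact must be integers from 1 to 4")
    return likelihood * impact

@dataclass
class Risk:
    title: str
    category: str
    owner: str
    likelihood: int
    impact: int
    cia: frozenset = frozenset()            # affected pillars, subset of {"C", "I", "A"}
    accepted: bool = False
    treatment: Optional[str] = None         # "avoid", "mitigate" or "transfer"
    controls: list = field(default_factory=list)
    residual_likelihood: Optional[int] = None
    residual_impact: Optional[int] = None

    def score(self) -> int:
        return risk_score(self.likelihood, self.impact)

    def residual_score(self) -> int:
        # Assumption: an accepted (untreated) risk keeps its inherent score as residual.
        if self.accepted or self.treatment is None:
            return self.score()
        if self.treatment == "mitigate" and not self.controls:
            raise ValueError("a mitigated risk must reference at least one control")
        rl = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        ri = self.impact if self.residual_impact is None else self.residual_impact
        residual = risk_score(rl, ri)
        if residual > self.score():
            raise ValueError("treatment may lower but never raise the risk score")
        return residual

def matrix_tiles(risks: list) -> dict:
    """Group risk titles by (likelihood, impact) tile, like clicking a tile in the matrix."""
    tiles = defaultdict(list)
    for r in risks:
        tiles[(r.likelihood, r.impact)].append(r.title)
    return dict(tiles)
SAMPLE_REGISTER = [  # constructed example entries, not real data
    Risk("Ransomware", "Operational", "IT lead", 3, 4, frozenset("CIA"), treatment="mitigate",
         controls=["Offline backups"], residual_likelihood=2, residual_impact=2),
    Risk("Minor office flooding", "Environmental", "Facilities", 1, 2, accepted=True)]
```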

Notes

  • Any type of additional information that you want to include in this risk.

Documenting Risks

Our platform supports organizations by offering predefined risk categories, such as "Environmental" or "Operational," which facilitate the organization and management of risks. Kertos also provides a visual representation of risks in a two-dimensional matrix. The matrix ensures that essential information is structured for assessing compliance with standards like ISO 27001.

In the Risk tab, you have two options for adding your risks:

  • Via the catalogue, where you can find risks that are already pre-filled,

  • or manually via “Add Risk”.

Via the catalogue

  1. Select the category you want to add risks for.

  2. Select the desired risks individually or select all of them by ticking the box at the top of the list.

  3. Go back to the risk overview.

  4. In the overview, click on the risk you want to manage.

  5. Fill out the details as described in the detail view and don’t forget to click “Save” at the end.

Manually

  1. On the overview page, click “Add risk” in the top right corner.

  2. You will be taken to the detail view of the new, empty risk.

  3. Fill out the details as described in the detail view and don’t forget to click “Save” at the end.