iso27002 entity security assessment tool kit user instruction changesv1.1
8/11/2019 ISO27002 Entity Security Assessment Tool Kit User Instruction Changesv1.1
http://slidepdf.com/reader/full/iso27002-entity-security-assessment-tool-kit-user-instruction-changesv11 1/2
Company impact assessment
Column 5 is where you mark your assessment of the likely impact on the organization if this vulnerability were
to be exploited. Impacts are measured in financial terms and should include all the likely direct, indirect and
consequential costs of the impact, including the time taken to restore normal operations, lost business, etc. Again, the
three options are high (red), medium (yellow) and low (green). Again, you should assess the likely impact for all
questions, not simply those that are red.
Conclusion
The ideal information security posture will be represented by a completely green column 2 and few if any
comments in column 3. The likelihood is that columns 4 and 5 will both contain a large number of reds.
Prioritization
Most organizations will have one or more areas in which they are not compliant with the risk question, and the
likelihood of exploitation and its probable impact are high – red across the row, in other words. If there is only
one such row, the security controls associated with it should be implemented as a priority. If there is more than
one such row, you will have to compare the total financial impact of each and prioritize on the basis of tackling
the most significant area of danger first. It can be appropriate, in such circumstances, to include an assessment of
the likely cost of implementing the control and to prioritize dealing with the areas in which the potential net cost
(cost of impact less cost of control) is highest.
It is not unusual for organizations to discover that they have implemented controls for which there is no
corresponding risk probability and, unless you carry out the exercise as indicated in these instructions, you may
not uncover this situation. Wasting money on unnecessary controls is as bad for the organizational ISMS as
having dysfunctional controls. Those risk questions for which your compliance answer is green, but for which
the probability and impact of an attack are low, may be areas in which you have over-invested in controls. You
will need to investigate these in more detail to see if there are options for reducing the level of control and
investing the released funding elsewhere.
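The prioritization rule above (rows that are red across the row, ranked by net cost) and the over-investment check (green compliance with low probability and low impact) worked through in code. This is an added illustration, not part of the tool kit; the Row structure, the SAMPLE rows and their cost figures are constructed for the example.

```python
from dataclasses import dataclass

# Rating values used in the tool kit: red = high, yellow = medium, green = low.
RED, YELLOW, GREEN = "red", "yellow", "green"


@dataclass
class Row:
    question: str        # risk question
    compliance: str      # column 2: red = not compliant, green = compliant
    likelihood: str      # column 4: likelihood of exploitation
    impact: str          # column 5: likely impact on the organization
    impact_cost: float   # constructed estimate of direct, indirect and consequential costs
    control_cost: float  # constructed estimate of the cost of implementing the control


def net_cost(row: Row) -> float:
    """Potential net cost: cost of impact less cost of control."""
    return row.impact_cost - row.control_cost


def red_across_row(row: Row) -> bool:
    """Not compliant, high likelihood and high impact."""
    return row.compliance == RED and row.likelihood == RED and row.impact == RED


def prioritize(rows):
    """Rows that are red across the row, highest potential net cost first."""
    return sorted((r for r in rows if red_across_row(r)), key=net_cost, reverse=True)


def over_invested(rows):
    """Compliant (green) controls where both probability and impact are low: review candidates."""
    return [r for r in rows if r.compliance == GREEN and r.likelihood == GREEN and r.impact == GREEN]


# Constructed sample assessment; the questions and figures are illustrative only.
SAMPLE = [
    Row("Backup media encrypted", RED, RED, RED, 250_000, 20_000),
    Row("Privileged access reviewed", RED, RED, RED, 400_000, 300_000),
    Row("Visitor badges issued", GREEN, GREEN, GREEN, 5_000, 15_000),
    Row("Patching within SLA", YELLOW, RED, RED, 150_000, 30_000),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE):
        print(f"priority: {r.question} (net cost {net_cost(r):,.0f})")
    for r in over_invested(SAMPLE):
        print(f"review control spend: {r.question}")
```

Note that "Patching within SLA" is not ranked even though likelihood and impact are red, because its compliance is yellow rather than red; the tool kit's rule applies to rows that are red in all three columns.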
The tool is as helpful as you are honest.