On page 7 of the Risk Assessment it was stated that SHGTS has never had a Risk Assessment before. This means that there was no policy in place to address the need for one.
Section 4.1 of ISO 27002:2005 says that risk assessment needs to be done periodically in a methodological manner (ISO/IEC 27002, 2005).
Since the policy does not exist, then the acceptable risk posture of the organization does not exist in such policy either.
The risk assessment discusses different levels of risk in the findings section on page 19. However acceptable risk was not determined.
Section 4.2 of …show more content…
Section 4.1 of ISO 27002:2005 Recommends that risk assessment should be done periodically to identify and choose a correct way to handle it. This justified that it should be included in the policy (ISO/IEC 27002, 2005).
Since a policy does not exist, therefore a section on multi-perspectives also does not exist. However, a policy is needed to address the concerns in the risk assessment.
These concerns are listed in the Threat sources and Threat action section of the risk assessment on pages seventeen and eighteen. While Vulnerability space on assets and their impact can be seen on pages nineteen to twenty four. This section has valuable information to help in creating a needed policy.
As justification, I will make reference to the ISO 27002:2005 which in section 4.1 recommend multi-perspectives on risk be included in the ISMS. These perspectives includes Threat, Asset, Vulnerability and impact (ISO/IEC 27002, 2005) .
Since this policy does not exist, then there is no policy for include reporting results …show more content…
This justifies that the results of the risk
Assessment should be included in the report (ISO/IEC 27002, 2005). Since this policy does not exist, then no section would have existed to include a remediation analysis report.
The risk assessment does not specifically mention the need for a remediation report in the policy. However, there are many recommendations that would aid in creating a report.
Section 14.1.2 of ISO 27002:2005 recommends that a strategy be put in place to address the threats posed by elements of the risk assessment. For this to happen, a remediation analysis report must be included in the policy. Without it this process will be overlooked (ISO/IEC 27002, 2005).
Procedures A procedure does not exist about implementing and enforcing a risk management policy. However the risk management assessment lacking this to help to address the risks identified.
On page 7 of the Risk Assessment stated that this is the first Risk Assessment done. This means that a procedure has not been implemented to enforce risk