The Business Process & IT Best Practices Specialist!
Contact Us
+91 9810609560

Information Security Risk Management for your ISMS


Course Overview

In today's business climate, information risk management has become a top priority in most organizations. New legislation, and the security best practices set out in ISO/IEC 27001 and ISO/IEC 17799 (renamed ISO/IEC 27002 in 2007), make information risk analysis and vulnerability assessment the cornerstone of any program designed to safeguard information assets. Information technology risk assessment is an integral part of an ISO/IEC 17799 / ISO/IEC 27001 information security management system (ISMS).
In this two-day seminar you will focus on risk analysis and business impact analysis (BIA), two tested methodologies for measuring the level of security risk and prioritizing information risk reduction in your organization.

Course Benefits

This two-day workshop will enable delegates to:
  • explore the fundamentals of the risk management and vulnerability assessment process, and build models that fit your individual business needs;
  • discover how to determine whether you need a qualitative method, a quantitative method or a hybrid of the two;
  • discover how risk management can help you determine whether you are meeting the security requirements set out in HIPAA, GLBA and Sarbanes-Oxley;
  • learn how to create an atmosphere in which the information risk analysis process promotes cooperation among management, IT, business units and audit;
  • master BIA techniques you can use to facilitate managerial risk evaluations that identify the critical business processes, and the time frames within which they must be recovered, so that disruption and loss of data are limited and services are brought back to a competitive level.

At the end of this intensive seminar you will have built information risk analysis and BIA action plans and put them into practice in real-world scenarios.

Who should attend?

  • Business Continuity Managers
  • Disaster Recovery Managers
  • Project Managers
  • Business Analysts
  • Risk Managers
  • Consultants
  • Information Technology Managers
  • Compliance Managers
  • Information Technology Infrastructure Managers
  • Security Managers
  • Information Technology Strategic Planners
  • CIOs
  • General managers who want a broad understanding of the risk concepts in these standards

Course Outline:

This workshop provides answers to the key questions facing managers, technical staff and business stakeholders responsible for risk management. Based on ISO 31000 and ISO/IEC 27005 (the ISO standards for risk management and for information security risk management, respectively) and related guidance documents, it provides a practical, step-by-step approach to developing a risk management plan and implementing a risk management program.

A standards-based information security management system includes a formal risk management plan for the organization. Each identified risk must be treated: reduced with countermeasures, transferred to a third party (for example through insurance or outsourcing), avoided by changing or stopping the activity that creates it, or, in some cases, knowingly accepted as part of normal business risk. Risk assessment is the key tool for developing a security plan and, of course, for identifying the risks in the first place. In assessing the risks your company may face, you gather information that shows management the importance of a security strategy, then target the key points of vulnerability, develop security policies, and set priorities for implementing the necessary levels of system security.

Key topics covered in depth during the intensive two-day workshop are:

Security risk assessment

Risk assessments should be performed, and updated at appropriate intervals, for all information systems. This control includes:
  • systematic methods of assessing risks (threats and vulnerabilities);
  • systematic methods of comparing assessed risks against defined risk criteria, so that the decision about which risks are acceptable is made consistently rather than case by case;
  • periodic re-assessment to address changes in security requirements and/or in the risk environment; and
  • a clearly defined scope, including specification of the system(s) assessed, the means of assessment employed, and relationships with other risk assessments where appropriate.
Security risk treatment

Risk treatment should be undertaken to mitigate identified risks, using appropriate administrative, technical and physical controls. This control includes:
  • applying appropriate controls to avoid, eliminate or reduce risks;
  • transferring some risks to third parties where appropriate (e.g., by insurance);
  • knowingly and objectively accepting some risks; and
  • documenting the risk treatment choices made, and the reasons for them.

Risk treatment should take account of:
  • legal, regulatory and private certification requirements;
  • organizational objectives, operational requirements and constraints; and
  • the cost of implementing and operating each control relative to the risk it reduces.

What will be covered?

  • Risk management overview: modern risk management challenges and horror stories
  • AS/NZS 4360:2004 and related guidelines (superseded in 2009 by AS/NZS ISO 31000, which carries the same risk management process forward)
  • Establishing the risk management framework
  • Identifying and assessing the risks
  • Treating the risks
  • Ongoing monitoring and reporting
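The assessment and treatment steps in the outline above (assess each risk, compare it against the risk criteria, then reduce, transfer, avoid or accept it, and record why) and the choice between qualitative and quantitative methods mentioned under Course Benefits are easier to see on a concrete register. The following is an added worked example written for this page; it is not course material and not taken from ISO 31000, ISO/IEC 27005 or AS/NZS 4360. It scores each risk qualitatively (likelihood x impact on 1..5 scales) and quantitatively as annualized loss expectancy (ALE = single loss expectancy x annualized rate of occurrence), applies assumed risk criteria (the ACCEPT_MAX and AVOID_MIN thresholds), checks whether a candidate control pays for itself, and flags entries that are overdue for re-assessment. Every asset, threat, value, threshold and date in it is constructed for illustration.

```python
"""Added worked example (not course material and not from ISO 31000, ISO/IEC
27005 or AS/NZS 4360): a small risk register running the assess -> compare
against risk criteria -> treat loop from the outline.  Every asset, threat,
threshold and figure below is constructed for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta

# Risk criteria (assumed): qualitative scores at or below ACCEPT_MAX are normal
# business risk; scores at or above AVOID_MIN may not be carried unless a
# cost-effective control or a transfer option exists.
ACCEPT_MAX = 6
AVOID_MIN = 20
REASSESS_INTERVAL = timedelta(days=365)  # assumed re-assessment cadence


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int           # 1 (rare) .. 5 (almost certain)
    impact: int               # 1 (negligible) .. 5 (severe)
    asset_value: float        # value at risk, in currency units
    exposure_factor: float    # fraction of asset_value lost per incident, 0..1
    aro: float                # annualized rate of occurrence (incidents per year)
    control_cost: float       # annual cost of the candidate reducing control
    control_reduction: float  # fraction of the ALE the control removes, 0..1
    insurable: bool = False   # whether a transfer option (e.g. insurance) exists
    last_assessed: date = date(2024, 1, 15)  # constructed date of last review

    def __post_init__(self) -> None:
        # Reject out-of-scale inputs: a bad score silently mis-ranks a risk.
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.asset}: likelihood and impact must be 1..5")
        if not (0 <= self.exposure_factor <= 1 and 0 <= self.control_reduction <= 1):
            raise ValueError(f"{self.asset}: fractions must be within 0..1")

    def qualitative_score(self) -> int:      # qualitative method: likelihood x impact
        return self.likelihood * self.impact

    def sle(self) -> float:                  # single loss expectancy per incident
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:                  # annualized loss expectancy, untreated
        return self.sle() * self.aro

    def control_benefit(self) -> float:      # loss avoided per year net of control cost
        return self.ale() * self.control_reduction - self.control_cost

    def due_for_reassessment(self, today: date) -> bool:
        return today - self.last_assessed >= REASSESS_INTERVAL


def choose_treatment(risk: Risk) -> tuple[str, float]:
    """Compare the assessed risk with the criteria; return (treatment, residual ALE)."""
    score = risk.qualitative_score()
    if score <= ACCEPT_MAX:
        return "accept", risk.ale()
    if risk.control_benefit() > 0:
        return "reduce", risk.ale() * (1 - risk.control_reduction)
    if risk.insurable:
        return "transfer", 0.0   # simplification: the insurer carries the loss
    if score >= AVOID_MIN:
        return "avoid", 0.0      # too high to carry and nothing economic reduces it
    return "accept (documented exception)", risk.ale()


def sample_register() -> list[Risk]:
    """Constructed example risks; none of these figures are real data."""
    return [
        Risk("customer database", "ransomware", "unpatched internet-facing servers",
             likelihood=4, impact=5, asset_value=2_000_000, exposure_factor=0.4,
             aro=0.5, control_cost=60_000, control_reduction=0.8),
        Risk("staff laptops", "theft", "no full-disk encryption",
             likelihood=3, impact=3, asset_value=150_000, exposure_factor=0.2,
             aro=2.0, control_cost=5_000, control_reduction=0.9),
        Risk("marketing website", "defacement", "outdated CMS plugin",
             likelihood=2, impact=2, asset_value=40_000, exposure_factor=0.25,
             aro=1.0, control_cost=3_000, control_reduction=0.7),
        Risk("online payments", "card fraud", "weak transaction monitoring",
             likelihood=3, impact=4, asset_value=1_000_000, exposure_factor=0.05,
             aro=1.0, control_cost=80_000, control_reduction=0.5, insurable=True),
        Risk("public FTP server", "data theft", "anonymous access to customer files",
             likelihood=5, impact=5, asset_value=500_000, exposure_factor=0.6,
             aro=1.0, control_cost=120_000, control_reduction=0.3),
    ]


def treatment_plan(register: list[Risk], today: date) -> list[dict]:
    """Rank risks by ALE (highest first) and record each documented treatment decision."""
    plan = []
    for r in sorted(register, key=lambda r: r.ale(), reverse=True):
        treatment, residual = choose_treatment(r)
        plan.append({"asset": r.asset, "threat": r.threat, "score": r.qualitative_score(),
                     "ale": r.ale(), "treatment": treatment, "residual_ale": residual,
                     "reassess_due": r.due_for_reassessment(today)})
    return plan


if __name__ == "__main__":
    for row in treatment_plan(sample_register(), date(2025, 3, 1)):
        print(f"{row['asset']:<20} score={row['score']:>2} ALE={row['ale']:>10,.0f} "
              f"-> {row['treatment']} (residual ALE {row['residual_ale']:,.0f})")
```

Running the script prints the register ranked by ALE with the chosen treatment and the residual ALE for each entry. The treatment rules are deliberately simple: a risk inside the acceptance criteria is accepted as business as usual; a cost-effective control means reduce; an insurable risk with no cost-effective control is transferred; a risk above the avoid threshold that can be neither reduced economically nor transferred is avoided (the FTP server is decommissioned rather than patched at a loss); anything else is accepted only as a documented exception, which is exactly the decision the outline says must be recorded together with its reasons. The quantitative figures also make the cost argument to management concrete: the ransomware control removes an expected 320,000 a year of loss for 60,000 of spend, while the fraud-monitoring control would cost more than the loss it prevents.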

Workshop Format

This workshop is highly interactive, combining presentations and exercises. Working in groups, participants will create specific deliverables covering aspects of risk management. Comprehensive workbooks contain the presentation materials, supplementary notes and references to web-based resources including templates, sample documents, and checklists.