Risk analysis methodology and process
secunet can draw on various standardized procedures and methodologies for performing risk analyses. These take into account the requirements of ISO/IEC 27001 and ISO 31000 / ISO 9001 and, where necessary, industry-specific requirements (e.g. ISO 27019 for power grid operators, DIN VDE V 0832-700 for road traffic signal systems).
In addition to defining the methodology, a risk management process must be established. For this purpose, the persons responsible for the assessment, for carrying out the analyses and for selecting measures are defined. Furthermore, it must be ensured that risk analyses are repeated at regular intervals and again whenever significant changes occur within the organization or in its environment (e.g. due to projects, a change of service provider, or adjustments to the IT infrastructure).
In the case of data protection, additional requirements arise from the GDPR, e.g. the inclusion of the record of processing activities and the assessment of risks from the perspective of the affected private individual (the data subject).
Risk analyses in business continuity management are characterized by their link to a time factor. Here, the focus is on identifying the measures that eliminate impairments as quickly as the requirements demand (keyword: emergency).
In addition, secunet cooperates with various GRC tool manufacturers that enable tool-based risk management.
Support with risk analyses
Even if the methodology and the process have already been defined, secunet is happy to support the execution of risk analyses, e.g. through moderation and expertise, so that the experts involved have the basis they need to assess hazards correctly and to define or work out countermeasures.