NIST, ISO and IG Toolkit
Framing risk: What is the organization's risk tolerance, and how does it make decisions about risk?
Assessing risk: What are the values of the inputs to the risk equation, and what results do they produce?
Responding to risk: Which alternatives will be chosen to address the risk?
Monitoring risk: How will the organization respond to any impacts of the risk mitigation activities?
ISO and IG Toolkit
• Started in 1947.
• It has published 19,500 standards for business and technology industries.
• ISO 27000 & 27001: Information Security Management Systems (ISMS) and their risk management.
• Secondary ISO 27005: Risk Assessment.
• Applicable to any size of organization or mission.
• Identifies opportunities and threats.
• The ISO 27000 family's options for addressing risk:
  Avoid: Do not perform the action that causes the risk.
  Accept: The probable cost of the occurrence is less than the value of the objective.
  Retain: Provided there is informed consent and the potential loss is minimal, you can budget for the risk.
  Remove: Remove the vulnerability or the source of the risk.
  Change: Change the likelihood of occurrence.
  Share: Share the cost through insurance, contracting, or another third-party agreement.
• Use: Control variance, partial compliance, and remediation activities can be documented, tracked, and communicated.