ASSIGNMENT 2 FRONT SHEET
Qualification
BTEC Level 5 HND Diploma in Computing
Unit number and title
Unit 5: Security
Submission date
Date Received 1st submission
Re-submission Date
Date Received 2nd submission
Student Name
Student ID
Class
GCH1006
Assessor name
Ha Trong Thang
Student declaration
I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism. I understand that
making a false declaration is a form of malpractice.
Student’s signature
Grading grid
P5
P6
P7
P8
M3
M4
M5
D2
D3
❒ Summative Feedback:
❒ Resubmission Feedback:
Grade:
Lecturer Signature:
Assessor Signature:
Date:
Table of Contents
Introduction
Task 1. Discuss risk assessment procedures (P5)
1. Risk
2. Risk assessment
3. Define assets, threats and threat identification procedures, and give examples
4. Explain the risk assessment procedure
5. List risk identification steps
Task 2. Explain data protection processes and regulations as applicable to an organization (P6)
1. Define data protection
2. Explain the data protection process in an organization
3. Why are data protection and security regulation important?
Task 2.1. Summarise the ISO 31000 risk management methodology and its application in IT security (M3)
1. Definition of ISO 31000
2. What is in ISO 31000
2.4. Process
2.5. When will ISO 31000 be used?
2.6. Applications of ISO 31000 in IT
Task 2.2. Discuss possible impacts to organizational security resulting from an IT security audit (M4)
1. Define IT security audit
2. What possible impacts to organizational security result from an IT security audit?
3. Provide a practical example for each of these impacts
Task 3. Design and implement a security policy for an organization (P7)
1. Define a security policy and discuss it
2. Discuss security policy
3. Give an example for each of the policies
4. Give the musts and shoulds that must exist while creating a policy
4.1 The musts that must exist while creating a policy
4.2 The shoulds that should exist while creating a policy
4.3 Examples of a few policies
5. Explain and write down the elements of a security policy
6. Give the steps to design a security policy
Task 4. List the main components of an organizational disaster recovery plan, justifying the reason for inclusion (P8)
1. Discuss with explanation business continuity
2. List the components of a disaster recovery plan
3. Write down all the steps required in the disaster recovery process
4. Explain some of the policies and procedures that are required for business continuity
Task 4.1. Discuss the roles of stakeholders in the organization to implement security audit recommendations (M5)
1. Define stakeholders
2. What are their roles in an organization?
3. Define security audit and state why you need it
4. Recommend the implementation of security audit to stakeholders in an organization
Conclusion
References
Introduction
- Data circulates freely between individuals, organizations, and enterprises in today's data-driven and
globally networked world. Data has great monetary value, and cybercriminals are fully aware of this. Due
to the ongoing rise in cybercrime, there is an increasing need for security experts to protect and defend
businesses. This report goes over some core ideas of security: examining risk assessment techniques,
outlining data protection procedures and laws as they apply to a business, and designing a security policy
for an organization. It also lists the primary components of an organizational disaster recovery plan and
justifies their inclusion.
Task 1. Discuss risk assessment procedures (P5)
1. Risk
1.1 Definition.
Risk in cybersecurity refers to the possibility of asset or data loss, damage, or destruction. A threat
is a potential cause of harm, such as an attacker who exploits a vulnerability. A vulnerability is a
weakness that exposes you to a threat and raises the possibility of an unfavorable outcome. Your assets,
data, or company are therefore at risk when a threat acts on a weakness in your IT infrastructure, network,
or applications.
Risk is the possibility that an asset will suffer a loss, and its size depends on how likely the event is
and how much the asset is exposed to it (in the simplest form, risk = likelihood x impact). A computer, a
database, or a piece of information can all be considered assets in the context of IT security. Some
instances of risk are:
+ Losing data
+ Losing business because a disaster has destroyed your building
+ Failing to comply with laws and regulations
The role of vulnerability management (VM) solutions is to help enterprises manage cybersecurity
risk. The "everything is a risk" mentality of traditional VM forces security and IT teams to prioritize
and fix an ever-growing list of vulnerabilities, many of which do not truly endanger the enterprise. This
wastes time, money, and resources, and frequently drives a wedge between the IT and DevOps teams, who
must remediate without context or meaningful priority, and the security team, which struggles to
prioritize what is most critical. In the end, teams cannot produce thorough or accurate reports of their
efforts, and risk is not reduced.
1.2 Negative school
+ Risk is unpleasant, undesirable, and unforeseen.
+ Risk is the potential to experience harm or danger.
+ Risks are uncertain events that occur in a company's activities and production processes and have a
detrimental effect on the firm's capacity to continue operating and expanding.
+ In everyday usage, risk is simply described as "damage, loss, danger, or elements related to danger,
difficulty, or uncertainty that can happen to a person."
1.3 The neutral school
+ Risk is measurable uncertainty linked to the occurrence of unforeseen events: both whether the event
happens and what its outcome will be are uncertain, and the outcome may be a loss or a gain.
2. Risk assessment
2.1. Definition :
- The term "risk assessment" refers to the whole procedure or approach in which you:
+ Determine the hazards and risk factors that might lead to harm (risk identification)
+ Analyze and assess the risk brought on by each hazard (risk analysis and risk evaluation)
+ Find suitable strategies to reduce the risk or, if it cannot be reduced, remove the hazard (risk control)
- A risk assessment is a detailed examination of your workplace to find any elements, circumstances,
procedures, etc. that might be harmful, especially to people or, in IT, to information assets. Following
identification, you assess the risk's likelihood and seriousness, and can then decide what steps need to be
taken to remove or control the harm.
2.2. How does risk assessment work?
+ Size, growth rate, resources, and asset portfolio are some of the variables that determine how in-depth a
risk assessment is. Organizations facing financial or time constraints may carry out generic reviews, but
such generalized evaluations will not necessarily contain exact mappings of assets, linked threats, known
risks, consequences, and mitigation strategies. If the results of the broad assessment do not sufficiently
connect these areas, a more in-depth study is necessary.
2.3 The goals of risk assessment are to :
+ Analyze potential dangers
+ Prevent injury or harm
+ Adhere to legal obligations
+ Make a thorough inventory of the resources that are available
+ Define the budget for risk mitigation and justify the expenses of risk management
+ Identify, prioritize, and document the risks, threats, and known vulnerabilities to the organization's
production infrastructure and assets, and set a budget to deal with or lessen them
+ Understand the return on investment when funds are put into infrastructure or other assets to reduce risk
+ It's crucial to comprehend the return on investment if funds are put in business assets such as
infrastructure or other assets to reduce potential risk.
2.4. The 5 steps in the risk assessment process :
- Step 1: Identify the hazards
+ Identify the risks that your staff and business face, such as:
+ Natural disasters (flooding, tornadoes, hurricanes, earthquakes, fire, etc.)
+ Biological hazards (pandemic diseases, foodborne illnesses, etc.)
+ Workplace accidents (slips and trips, transportation accidents, structural failure, mechanical
breakdowns, etc.)
+ Chemical hazards (asbestos, cleaning fluids, etc.)
- Step 2 : Determine who might be harmed and how
+ Consider how business operations or outside influences may hurt your staff when you take a look
around your company. Consider who will be injured if each of the hazards you identified in step one
comes to pass.
- Step 3 : Evaluate the risks and take precautions
+ You must take into account both the probability that the hazard will occur and the severity of the
repercussions if it does. This assessment will assist you in deciding where risk should be reduced and
where dangers should be given priority.
- Step 4 : Record your findings
+ Regulations require you to document your risk assessment. The risks you have identified, the individuals
they affect, and your mitigation strategy should all be included. The document, or risk assessment plan,
should show that you have:
+ Thoroughly examined your workplace
+ Ascertained who would be affected
+ Handled any evident problems
+ Started taking actions to minimize risks
+ Maintained employee involvement throughout the process
- Step 5 : Review your assessment
+ Your workplace is always evolving, and so are the threats to your business. Each time new tools,
procedures, or personnel are introduced, a new danger may arise. To keep up with emerging risks, review
and update your risk assessment regularly.
2.5. How to do a risk assessment?
- An IT team can approach risk assessment in two ways :
- Qualitative :
+ In a qualitative risk assessment, risks are ranked according to their likelihood of occurring and their
impact on company operations. Impact is the level of harm a realized threat could cause, usually stated on
a scale from low (insignificant) to high (catastrophic). Qualitative analyses are rather subjective, but
they help identify the most important threats. This kind of evaluation uses relative terms and calls for
input from people who work in different areas; a qualitative evaluation might ask which dangers are more
serious than others. This lets technical specialists and business units understand how an event may affect
various operations or departments.
- Quantitative :
+ By assigning a monetary value to each risk, this kind of assessment defines risk in financial terms, for
instance as an annualised loss expectancy (the expected loss from one event multiplied by how often the
event is expected per year). It is more objective than a qualitative analysis. Its downside is that many
hazards have values that are hard to quantify, such as reputation and the availability of countermeasures,
and exact figures are difficult to calculate, particularly when estimating the cost of future events.
Quantitative assessments are simpler to automate than qualitative ones.
3. Define assets, threats and threat identification procedures, and give examples
3.1 Definition of Assets
- An asset is a resource that belongs to a person or business and has economic worth. This comprises
money, tools, things, rights, or anything else that enables a business to make money or save costs.
Because assets are what businesses rely on to run and turn a profit, they are crucial. Along with liabilities
and equity, it is one of the three ideas that make up the basic accounting equation.
- In information security, computer security, and network security, any information, device, or other
component of the environment that supports information-related operations is an asset. Examples include
hardware (such as servers and switches), software (such as mission-critical applications and support
systems), and confidential data. Assets must be safeguarded against unauthorized use, disclosure,
alteration, destruction, and/or theft that might cause a loss.
3.2 Definition of Threats
- A threat is any situation or event with the potential to negatively affect an organization's operations
(including its mission, functions, image, or reputation), assets, or people through an information system,
whether by unauthorized access, destruction, disclosure, or modification of information, or denial of
service. A threat source's capability to successfully exploit a particular information system vulnerability
is another consideration. In short, a threat is anything that has the potential to seriously harm the
computer systems, networks, or other digital assets of an organization or person.
3.3 Threats Identification Process
- Organize pre-work meetings to discuss the day's activities. Employees should be encouraged to be aware
of potential hazards and to report them.
- Audit workplaces and examine them for safety.
- Perform a job safety analysis (JSA) and, if possible, a HAZOP study. Any unique techniques, components,
or structures must be assessed.
- Examine the product's safety information as well as any publicly accessible data. Look for reports on
prior incidents and near misses.
3.4 Example of Threats Identification Procedures
- Threat identification for electronic documents
+ Threat: storage failure; vulnerability: no document backup (possible availability loss)
+ Threat: virus or other malware; vulnerability: anti-virus software that is out of date or itself has
security flaws (possible confidentiality, integrity and availability loss)
+ Threat: unauthenticated access or SQL injection from an unknown source; vulnerability: an inadequately
designed access control scheme or unvalidated input (possible confidentiality, integrity and availability
loss)
+ Threat: unauthorized access; vulnerability: access granted to too many people (possible confidentiality,
integrity and availability loss)
- Threat identification for physical documents
+ Threats: fire and hurricanes; vulnerability: the document is not kept in a fire-proof protective box
(possible availability loss)
+ Threats: earthquakes, fires, and other calamities; vulnerability: no paper or scanned backup of the
records (possible availability loss)
+ Threat: theft or reading by an unauthorized person; vulnerability: a vital document is not locked away in
a safe (possible confidentiality loss)
4. Explain the risk assessment procedure
- A risk assessment should be conducted by a qualified individual or group with in-depth knowledge of the
subject at hand. Managers and employees who work with the process being evaluated are most familiar with
it and should be part of the team or used as information sources. The risk assessment procedure has the
following stages :
4.1 Asset Identification
- The asset register : a list of everything the organization relies on, such as hardware, software, data,
people and services, together with each asset's owner and location. (Inventory in the accounting sense,
finished goods, parts or raw materials carried on the balance sheet as a current asset, is only one kind
of asset.)
- Record each asset's attributes and determine its relative value to the organization.
4.2 Threat Identification
- Once you have recognized the threats that might endanger your business and estimated the likely
magnitude of any resulting loss, you can decide how to defend it. A risk assessment can uncover a sizable
number of potential threats, such as break-ins, vandalism, theft, or other occurrences that differ from one
business to the next, which can make further risk management tasks appear unachievable.
- Divide threats into groups : a security threat is a harmful act carried out to steal, corrupt, or
interfere with data, the systems of an organization, or the entire firm. Grouping threats (for example by
source: natural, accidental, deliberate) keeps the list manageable.
4.3 Assessment of Vulnerability
- A vulnerability assessment is a systematic examination of an information system's security flaws. It
determines whether the system is exposed to any known weaknesses, rates the seriousness of each, and
recommends correction or mitigation as necessary.
- Examples of weaknesses such an assessment finds, and the attacks they enable :
+ Code injection flaws, enabling SQL injection, XSS, and similar attacks.
+ Privilege escalation resulting from inadequate authentication methods.
+ Software shipped with insecure default settings, including admin passwords that are easy to guess.
4.4 Risk assessment
- Determine the impact of the organization's vulnerabilities :
+ All facilities are at risk to varying degrees from various dangers, which may arise from natural
disasters, accidents, or malicious actions intended to cause harm. Whatever the nature of the threat,
facility owners must minimize or otherwise mitigate the risks it brings.
- Assess the chance that the weakness will be exploited :
+ Estimate the probability that each threat will actually act on the vulnerability, drawing on past
incidents, threat intelligence and how exposed the asset is; combined with the impact, this gives the risk
level.
- Make a plan and decide what to do with each risk (accept, mitigate, transfer or avoid it).
- The evaluation must take into account all potential possibilities in addition to the workplace's current
situation. By assessing the level of risk connected to a hazard, the employer and the health and safety
committee can decide if and to what extent a control program is required.
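The qualitative and quantitative methods of section 2.5 and the four stages above (asset identification, threat identification, vulnerability assessment, risk assessment) can be combined into a small risk register. The Go program below is an added example written for this report, not code taken from any source the report cites. The assets, values, likelihoods and the control cost are constructed; the 1 to 5 scales, the low/medium/high bands and the accept/mitigate/transfer rule are assumptions chosen for illustration, while SLE = asset value x exposure factor and ALE = SLE x ARO are the standard quantitative formulas.

```go
package main

import (
	"fmt"
	"sort"
)

// Risk couples an asset with one threat/vulnerability pair and the
// estimates needed for both a qualitative and a quantitative rating.
// All names and figures in this file are constructed for illustration.
type Risk struct {
	Asset, Threat, Vulnerability string
	Likelihood, Impact           int     // qualitative, 1 (low) .. 5 (high); assumed scale
	AssetValue                   float64 // money at stake if the asset is lost
	ExposureFactor               float64 // fraction of the value lost per event, 0..1
	ARO                          float64 // annualised rate of occurrence (events per year)
}

// Score is the qualitative rating: likelihood x impact on a 1..25 scale.
func (r Risk) Score() int { return r.Likelihood * r.Impact }

// Rating maps the score onto low/medium/high bands (band edges are assumed).
func (r Risk) Rating() string {
	switch s := r.Score(); {
	case s >= 15:
		return "High"
	case s >= 8:
		return "Medium"
	default:
		return "Low"
	}
}

// SLE (single loss expectancy) and ALE (annualised loss expectancy) are the
// standard quantitative figures: SLE = asset value x exposure factor,
// ALE = SLE x ARO.
func (r Risk) SLE() float64 { return r.AssetValue * r.ExposureFactor }
func (r Risk) ALE() float64 { return r.SLE() * r.ARO }

// Treatment is an assumed decision rule: buy a control when its annual cost
// is below the loss it prevents; a High risk that is too costly to mitigate
// is transferred (e.g. insured); anything else is accepted.
func Treatment(r Risk, controlCost, riskReduction float64) string {
	saved := r.ALE() * riskReduction
	switch {
	case r.Rating() == "High" && saved <= controlCost:
		return "transfer"
	case saved > controlCost:
		return "mitigate"
	default:
		return "accept"
	}
}

// RankByALE returns a copy of the register with the most expensive risk first.
func RankByALE(reg []Risk) []Risk {
	out := append([]Risk(nil), reg...)
	sort.Slice(out, func(i, j int) bool { return out[i].ALE() > out[j].ALE() })
	return out
}

// SampleRegister is a constructed three-entry register for a small firm.
func SampleRegister() []Risk {
	return []Risk{
		{"Customer database", "SQL injection", "unvalidated web input", 4, 5, 200000, 0.5, 0.5},
		{"File server", "Ransomware", "no offline backup", 3, 4, 80000, 1.0, 0.25},
		{"Office", "Flood", "ground-floor server room", 1, 4, 50000, 0.6, 0.05},
	}
}

func main() {
	// A control costing 10000/year that removes 80% of the risk (assumed figures).
	for _, r := range RankByALE(SampleRegister()) {
		fmt.Printf("%-18s %-14s score=%2d %-6s SLE=%8.0f ALE=%8.0f -> %s\n",
			r.Asset, r.Threat, r.Score(), r.Rating(), r.SLE(), r.ALE(), Treatment(r, 10000, 0.8))
	}
}
```

Run it with `go run` to print the register ranked by ALE. The point to notice is that the two ratings need not agree: the file server risk only scores Medium qualitatively, yet it still justifies the control because its annualised loss (20000) exceeds the control's cost, which is exactly the return-on-investment question raised in section 2.3.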
5. List risk identification steps
- Step 1 : Risk statement
+ The process of identifying hazards necessitates gradually compiling a list of dangers and characterizing
them. The information is referred to as a risk statement when it is written down. A risk statement explains
what could occur, why it might, when it might happen, and how it might affect the goal. Additionally, it's
ideal if you describe the type of dangers.
- Step 2 : Basic identification
+ Providing answers to two concerns about potential risks: why or why not us, and whether or not they
have been experienced before. While the latter should come from a project postmortem or lessons learned
library, the former may be obtained through a SWOT analysis approach.
- Step 3 :Detailed identification
+ This phase investigates the hazards identified in the earlier phases in more detail. Four tools can help
with the task:
+ Assumptions analysis
+ Interviewing
+ Document reviews
+ Brainstorming
- Step 4 : External cross-check
+ It's time to broaden your list of hazards after compiling one based on the suggestions and expertise of
your project team. You can use the external cross-check step to determine whether there is pertinent
information accessible outside of the project. Checklists and categories are two resources you may use to
undertake external cross-checking.
+ A checklist is a collection of common industrial dangers, their root causes, and typical effects. They
frequently provide potential answers as well.
+ Risks are listed in categories, which are collections of risks that may include subcategories. The "Risk
Breakdown Structure," or RBS, is an illustration of a technique for producing categories. By using this
method, you categorize each danger. The following are some examples of categories: technical,
operational, commercial, and planning. Then you further go into each area.
- Step 5 : Internal cross-check
+ The first stage of internal cross-checking is mapping to a work breakdown structure (WBS), a project
document that describes the work packages necessary for the project's completion. Before selecting any
hazards, ascertain which WBS element each risk on your list corresponds to. For instance, when your
marketing team is developing a new label, a delay there might affect when you can ship your goods.
- Step 6 : Statement finalization
+ The following action is to ascertain whether any components are lacking before finalizing your risk
statement. Check the document's correctness by reading it again. It could be beneficial to read the message
aloud to a few more team members.
- Brainstorming : Using this method, group participants are asked for their unstructured feedback during a
meeting. All participants should feel free to make recommendations without concern for rejection or
mockery, according to the facilitator.
- Surveys : Employers using this strategy give participants lists of prepared questions for feedback. To
receive the best feedback, a range of people from various organizational departments should be selected.
In the Delphi approach, survey responses are collected anonymously, summarized, and fed back to the
participants for further rounds of comment; anonymity encourages more honest communication.
- Interviews : Conducting one-on-one or in-group interviews can be a useful strategy for learning more
about hazards from the interviewee's point of view.
- Working groups: This method focuses on getting input from a group of people chosen from a certain
work area. In general, the input working groups offer aids in identifying risks in certain areas.
- Lists : Many firms create risk checklists for either internal usage or public disclosure. To make sure you
cover the range of hazards, checklists created for comparable companies or objectives might be useful.
- Historical information : A company, unless it is brand-new, will have access to some past data. This
information might be a procedure for identifying risks that have already been faced, or it could represent
records of prior mistakes. In any case, using past data to pinpoint current dangers might be useful.
Task 2. Explain data protection processes and regulations as
applicable to an organization (P6)
1. Define data protection
Data protection is the act of preventing crucial data from being corrupted, compromised, or lost
and giving the capacity to restore the data to a useable condition in the event that something were to
happen to make it unavailable or inaccessible. Data protection ensures that information is not tampered
with, is only available for permitted uses, and complies with any applicable legal or regulatory
requirements. Data that has been protected must be accessible when needed and useable for the intended
function. However, the definition of data protection encompasses more than just the idea of data
availability and usefulness; it also includes concepts like data immutability, preservation, and
deletion/destruction.
+ As an example of such a policy in practice, the company Brainstorm recognizes the value of protecting
individual privacy and has put in place a data processing policy designed to ensure a high level of
security in the collection and use of personal data, as well as compliance with applicable laws. This
policy is one of the fundamental pillars supporting the entity's strategy. In accordance with the European
Union's General Data Protection Regulation (GDPR), Brainstorm has implemented technical and organizational
measures to prevent loss, misuse, alteration, unauthorized access, and theft of the personal data that
stakeholders provide when accessing the various sections of the Brainstorm website.
According to the figure below, data protection is made up of three major areas: traditional data
protection (such as backup and restore copies), data security, and data privacy. The methods and tools
employed to safeguard data may be viewed as business procedures and data protection mechanisms that help
to achieve the overall objective of maintaining the immutability and continuous availability of crucial
business data.
2. Explain data protection process in an organization
- When explaining data protection to an organization, it helps to give concrete instructions. The GDPR's
numerous requirements rest on one underlying demand: make sure the data is secure. If you succeed in doing
that, you will have much less to worry about and will find it far simpler to resolve any further problems
that occur. I have therefore compiled a list of the most commonly used data protection strategies; some of
them are named in the legislation itself.
+ Risk Assessment :
+ The riskier the data, the greater the protection it must be given. Sensitive data should be rigorously
secured, while low-risk data can be protected less. These evaluations are largely driven by financial
considerations, because stronger data security costs more; but they are a useful test for identifying
which data needs closer protection and they improve the effectiveness of the whole data processing system.
+ Your risk assessment should consider both the possible consequences of a data breach and the likelihood
that one will occur; the more sensitive the data, the higher the danger on each of these axes. A data
protection officer (privacy officer) can help with these evaluations by setting sound ground rules. Do not
classify data on your own unless you are confident you know what you are doing: misclassifying data, and
then losing it, can have devastating results.
+ Backups
+ Backups prevent data loss, which frequently results from human error or technical failure. They should
be created and updated regularly and, above all, tested by restoring from them; an untested backup is not
a backup. Regular backups cost your organization something, but disruption to everyday operations can cost
far more. Backup frequency should follow the value of the data: business-critical data must be backed up
more often than data of low relevance. Backups must be kept in a secure location, separate from the
systems they protect (offline or otherwise isolated copies also resist ransomware), and should be
encrypted. Do not put private information into cloud storage unless it is encrypted with keys the provider
does not hold. Inspect storage media for degradation periodically, as the manufacturer directs, and
preserve them according to official instructions.
+ Encryption
+ High-risk data is the first candidate for encryption at every step of the process: collection (transport
encryption such as TLS), processing (encrypted memory or confidential-computing environments, where
available) and archival (symmetric encryption such as AES, with the data key itself protected, for example
by wrapping it with an RSA or other public key or by storing it in a key management service). Properly
encrypted data remains safe even if it is breached, provided the keys are not breached with it; the stolen
ciphertext is then worthless to the attacker. Because of this, encryption is specifically named in the
GDPR as a data security technique, so using it properly counts in your favor with the authorities.
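For the archival case, the Go program below is an added example (not from the original report or any product it mentions) showing authenticated encryption of a customer record with AES-256-GCM, with the key generated and held separately from the data. The record content, the `customer:42` context string and the in-memory key handling are constructed for illustration; in production the key would live in a key management service or be wrapped by a key-encryption key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Encrypt seals plaintext with AES-256-GCM. A fresh random 12-byte nonce is
// prepended to the ciphertext, and the GCM tag makes any later tampering
// detectable on decryption. aad binds context (here a record id) so a
// ciphertext cannot be silently moved to a different record.
func Encrypt(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt reverses Encrypt and fails closed if the key, nonce, aad or
// ciphertext differ from what was sealed.
func Decrypt(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// NewKey draws a fresh 256-bit data-encryption key. Keeping it in memory here
// is an assumption for the example; store it in a KMS/HSM or wrap it with a
// key-encryption key, never next to the data it protects.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, k)
	return k, err
}

// RoundTrip encrypts a constructed customer record, decrypts it, then flips
// one byte of the sealed blob to show that tampering is rejected.
// It returns (recovered plaintext, tamperDetected, error).
func RoundTrip() ([]byte, bool, error) {
	key, err := NewKey()
	if err != nil {
		return nil, false, err
	}
	record := []byte(`{"id":42,"name":"A. Example","dob":"1990-01-01"}`) // constructed
	aad := []byte("customer:42")
	sealed, err := Encrypt(key, record, aad)
	if err != nil {
		return nil, false, err
	}
	plain, err := Decrypt(key, sealed, aad)
	if err != nil {
		return nil, false, err
	}
	sealed[len(sealed)-1] ^= 0x01 // corrupt the authentication tag
	_, tamperErr := Decrypt(key, sealed, aad)
	return plain, tamperErr != nil, nil
}

func main() {
	plain, tampered, err := RoundTrip()
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %s\ntamper detected: %v\n", plain, tampered)
}
```

The design choice to notice is that the key never appears in the sealed output, so a copy of the archive alone is useless to an attacker, and that GCM's tag turns silent corruption of a backup into a hard error rather than quietly restoring bad data.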
+ Pseudonymisation
+ Another strategy promoted by the GDPR to improve data security and individual privacy is
pseudonymisation. It replaces the direct identifiers in records (names, ID numbers) with artificial
identifiers, so that the data can no longer be attributed to a person without additional information; it
is most effective on larger data sets. For instance, you may substitute randomly generated strings or keyed
hashes for people's names. The GDPR requires that this additional information (the lookup table or key) be
kept separately and protected, otherwise the link to the person is trivially restored. Institutions and
schools that hold personal data should be well versed in the process so that they pseudonymize it correctly.
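The following Go program is an added example, not part of the original report, that pseudonymises the name column of a constructed data set with a keyed hash (HMAC-SHA256) and contrasts it with the common mistake of using an unkeyed hash, which an attacker holding a list of likely names can reverse by trial. The names, grades and the 32-byte key are constructed; the 16-character truncation of the tag is an arbitrary choice for readability.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Pseudonym replaces a direct identifier with an HMAC-SHA256 tag under a
// secret key. The same name always maps to the same pseudonym, so records
// can still be joined, but without the key nobody can rebuild the mapping.
// The key is the "additional information" the GDPR says must be kept apart.
func Pseudonym(key []byte, name string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(name))
	return hex.EncodeToString(mac.Sum(nil))[:16]
}

// NaiveHash is the common mistake: an unkeyed hash. It looks anonymous, but
// anyone with a list of candidate names can recompute it and match.
func NaiveHash(name string) string {
	sum := sha256.Sum256([]byte(name))
	return hex.EncodeToString(sum[:])[:16]
}

// ReidentifyByDictionary simulates an attacker who holds a pseudonym and a
// candidate-name list and guesses the scheme f. It returns the matching
// name, or "" if no candidate matches.
func ReidentifyByDictionary(target string, candidates []string, f func(string) string) string {
	for _, c := range candidates {
		if f(c) == target {
			return c
		}
	}
	return ""
}

// Pseudonymise copies the rows and rewrites only the "name" column.
func Pseudonymise(key []byte, rows []map[string]string) []map[string]string {
	out := make([]map[string]string, 0, len(rows))
	for _, r := range rows {
		c := map[string]string{}
		for k, v := range r {
			c[k] = v
		}
		c["name"] = Pseudonym(key, r["name"])
		out = append(out, c)
	}
	return out
}

func main() {
	key := make([]byte, 32) // in practice: generated once, stored apart from the data
	rand.Read(key)
	rows := []map[string]string{ // constructed sample data set
		{"name": "Alice Nguyen", "grade": "A"},
		{"name": "Bob Tran", "grade": "C"},
		{"name": "Alice Nguyen", "grade": "B"},
	}
	for _, r := range Pseudonymise(key, rows) {
		fmt.Println(r["name"], r["grade"])
	}
	dict := []string{"Bob Tran", "Alice Nguyen"}
	fmt.Println("unkeyed hash re-identified as:", ReidentifyByDictionary(NaiveHash("Bob Tran"), dict, NaiveHash))
	fmt.Println("keyed pseudonym re-identified as:", ReidentifyByDictionary(Pseudonym(key, "Bob Tran"), dict, NaiveHash))
}
```

Running it shows the two Alice rows receiving the same pseudonym (so per-person analysis still works), the dictionary attack recovering "Bob Tran" from the unkeyed hash, and the same attack failing against the keyed pseudonym. Whoever holds the key can still re-identify everyone, which is why the GDPR treats pseudonymised data as personal data and the key as something to lock away.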
+ Access Control
+ Adding access restrictions to your business processes is a highly effective way to reduce risk: the
fewer people who have access to the data, the lower the chance of a breach or loss. Grant access on a
least-privilege, need-to-know basis and review it whenever roles change. With the assistance of your data
protection officer, create a clear and simple data protection policy detailing the procedures, duties, and
obligations of each employee.
+ Destruction
+ At some point it may be necessary to delete the data you currently hold. Although it might not appear
to be a protective strategy at first, data deletion is one: it safeguards the data from unauthorized access and
recovery. The GDPR requires you to erase any data you no longer need, and sensitive data requires
more thorough destruction procedures.
3. Why are data protection and security regulation important?
- Data protection is crucial because it shields an organization's information against fraud, hacking,
phishing, and identity theft. Any business that wishes to function efficiently must create a data
protection plan to ensure the security of its information; preserving and protecting data from
various risks and under various conditions is the main idea and significance of data protection.
- The significance of data protection grows along with the amount of data being generated and
stored. Cyberattacks and data breaches can have catastrophic consequences, so organizations must
proactively safeguard their data and regularly upgrade their security protocols, not to mention the
logistical and monetary repercussions of a data breach: analyzing the damage, making repairs, and
working out which business procedures went wrong and what has to be fixed all cost time and
money.
- Data protection and security law gave data security a new degree of significance, making it not
only a commercial need but also a legal one.
- Ensuring availability and integrity is important, and you cannot undo a confidentiality violation.
- Confidential information security controls are among the most significant categories of security
measures. Confidentiality is given priority because a confidentiality violation cannot be corrected:
once someone has seen sensitive information, it cannot be erased from their mind. Even so, ensuring
availability and integrity is just as crucial. To safeguard your company's data assets, you must pay
close attention to each of the three information security principles.
Task 2.1. Summarise the ISO 31000 risk management methodology and its application in IT security (M3)
1. Definition of ISO 31000
- ISO 31000 is a risk management standard (often referred to as a risk management process) used by
risk management programs in a number of sectors. It helps create a formal and consistent process by
standardizing the steps users take to assess and manage risk. A corporation as a whole, as well as specific
divisions, initiatives, and activities, may apply risk management at any time and at different levels.
2. What is in ISO 31000
2.1 Scope
- Any organization, regardless of size or sector, may apply the global risk management standard ISO
31000. ISO 31000 may be utilized to accomplish any and all goals at all levels and divisions of a
corporation. It may be used in all kinds of activities and at the organizational or strategic level to support
decision-making.
- The company needs to specify the range of its risk management initiatives. Because the risk management
process may be used at several levels (such as strategic, operational, program, project, or other activities),
it is critical to understand the scope of the process, the pertinent objectives to take into account,
and how they connect with organizational goals.
- The following factors should be taken into account when planning the strategy:
+ the goals and decisions to be made
+ the results anticipated from the steps to be taken in the process
+ the time, location, and specific inclusions and exclusions
+ the appropriate tools and techniques for risk assessment
+ the resources needed, the duties to be carried out, and the records to be kept
+ relationships with other projects, processes, and activities.
2.2 Principles
2.3 Frameworks
- The risk management framework's goal is to help the company incorporate risk management into crucial
tasks and operations. Integrating risk management within the organization's governance, including
decision-making, is essential for its efficacy. Stakeholders, in particular senior management, must support
this. The integration, design, implementation, evaluation, and improvement of risk management across the
enterprise are all included in framework development. The company needs to assess the effectiveness of
its current risk management procedures and practices, identify any gaps, and fill those holes within the
framework. The framework's elements and how they interact should be tailored to the organization's
requirements.
2.4 Process
- In the risk management process, rules, procedures, and practices are applied systematically to the
tasks of consulting and communicating, setting the context, and evaluating, treating, monitoring,
reviewing, documenting, and reporting risk.
+ The organization's structure, operations, and procedures should all include the risk management
process as an inherent element of management and decision-making. It can be used at the project,
program, or operational levels. The risk management process may be used in a variety of ways inside an
organization, each one tailored to achieve specific goals and fit the particular internal and external context.
Throughout the risk management process, it is important to take into account the dynamic and changeable
character of human behavior and culture. Despite frequently being described as sequential, the risk
management process is actually iterative.
- Communication and consultation: The goal of communication and consultation is to help
interested parties understand risk, the rationale behind decisions, and the reasons why certain
actions are necessary. Communication aims to increase risk awareness and comprehension, while
consultation entails gathering input and data to support decision-making. Close cooperation between the
two should make it easier to transmit information that is truthful, timely, relevant, accurate, and
intelligible, while also taking into account the integrity and confidentiality of information and people's
right to privacy. Throughout each phase of the risk management process, suitable internal and external
stakeholders should be consulted and communicated with.
2.5 When is ISO 31000 used?
- A company's internal risk management and control (managers).
- Describe the strategies for managing and reducing risk (trainers - consultants).
- Establish rules and processes for risk management (implementers).
- Create relevant standards and behavior guidelines (experts).
2.6 Applications of ISO 31000 in IT
2.6.1. Risk assessment
- General: Risk assessment is the combination of the risk identification, analysis, and evaluation
processes. The expertise and opinions of stakeholders should be incorporated into a methodical, iterative,
collaborative approach to risk assessment. When required, it should supplement the best knowledge
available with additional research.
- Risk identification: The goal of risk identification is to find, recognize, and describe risks that might
aid or obstruct an organization in attaining its goals. Information that is current, suitable, and relevant
is crucial for recognizing hazards. For detecting uncertainties that might impact one or more
objectives, the organization has a variety of tools at its disposal. The following elements, as well as their
interactions, should be taken into account:
+ tangible and intangible sources of risk;
+ causes and events;
+ threats and opportunities;
+ vulnerabilities and capabilities;
+ changes in the external and internal context;
+ indicators of emerging risks;
+ the nature and value of assets and resources;
+ consequences and their impact on objectives;
+ limitations of knowledge and reliability of information;
+ time-related factors;
+ biases, assumptions and beliefs of those involved.
- Risk analysis: The goal of risk analysis is to understand the existence and characteristics of a risk,
including, if necessary, its level. When analyzing risks, factors such as uncertainties, risk sources,
consequences, likelihood, events, scenarios, controls, and their effectiveness are all carefully taken into
account. One event can have multiple causes and effects and can impact multiple objectives. Depending
on the goal of the study, the accessibility and validity of the data, and the resources at hand, risk analysis
can be conducted to varied degrees of detail and complexity. Depending on the situation and intended
usage, analysis techniques might be qualitative, quantitative, or a combination of these. Risk analysis
should consider factors such as:
+ the likelihood of events and consequences;
+ the nature and magnitude of consequences;
+ complexity and connectivity;
+ time-related factors and volatility;