Stiki advises its customers on how to conduct a risk assessment. A risk assessment evaluates the threats posed to assets, their effects, the assets' sensitivity to them and the probability of the threats materialising. This includes assessing the risk of an outside party accessing data, changing it or otherwise reducing its security.
Risk assessment also covers the scope and consequences of the risk with reference to the nature of the data. Its objective is to provide a basis for selecting appropriate security measures. Risk assessments are reviewed regularly, at least annually.
An effort is made to elicit all aspects affecting the security of the systems falling under the assessment's scope:
- Information assets: All assets or groups of assets, both tangible and intangible, regarded as part of the operations that the risk assessment is intended to cover.
- Security risk: Security risk is identified based on the value of assets, the seriousness of threats posed to assets, the probability of the threats being realised and the asset's vulnerability to them. Security risk can be minimised by implementing measures reducing threat vulnerability and/or the chances of the threat occurring.
- Risk benchmarks: Risk limits that management staff defines as acceptable in their operations.
- Residual risk: The risk not met by measures implemented according to the management's defined acceptance limits.
RM Studio
Stiki performs risk assessments using RM Studio, a software solution it developed for conducting risk assessments in compliance with ISO/IEC 27001 requirements. The solution has since been generalised to meet the requirements of other standards. RM Studio lets the risk assessment be performed in English, German or Icelandic and offers a variety of presentation options.
Deliverables of risk assessment
- The scope of the operations covered by the risk assessment
  - The risk assessment covers the following:
    - Which information assets (equipment, knowledge, data and image) need to be taken into account.
    - Which security requirements stipulated in law, regulations, international treaties and directives need to be taken into account.
    - Which security requirements made in work processes, standards and security policies need to be taken into account.
    - Which security requirements need to be taken into account in relation to the technical implementation of information and telecommunication systems.
- Compliance with law and regulations
  - Legislative acts and government regulations form a framework for the scope of the operations covered by the risk assessment.
- List of information assets
  - Under ISO/IEC 27001 & 27002, all information assets are to be registered, their values are to be assessed and a person responsible for them is to be assigned.
- List of threats
  - Threats posed to information assets need to be recorded and assessed in terms of their impact, the probability of the threat taking place and the asset's exposure to the threat.
- List of implemented controls from ISO/IEC 27001 & 27002
  - ISO/IEC 27001 & 27002 specify mitigating controls against threats to information security, as well as threats in general. While conducting a risk assessment, implemented controls shall be recorded.
- List of ISO/IEC 27001 & 27002 future implementations
  - When the measures implemented based on ISO/IEC 27002 have been recorded, management staff can assess whether security risks are within the defined acceptance limits. If security needs to be improved, future measures are selected; RM Studio supports this. When a decision is taken regarding a future measure, its effect on overall security shall be assessed and compared with the cost of implementation. A deadline shall be set for the completion of future measures.
- Statement of Applicability
  - While the risk assessment is performed in RM Studio, a report describing the risk assessment based on the entered data can be generated at any stage. After the risk assessment has been completed and the future measures have been decided, this report can be used as a statement of the status of information security, i.e. a Statement of Applicability. The Statement of Applicability is a statement by management on the status of information security.
- Reports
  - Various reports can be obtained using RM Studio, including reports facilitating decision-making and the prioritisation of projects for reducing security risk.
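The risk model sketched above (asset value, threat seriousness, probability and vulnerability; implemented controls leaving a residual risk that is checked against management's acceptance limit; future measures weighed by effect against cost) as an added worked example in Python. This is not code from Stiki or RM Studio; the 1-5 scales, the multiplicative score, each control's reduction share, the costs and the acceptance limit of 100 are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Control:
    name: str
    reduction: float        # share of the risk the control removes (0..1), assumed
    cost: float             # implementation cost in arbitrary units
    implemented: bool = False

@dataclass
class RiskItem:
    asset: str
    threat: str
    asset_value: int        # 1..5 value of the information asset
    impact: int             # 1..5 seriousness of the threat if realised
    probability: int        # 1..5 chance of the threat occurring
    vulnerability: int      # 1..5 exposure of the asset to the threat
    controls: list = field(default_factory=list)

    def inherent_risk(self) -> float:
        # Assumed scoring: product of the four factors, before any controls.
        return float(self.asset_value * self.impact * self.probability * self.vulnerability)

    def residual_risk(self) -> float:
        # Only implemented controls count; each removes its share of what remains.
        risk = self.inherent_risk()
        for c in self.controls:
            if c.implemented:
                risk *= 1.0 - c.reduction
        return risk

    def within_limit(self, limit: float) -> bool:
        return self.residual_risk() <= limit

    def future_measures(self, limit: float):
        # Unimplemented controls ranked by risk removed per cost unit, as
        # (name, residual risk if added alone, meets limit, reduction per cost).
        base = self.residual_risk()
        options = []
        for c in self.controls:
            if not c.implemented:
                left = base * (1.0 - c.reduction)
                options.append((c.name, left, left <= limit, (base - left) / c.cost))
        return sorted(options, key=lambda o: o[3], reverse=True)

# Constructed sample entry: a customer database threatened by credential theft.
DB = RiskItem("Customer database", "Credential theft", 5, 4, 3, 4, [
    Control("Password policy", 0.3, 2, implemented=True),
    Control("Multi-factor authentication", 0.6, 5),
    Control("Log monitoring", 0.2, 3),
])
ACCEPTANCE_LIMIT = 100.0    # management's assumed risk benchmark
```

With the sample data the residual risk (168) exceeds the limit, and only multi-factor authentication would on its own bring it within the limit, so it ranks first.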