Risk Management Assessment
Information security management systems (ISMS) are built on risk evaluation and risk management. Organizations often want to ascertain whether the processes, methodologies and tools they have adopted are not only compliant but also effective, and whether they can be improved.
Such evaluations may only be performed by expert personnel with specific experience in ICT and risk management who are up to date and qualified under widely recognized schemes and models.
Effectively managing risks involves:
- Identifying the actual value of each asset;
- Identifying the areas of vulnerability in each asset;
- Determining the potential threats capable of exploiting those vulnerabilities to produce an impact and consequent damage;
- Quantifying the risk associated with each damage identified;
- Determining and implementing measures designed to reduce risks to an acceptable level.
Incidents may have severe financial, economic, reputational, strategic and other consequences. Analysing and evaluating risks means combining specific expertise with in-depth knowledge of the reference models in order to produce reliable evaluations of effectiveness, compliance and improvement opportunities.
ISO 31000 was issued as the reference risk management model, while ISO/IEC 27005 applies it specifically to ICT information security. The ICT industry has always paid close attention to these issues, which have recently made the headlines with increasing frequency because of the growing number of IT incidents.
TÜV Italia supports companies by providing an independent evaluation of their risk management processes, performed by qualified, expert personnel, that identifies their actual strengths and any weaknesses.
Our services at a glance
Back Office Assessment (BOA)
The first stage of the assessment is a review of the relevant documents, carried out to accurately define the scope of the assessment and to evaluate the analyses already performed.
On Field Assessment (OFA)
The next stage is performed on site during normal operations, in order to evaluate the actual status of the process and to verify any contractual requirements.
Identification of weak areas
The third stage identifies any existing weaknesses or areas for improvement in the procedures and management methods in use.