An approach to an improved method
of risk assessment according to ISO 27001
As we have discussed, I would like to direct my research dissertation towards developing an
improved method of risk assessment according to ISO 27001. The steps
that I would like to follow are as follows:
Step 1: The idea is to analyze the
current risk assessment methods through a literature review on an academic and
Step 2: To see the risk assessment methods as
they are developed from ISO, NIST, SOX, which is more industry/technically
Step 3: According to the findings from Step
1 and Step 2, I will create a combined method of risk assessment, but with
orientation to ISO 27001.
The combined method will be based on all the good points which are mentioned by experts in
papers, and it will include points from all the standards such as ISO, NIST, SOX etc. In addition to
this, I will also carry out research in the field with companies in the ICT,
insurance and banking sectors. From the
answers and information that I will receive from the experts, IT department, CIO,
CISO etc., I will try to identify the following:
- the problems that they face during the risk assessment process
- the issues which they are not able to identify through their risk assessment
  process (which their risk assessment method does not cover)
- the method/way in which they implement the risk assessment techniques
- Do they create a report of findings?
- Do they make a list of recommendations from their findings?
- What are the next steps that they take to treat the findings?
- Do they treat the findings according to ISO 27001 risk assessment, NIST or any
  other hybrid (combined) method?
- Do they use any software tool for recommendations, or only paperwork?