Analyze ISMS risks

In the Risk analysis section, you can see all IT systems that are IS-relevant or to which IS-relevant processes are linked. In the properties of an IT system, you assess its criticality at several levels and link it to a risk or a property group. In the properties of a risk, you assess the gross risk associated with an IS-relevant IT system. The gross risk is the risk before you have implemented any measures to reduce it. Your gross risk rating then appears in the table next to the respective asset.

Instructions - Determine criticality of asset and risk:

  1. Select the IT system in the table and open the ISMS section in the properties sidebar

    Tip: Navigate directly to the IT system by double-clicking and select the ISMS tab in the content area. In this view, the most important ISMS-relevant properties are clearly displayed. You can also edit the properties there via the sidebar. See ISMS view of the assets.

  2. Justify the IS criticality of the IS-relevant IT system.

  3. Evaluate criticality at the levels of confidentiality, integrity, availability, and authenticity

  4. Switch to the Other attributes property section and define the risk under ISMS risks

    OR

    Switch to the Other attributes property section and use a property group

  5. Set the remaining properties of the risk as needed

    See also: All properties for configuring a risk are described under Create risk.

Instructions - Assess gross risk:

  1. In the ISMS risk column, select the risk that you have defined at the respective asset

    Note: No risk assessment can be performed for property groups. To perform a risk assessment, you must assess the risks within the property group one at a time.

  2. Open the ISMS section in the properties sidebar

  3. Assess the risk impact prior to measures at the confidentiality, integrity, availability, and authenticity levels

  4. Switch to the Gross assessment property section and set the Probability of occurrence (gross)

Results:

  • After you have defined the probability of occurrence and risk impact in the gross risk, the risk class is automatically calculated before the measures. There are three risk classes here:

    • Risk class 1 (green) is the lowest risk class. Class 1 risks before measures do not appear in the risk treatment plan.

    • Risk class 2 (yellow) is the medium risk class. Class 2 risks before measures appear in the risk treatment plan.

    • Risk class 3 (red) is the highest risk class. Class 3 risks before measures appear in the risk treatment plan.

    You can see the risk class, for example, in the table of the Risk list report.

    Note: Gross and net risks that have been incompletely assessed or not assessed at all are automatically assigned risk class 3.

  • After you have defined the probability of occurrence and risk impact in the gross risk, the risk is transferred accordingly to the risk heat map before the measures.

    See also: The functionality of the risk heat map is described under Risk matrix.
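The rules stated above (a gross risk class derived from probability of occurrence and the highest impact across the confidentiality, integrity, availability and authenticity levels; class 1 excluded from the risk treatment plan; incompletely assessed risks forced to class 3; property groups not assessable on their own) can be modelled as a small script. The following is an added example, not code from the page or the tool it describes. The level names, the 3x3 scoring matrix and the class thresholds are assumptions chosen for illustration; the product does not document its internal formula here.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# The four impact levels named on the page.
DIMENSIONS = ("confidentiality", "integrity", "availability", "authenticity")

# Assumed ordinal scales (hypothetical; the page names the dimensions, not the scale values).
IMPACT_LEVELS = {"low": 1, "medium": 2, "high": 3}
PROBABILITY_LEVELS = {"rare": 1, "possible": 2, "likely": 3}


@dataclass
class GrossRisk:
    """One ISMS risk attached to one asset, assessed before measures."""
    asset: str
    risk: str
    # Impact per dimension; None means "not yet assessed".
    impact: Dict[str, Optional[str]] = field(
        default_factory=lambda: {d: None for d in DIMENSIONS})
    probability: Optional[str] = None  # probability of occurrence (gross)
    is_property_group: bool = False    # property groups cannot be assessed directly


def _check_levels(r: GrossRisk) -> None:
    """Reject unknown scale values early instead of silently miscounting them."""
    for d in DIMENSIONS:
        v = r.impact.get(d)
        if v is not None and v not in IMPACT_LEVELS:
            raise ValueError(f"{r.asset}/{r.risk}: unknown impact level {v!r} for {d}")
    if r.probability is not None and r.probability not in PROBABILITY_LEVELS:
        raise ValueError(f"{r.asset}/{r.risk}: unknown probability {r.probability!r}")


def is_complete(r: GrossRisk) -> bool:
    """A gross assessment is complete only when all four impacts and the probability are set."""
    return r.probability is not None and all(r.impact.get(d) is not None for d in DIMENSIONS)


def gross_risk_class(r: GrossRisk) -> int:
    """Return risk class 1 (green), 2 (yellow) or 3 (red) before measures."""
    if r.is_property_group:
        # Per the page: assess the risks inside the group one at a time instead.
        raise ValueError(f"{r.asset}/{r.risk}: property groups cannot be risk-assessed")
    _check_levels(r)
    # Per the page: incomplete or missing assessments are automatically class 3.
    if not is_complete(r):
        return 3
    impact = max(IMPACT_LEVELS[r.impact[d]] for d in DIMENSIONS)  # worst dimension wins
    score = impact * PROBABILITY_LEVELS[r.probability]            # assumed 3x3 matrix
    # Assumed thresholds: 1-2 -> class 1, 3-4 -> class 2, 6-9 -> class 3.
    if score <= 2:
        return 1
    if score <= 4:
        return 2
    return 3


def heat_map_cell(r: GrossRisk) -> Optional[Tuple[int, int]]:
    """(probability, impact) coordinates on the heat map before measures; None if not placeable."""
    if not is_complete(r):
        return None
    impact = max(IMPACT_LEVELS[r.impact[d]] for d in DIMENSIONS)
    return (PROBABILITY_LEVELS[r.probability], impact)


def risk_treatment_plan(risks: List[GrossRisk]) -> List[GrossRisk]:
    """Per the page: class 2 and class 3 risks before measures appear in the plan, class 1 does not."""
    return [r for r in risks if gross_risk_class(r) >= 2]


# Constructed sample assets for a stand-alone run.
SAMPLE = [
    GrossRisk("fileserver01", "data loss",
              {"confidentiality": "low", "integrity": "low",
               "availability": "low", "authenticity": "low"}, "rare"),
    GrossRisk("erp-db", "unauthorised disclosure",
              {"confidentiality": "high", "integrity": "medium",
               "availability": "low", "authenticity": "medium"}, "likely"),
    GrossRisk("mailgw", "spoofed sender",
              {"confidentiality": "medium", "integrity": "medium",
               "availability": "low", "authenticity": "medium"}, "possible"),
    GrossRisk("legacy-app", "unpatched service",
              {"confidentiality": "high", "integrity": "high",
               "availability": "high"}),  # authenticity and probability never assessed
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(f"{r.asset:12} {r.risk:25} class {gross_risk_class(r)}  cell {heat_map_cell(r)}")
    print("treatment plan:", [r.asset for r in risk_treatment_plan(SAMPLE)])
```

The point worth noticing is the default for incomplete data: a risk nobody finished assessing lands in class 3 and therefore in the treatment plan, so gaps in the assessment surface as work items rather than disappearing from the report.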