14. Calculations

RM Studio uses a calculation algorithm that the user can modify: which factors are evaluated, the factor values, whether the computation uses addition or multiplication, and whether the risk score is given as a percentage or an integer. The Risk Profiles in the Assessment and Treatment module provide the user with a default profile or the customization needed to meet the user's unique needs.

Here is an example using the Asset factor evaluations from ISO 27001 (Confidentiality, Integrity, Availability) and the Threat factor evaluations of Impact and Probability. The calculations use a 1 – 5 factor value for each factor and the computation uses addition:

Here is an example using the same Asset factor evaluations from ISO 27001 (Confidentiality, Integrity, Availability) and the Threat factor evaluations of Impact and Probability. The calculations use a 1 – 5 factor value for each factor and the computation uses multiplication:

INHERENT RISK CALCULATION

Inherent risk is the raw or untreated risk: the natural level of risk intrinsic to a business activity or process before any procedures to reduce it are implemented. In the RM Studio Risk Assessment, after assessing the factor values for the Assets, you calculate the Inherent risk for the organization's assets.

RESIDUAL RISK CALCULATION

Residual risk is "the risk remaining after risk treatment", according to the definitions provided in ISO 27001. In RM Studio you first identify the risks relevant to your business in the Risk Assessment. In the Risk Treatment that RM Studio builds for you, the controls you evaluated in the Gap Analysis are applied to the identified risks, and you need to determine whether the risks are mitigated and how to continue treating the risks you find unacceptable. Treating the risks does not eliminate all of them; some risks will remain at a certain level, and these are the residual risks. The point is that the organization needs to know exactly whether the planned treatment is enough.

Residual risks are usually assessed in the same way as the initial risk assessment, using the same methodology, including the same assessment scales. What is different is that you need to take into account the influence of controls (and other mitigation methods), so the likelihood of an incident is usually decreased and sometimes even the impact is smaller. RM Studio adds the controls to the Risk Treatment based on the control-to-threat mapping established previously or by default.

Below is the matrix used for establishing the security risk of an Asset in relation to the Threat it is under. This matrix is a supplement to the risk calculation section covered previously in this manual.

It is important to realize that when using the security risk calculation with regard to controls, it is possible to score the security risks down to minimal. What this means is that you have done everything you possibly can to minimize the security risk "with regards to the Standard": you have implemented all the controls associated with the threats you defined in your risk assessment. Please keep in mind that this does not mean you have no security risk; it only means that you have done everything in your power, based on the Standard, to hedge against known threats.
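As an added illustration (not RM Studio's own code; this manual does not give its exact formula), the following Python models the configurable calculation described above for both the inherent and the residual score: the Confidentiality/Integrity/Availability asset factors and the Impact/Probability threat factors on a 1 – 5 scale, combined by addition or multiplication and reported as an integer or as a percentage of the maximum score, plus a residual score in which implemented controls lower the threat factors they are mapped to. The control identifiers, the per-control reductions and the sample factor values are constructed placeholders, and the way controls reduce factors is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Literal, Tuple

# Factor values use the 1-5 scale described in the manual.
MIN_VALUE, MAX_VALUE = 1, 5

@dataclass
class RiskProfile:
    """Which factors are evaluated, how they combine and how the score is shown."""
    asset_factors: Tuple[str, ...] = ("Confidentiality", "Integrity", "Availability")
    threat_factors: Tuple[str, ...] = ("Impact", "Probability")
    operation: Literal["add", "multiply"] = "add"
    output: Literal["integer", "percent"] = "integer"

    def max_score(self) -> int:
        """Highest possible raw score, used to express a score as a percentage."""
        n = len(self.asset_factors) + len(self.threat_factors)
        return n * MAX_VALUE if self.operation == "add" else MAX_VALUE ** n

def combine(values: Iterable[int], operation: str) -> int:
    """Combine factor values by addition or multiplication; reject out-of-scale values."""
    result = 0 if operation == "add" else 1
    for v in values:
        if not MIN_VALUE <= v <= MAX_VALUE:
            raise ValueError(f"factor value {v} is outside the {MIN_VALUE}-{MAX_VALUE} scale")
        result = result + v if operation == "add" else result * v
    return result

def inherent_risk(profile: RiskProfile, asset: Dict[str, int], threat: Dict[str, int]) -> float:
    """Untreated risk of an asset under a threat: the profile's factors combined per its settings."""
    values = [asset[f] for f in profile.asset_factors] + [threat[f] for f in profile.threat_factors]
    raw = combine(values, profile.operation)
    return round(100 * raw / profile.max_score(), 1) if profile.output == "percent" else raw

def residual_risk(profile, asset, threat, implemented, control_effect) -> float:
    """Risk after treatment. Assumption (not RM Studio's formula): each implemented control
    lowers the threat factors it is mapped to by a number of scale steps, never below 1."""
    treated = dict(threat)
    for control in implemented:
        for factor, steps in control_effect.get(control, {}).items():
            treated[factor] = max(MIN_VALUE, treated[factor] - steps)
    return inherent_risk(profile, asset, treated)

# Constructed sample values: one asset, one threat, two placeholder control IDs.
ASSET = {"Confidentiality": 4, "Integrity": 3, "Availability": 5}
THREAT = {"Impact": 4, "Probability": 3}
CONTROL_EFFECT = {"CTRL-1": {"Probability": 2}, "CTRL-2": {"Impact": 1}}
```

With the sample values, addition gives an inherent score of 19 (76% of the maximum 25) and multiplication 720 (23% of 3125); applying both placeholder controls lowers the addition score to 16.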