Following our last topic, risk analysis, in this new post I would like to point out that there are different risk analysis methodologies, but in the end all of them are tools that give us a way to review our situation, with the objective of reducing our residual risk through controls applied in an efficient way. Normally it is difficult to justify investing money in cybersecurity. Using a risk analysis methodology, we can justify our CAPEX more easily, because these methodologies can be part of a business case (we can calculate our asset value and also the possible impact and risk).

Risk analysis is one of the first steps to take when we want to create:
* An ISMS (Information Security Management System)
* A BCMS (Business Continuity Management System)
* A BIA (Business Impact Analysis)
* A PIA (Privacy Impact Analysis)
* A project
* Etc.
At the moment of doing a risk analysis, we are in the first step of a PDCA process (Plan – Do – Check – Act, also called the Deming cycle), so it is very important to do a good analysis. All the other processes depend on this first analysis. I created two presentations about risk analysis and risk management; this is the first of the two documents.

Some of you may have done risk analysis in the past, and others may do risk analysis on a regular basis. Some people use OCTAVE, CRAMM, NIST or other risk analysis methodologies, but… have you ever thought about whether you have a gap or a lack of visibility in the way you do your analysis? I created a presentation where I explain this topic in detail; you can see it here: Thinking on risk analysis from Ramiro Cid

ISO 31000:2009 is a standard published on 13 November 2009 that provides principles, a framework and a process for managing risk. It can be used by any organization regardless of its size, activity or sector. Using ISO 31000 can help organizations increase the likelihood of achieving their objectives, improve the identification of opportunities and threats, and effectively allocate and use resources for risk treatment. The ISO 31000 family is expected to include:
* ISO 31000:2009 – Principles and Guidelines on Implementation
* ISO/IEC 31010:2009 – Risk Management – Risk Assessment Techniques
* ISO Guide 73:2009 – Risk Management