Risk analysis

DPIA

It is often difficult to identify threats or risks for one's own organization from scratch. For the new versions of standards of management systems such as ISO 9001, ISO 14001 and ISO 27001, this is a requirement.

A commonly used method is the so-called MAPGOOD method. MAPGOOD stands for People, Equipment, Software, Data, Organization, Environment and Services. These are the different perspectives for looking at threats and risks.

MAIN STEPS

MAPPING THE INFORMATION

ANALYSIS OF THREATS

MEASURES-OBJECTIVES

The risk analysis consists of 3 main steps:

The risk analysis consists of 3 main steps: Mapping the components of the information provision in accordance with the MAPGOOD model.
Mapping the threats that are relevant to the information system to be investigated, with the potential impact and the probability of occurrence per threat.
Translating the most relevant threats into measures to be taken.

The risk analysis must be completed as uncoloured and as neutral as possible.

Performing a risk analysis must be supported by an expert with experience in performing risk analyzes. It is recommended that the organization appoints an internal employee who performs the risk analysis and in this way builds up experience with performing risk analyzes. This will increase the quality of performing the following risk analyzes.

During the risk analysis, the emphasis is on process monitoring and quality assurance by asking control questions to test the different assessments between the participants of the risk analysis.