ISO/IEC 20000-1:2018 – IT Service Management System
The risk analysis methodology is structured as four distinct phases:
- Risk analysis of resources, controls, threats, and vulnerabilities.
- Management decisions to implement security countermeasures and to accept residual risk.
- Implementation of countermeasures.
- Periodic review of the risk management program.
This document addresses the first phase, which provides the foundation for the remaining three phases. The detailed analysis of threats, vulnerabilities, and risks includes:
- Asset Identification: System resources within the system boundary that require protection.
- Threat Sources and Vulnerability Identification: Weaknesses in the system design, system security procedures, implementation, and internal controls that could be exploited by authorized operators or intruders.
- Threat Identification: Known and projected threats that are applicable to the system under review.
Prior to a risk assessment, security requirements must be identified. Security requirements are determined based on executive, legislative, and technical guidance in addition to departmental policy. Security requirements specific to the hardware, software, or operating system are also identified. The risk assessment is then performed to identify the management, operational, and technical controls, or other appropriate countermeasures, necessary for the protection of the system.