Answer to Gafar’s Question

Garar's Question

According to ISO 3100, risk assessment includes three steps, risk identification, risk analysis, and risk evaluation.

Risk analysis is the process to estimate the likelihood and impact of risk so that the risk level or exposure can be determined. BIA as a process to assess the business impact, it can be treated as part of the risk analysis when we are talking about risk management.

BIA is also one of the most crucial processes in the discipline of business continuity management. So, it depends on how you integrate the two disciplines, RM and BCM, to position BIA.

Threat modeling is highly related to software. However, it’s mentioned in Domain 1 of the CISSP exam outline and many people think it applies to other contexts as well.

Personally, I treat it as the specific risk management practice in the context of software solutions, including the environment they operate, say, servers and network.

Threat modeling includes identifying threats/risks, categorizing them using STRIDE, analyzing using DREAD, evaluating, and handling them. The threat modeling approach used by Microsoft is the most well-known. There are some other approaches.

In summary, the basic idea of risk management is simple and abstract, it should apply to different contexts which use an extended and specific risk management approach based on the general risk management framework.

The pair of ISO 31000 and ISO 27005 is a good example. The NIST FARM addressing risk at organization tier, mission/business process tier, and information system tier is another good example.

Leave a Reply