CHAPTER 13: RISK LEVEL
Risk level – the output of the risk equation that we discussed earlier – is a function of impact and likelihood (probability). The final step in the risk assessment exercise is to assess the risk level for each impact and to transfer the details to the corporate asset inventory.
Three levels of risk assessment are usually adequate: low, medium and high. Where the likely impact is low and the probability is also low, then the risk level could be considered very low. Where the impact is at least high and the probability is also at least high, then the risk level might (depending on the design of the risk matrix) be either high or very high.
Every organisation has to decide for itself what it wants to set as the thresholds ...
Get Information Security Risk Management for ISO 27001/ISO 27002, third edition now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.