In the ISMS Assistant you assess your information security risks across three chapters in turn. In Risk Identification you assemble a single list of risk scenarios from the event-based and the asset-based approach. In Risk Analysis you assess each scenario’s impact and likelihood, from which Cenedril calculates the risk score. In Risk Evaluation you map the risks to the acceptance levels and prioritise them. The result is a risk list sorted by risk score.
Assemble the risk scenarios
Open Risk Identification
Open the ISMS Assistant and move to the Risk Identification chapter. The entry page explains the two identification methods Cenedril applies in turn: Top-down (event-based, from a strategic view) and Bottom-up (asset-based, from an operational view).
Work through the preceding steps
Use Next to work through the Risk Identification steps: process categories and processes, the risk events from the top-down path, and the information, threats and vulnerabilities captured in the asset-based pass. These inputs are the basis for the risk scenarios.
Review the risk scenarios
On the Risk Scenarios page the two methods come together. At the top are the scenarios from the strategic Risk Events, below them the automatically generated suggestions from the asset-based approach. A scenario describes in one sentence how a threat exploits a vulnerability of a supporting asset and thereby endangers the confidentiality, integrity or availability of a primary information asset within a process.
Confirm scenarios and assign a responsible person
Accept the suggestions that genuinely represent a risk and hide the ones that do not apply. Add any missing scenarios by hand. Assign a responsible person to each scenario in the Risk Owner field. Save with Save & Continue.
Analyse the risks
Assess impact
In the Risk Analysis chapter open the Impact Assessment page first. Work through the list of risk scenarios and assess, per scenario, how large the damage would be if it occurred, separately for each consequence dimension from your risk policy (e.g. financial, legal, reputation). Save with Save & Continue.
Assess likelihood
On the Incident Likelihood page you go through the scenarios again and assign each a likelihood of occurrence. The impact values from the previous step stay hidden here on purpose, so that one estimate does not anchor the other.
Check the risk level
The Risk Level Calculation page is purely computational. Cenedril combines impact and likelihood per scenario into the risk score and maps it to the risk level from your risk policy. The matrix at the top shows the distribution of all scenarios; below it, each scenario appears individually with its score and level.
Evaluate and prioritise the risks
Classify the risks
In the Risk Evaluation chapter Cenedril distributes the scenarios automatically into the level groups from your risk acceptance matrix. Check each group and correct an unfitting classification by dragging the scenario into the correct level, with a reason. The acceptance criteria from the risk policy appear at the top as a reminder.
Prioritise the risks
On the Risk Prioritization page you choose one of three sort orders. Cenedril generates a numbered list of all scenarios from it. Where the order is wrong in places, move scenarios manually with the arrow buttons.
Finish the prioritised risk list
The Prioritized Risk List page summarises the results. The matrix shows where the prioritised scenarios sit in the risk landscape; the list below it is the working basis for the next chapter. Save to complete the risk assessment.
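The steps from Impact Assessment through the Prioritized Risk List can be traced end to end with a small model. The following is an added worked example, not Cenedril's own code, and the page does not state Cenedril's scoring formula: the score here is assumed to be the worst impact across consequence dimensions multiplied by the likelihood, the 1 to 4 scales, the level thresholds, the three sort-order names and the scenario data are all constructed for the illustration, and the manual reclassification with a mandatory reason and the arrow-button reordering are modelled as plain functions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed acceptance bands: (minimum score, level, decision). In practice these
# come from the organisation's risk acceptance matrix, not from code.
LEVEL_BANDS: List[Tuple[int, str, str]] = [
    (9, "high", "must be treated"),
    (4, "medium", "treat or justify acceptance"),
    (1, "low", "accept"),
]


@dataclass
class RiskScenario:
    name: str
    risk_owner: str
    impact: Dict[str, int] = field(default_factory=dict)  # consequence dimension -> 1..4
    likelihood: int = 0                                   # 1..4, assessed without seeing impact
    override: Optional[Tuple[str, str]] = None            # (level, reason) if reclassified by hand

    def worst_impact(self) -> int:
        return max(self.impact.values())

    def score(self) -> int:
        """Assumed formula: worst-case impact across dimensions times likelihood."""
        if not self.impact or not 1 <= self.likelihood <= 4:
            raise ValueError(f"{self.name}: assess impact and likelihood first")
        return self.worst_impact() * self.likelihood

    def level(self) -> str:
        """Automatic classification, unless a documented manual override exists."""
        if self.override:
            return self.override[0]
        for threshold, name, _ in LEVEL_BANDS:
            if self.score() >= threshold:
                return name
        return LEVEL_BANDS[-1][1]


def reclassify(scenario: RiskScenario, new_level: str, reason: str) -> None:
    """Manual correction of the level group; refused without a reason."""
    if not reason.strip():
        raise ValueError("a reclassification needs a documented reason")
    if new_level not in {name for _, name, _ in LEVEL_BANDS}:
        raise ValueError(f"unknown level {new_level!r}")
    scenario.override = (new_level, reason)


def group_by_level(scenarios: List[RiskScenario]) -> Dict[str, List[str]]:
    groups: Dict[str, List[str]] = {name: [] for _, name, _ in LEVEL_BANDS}
    for s in scenarios:
        groups[s.level()].append(s.name)
    return groups


def prioritise(scenarios: List[RiskScenario], order: str = "score") -> List[str]:
    """Numbered list from one of three assumed sort orders; ties broken deterministically."""
    keys = {
        "score": lambda s: (-s.score(), -s.worst_impact(), s.name),
        "impact": lambda s: (-s.worst_impact(), -s.score(), s.name),
        "likelihood": lambda s: (-s.likelihood, -s.score(), s.name),
    }
    return [s.name for s in sorted(scenarios, key=keys[order])]


def move(ordered: List[str], name: str, delta: int) -> List[str]:
    """Arrow-button style manual correction: delta -1 moves up one place, +1 down."""
    result = list(ordered)
    i = result.index(name)
    j = min(max(i + delta, 0), len(result) - 1)
    result.insert(j, result.pop(i))
    return result


# Constructed sample scenarios, each already assigned a risk owner.
SCENARIOS = [
    RiskScenario("Ransomware encrypts contract archive", "IT lead",
                 {"financial": 4, "legal": 2, "reputation": 3}, likelihood=3),
    RiskScenario("Lost laptop exposes HR records", "HR lead",
                 {"financial": 2, "legal": 4, "reputation": 3}, likelihood=2),
    RiskScenario("Phishing yields mailbox access", "IT lead",
                 {"financial": 2, "legal": 2, "reputation": 2}, likelihood=4),
    RiskScenario("Backup tape misfiled", "Ops lead",
                 {"financial": 1, "legal": 1, "reputation": 1}, likelihood=2),
]

if __name__ == "__main__":
    for s in SCENARIOS:
        print(f"{s.score():>3} {s.level():<7} {s.name}")
    print(group_by_level(SCENARIOS))
    print(prioritise(SCENARIOS, "score"))
```

Keeping the likelihood estimate independent of the impact values, as the page describes for the Incident Likelihood page, is reflected in the model only by assessing the two fields separately; the anchoring risk is a human one that the tool mitigates by hiding the earlier estimate, not something a calculation can correct afterwards.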
Result: Every risk scenario has an assessed impact, a likelihood and, from those, a risk score with an assigned level. The prioritised risk list is ready and serves as the basis for the treatment decisions and the Statement of Applicability in the Risk Treatment chapter.