Track updates

HB 167:2006

[Pending Revision]

Security risk management

Outlines a broad framework and the core elements that should be included in a security risk management process, and is consistent with the risk management principles of AS/NZS 4360: 2004. This Handbook can be used by any size or type of organisation - from large multinationals to small businesses, government agencies and the not-for profit sector.
Published: 21/12/2006
Pages: 159
Inclusive of GST
Available formats
Available formats
Web Reader
Instantly view standards in your browser. Search, bookmark, highlight, and comment for anytime access - online and offline.
Web Reader (PDF)
View standards in PDF format in your browser. Search, bookmark, highlight, and comment for anytime access - online and offline.
Web Reader
1 user
Add to cart
visa logo
mastercard logo
amex logo
Table of contents
Cited references
Content history
Table of contents
About this publication
1 Introduction
1.1 Security Risk Management—A new paradigm
1.2 Security Risk Management approach
1.2.1 The structure of security risk management
1.3 Security risk management and its relationship with risk management
1.4 Security risk management
2 Communicate and consult
2.1 Introduction
2.1.1 Effective communication
2.2 Engagement
2.2.1 Participation
2.2.2 Engagement and participation of senior management
2.2.3 Engagement and participation of staff
2.2.4 Engagement and participation of other stakeholders
2.3 Perception
2.4 Information transfer
2.5 Decision making
2.6 Developing the communications strategy
3 Establish the context
3.1 Introduction
3.2 The external context
3.3 The internal context
3.4 The security risk management context
3.4.1 Finalising the goals and objectives for security risk management
3.5 Determine the process/program structure
3.6 Developing the evaluation criteria
3.7 Developing the business case
4 Identify risk
4.1 Introduction
4.2 Data and information sources
4.2.1 Retrieving data and information
4.2.2 Potential sources of risk
4.3 Conducting the criticality assessment
4.4 Threat assessment
4.4.1 Identifying the threat
4.4.2 Understanding the threat
4.4.3 Measuring the threat
4.4.4 Likelihood of a security threat
4.5 Conducting the vulnerability analysis
4.5.1 Introduction
4.5.2 Assessing the effectiveness of the controls
4.5.3 Approaches to assessment
4.6 Mapping threat, vulnerability and criticality
5 Analyse risk
5.1 Introduction
5.2 Measuring risk
5.2.1 Consequence
5.2.2 Likelihood
5.2.3 Risk rating
6 Evaluate risk
6.1 Introduction
6.2 Tolerance of risk
7 Treat risk
7.1 Introduction
7.2 Developing a treatment plan
7.2.1 Establish treatment objectives
7.2.2 Identify and develop treatment options
7.2.3 Evaluate treatment objectives
7.2.4 Detailed design
7.2.5 Design review
7.2.6 Communicating and implementing
7.3 Conformance vs. Performance
8 Monitor and review
8.1 Introduction
8.2 The elements of ‘monitor and review’
8.3 Monitoring and review practices
8.4 Triggering monitor and review processes
8.5 Post-event analysis and reporting
F1 Business case template
F2 SRM Project management template37
F3 Developing the context template (with some examples)
F4 Information collection worksheet
F5 Criticality and vulnerability assessment worksheet
F6 Threat sources identification and assessment40
F7 Threat assessment worksheet
F8 Security risk assessment worksheet
F9 Strategic security risk management activities plan
F10 Security risk management controls assessment checklist46 (Example 1)
F11 Security survey worksheet (Example 2)
F12 Example treatment plan template
I1 Visibility rating
I2 Vulnerability: Iconic status
I3 Vulnerability: Threat access
I4 Vulnerability: Collateral exposures
I5 Vulnerability: Interdependency demand54
I6 Critical incident management
Cited references in this standard
Content history