EAR / FAQ
Environment for the Analysis of Risk

FAQ: Frequently Asked Questions

What is risk analysis about?

Risk analysis is a fundamental activity for understanding where the organization's value lies and what the threats to that value are. You cannot manage what you do not know.

Risk analysis

  1. identifies assets, both technical and business assets,
  2. valuates assets according to their usefulness for the organization,
  3. identifies and valuates threats on those assets (that is, produces a risk map).

As an outcome, you know what can happen and, seen from the other side, what needs to be protected.

What is risk management about?

It is a methodical approach to keeping risk under control. Data from the risk analysis are used as the information on which to take decisions on whether to avoid, transfer, mitigate, or simply accept the assessed risk.

Which methodology is used?

MAGERIT: a methodology of the Spanish Administration that may be freely used elsewhere.

What can EAR tools do for my information system?

EAR provides tool support to

What is the use of a project on risk management?

What is required to get an ISMS certification?

In order to certify an ISMS (Information Security Management System), a number of preliminary tasks have to be carried out:

  1. A risk analysis is required, covering the whole system that is subject to certification.
     This analysis determines This material is moved into the "Applicability Statement".
  2. After analysing risk, it is necessary to apply the diagnosed treatment, so that the required safeguards are in place and the residual risk is acceptable to management.
  3. An internal audit may be convenient.
  4. Contact the certification entity, which will instruct you on the steps required for an external evaluation that may conclude with the desired certification.