RE: Measuring Risk Assessment

["Craig Wright" <cwright () bdosyd com au>]

Have a look at COBIT, ITOL or COSO all other these have sections on
mapping controls and there are templates to map these to 17799

Have a look at 
        http://www.auditnet.org/

They have a large number of audit documents and controls tests. They
have a large number of 17799 documents and checklists on the site

Craig 

-----Original Message-----
From: shankarnarayan.d () netsol co in
[mailto:shankarnarayan.d () netsol co in] 
Sent: 21 September 2005 9:07
To: security-basics () securityfocus com
Subject: Measuring Risk Assessment

Hi,

We have successfully enabled an Organization achieve BS7799. We have
conducted a Qualitative Risk Assessment for the different IT assets

As a part of periodic improvements the client periodically adds
additional security measures/ tweaking current controls etc. The Client
wants to now measure the effectiveness of adopting these controls to
show visible proof to his management about the effectiveness of these
controls and maybe adopting the standard.

Can I get some suggestions (irrespective of whether it is relevant to
BS7799 or not) as to how this client may show improvements to his
management. Specifically, any metrics on how he may show effectiveness
w/ respect to the "qualitative risk assessment". When he first
implemented the Risk Treatment plan, he could show significant risk
reduction, but (as an example), tweaks and changes now dont reduce a
risk which is "High" to "Medium", they only bring it a few notches lower
but still in "High"

Any inputs would be greatly appreciated. I am looking for something
apart from standard inputs like compare the number of vulnerabilities/
security issues faced/ measuring the hits on Firewall/ IDS etc

Thanks,
Shankar