Title :
A model to assess the maturity level of the Risk Management process in information security
Author :
Mayer, Janice ; Fagundes, Leonardo Lemes
Author_Institution :
Univ. do Vale do Rio dos Sinos - UNISINOS, Sao Leopoldo, Brazil
Abstract :
The risk management (RM) process comprises the coordinated activities that direct and control an organization with regard to risk. These activities encompass establishing the context, and then assessing, treating, accepting, communicating and monitoring information security risks. Organizations should implement RM in a consistent, systematic manner in order to comply with current laws, standards and regulations, and to meet the mandatory requirements for certification of an information security management system. However, in the context of information security, no model for assessing the maturity level of an RM process was found in the literature. To address this gap, this study describes the structure of a model for assessing the maturity level of the RM process in the realm of information security. The model consists of a set of best practices, fully aligned with the ISO/IEC 27005 standard, and comprises: (1) three stages; (2) five maturity levels; (3) forty-three control objectives; (4) a control map; (5) an instrument for assessing the maturity level of each activity of the RM process; (6) an accountability matrix for each activity of the process; and (7) a risk scorecard.
Keywords :
information management; risk management; security of data; ISO/IEC 27005; assessment instrument; control map; information security; maturity level assessment; risk management process; Communication system control; Context; IEC standards; ISO standards; Information analysis; Information security; Monitoring; Risk analysis; Risk management; Standards organizations; Information Security; Maturity Model; Risk Management;
Conference_Titel :
Integrated Network Management-Workshops, 2009. IM '09. IFIP/IEEE International Symposium on
Conference_Location :
New York, NY
Print_ISBN :
978-1-4244-3923-2
Electronic_ISBN :
978-1-4244-3924-9
DOI :
10.1109/INMW.2009.5195935