Performing a risk analysis with RAFIS

RAFIS is a tool that helps you to perform a risk analysis for information security. The goal is a selection of controls from the chosen security standard, based on threats that have been mapped out during a workshop. The use of RAFIS is based on a series of steps, as indicated below.

  1. Mapping relevant information systems within your organization.
  2. Identifying the actors that can breach your information security.
  3. Performing the actual risk analysis:
    1. Determining the scope of the risk analysis.
    2. Specifying the interests.
    3. Identifying the threats.
    4. Determining the mitigating controls.
    5. Working out possible scenarios.
    6. Drawing up the report.
    7. Monitoring the progress of the control implementation.

Other functionalities

RAFIS contains a few more functionalities that are not directly related to performing a risk analysis. These are explained below.