This is Part 1 of our series on implementing information security risk assessments. You can read Parts 2 and 3 in the coming weeks.
It should go without saying that information security controls – the measures you implement to protect your organization – should be selected based on the real risks you face. After all, there’s absolutely no point going to the time, trouble, and expense of implementing controls to protect against a threat that’s unlikely to occur or one that’ll have little material impact.
To enable you to make informed decisions about which controls to use, you need to carry out an information security risk assessment.
As defined by – the standard that provides an overview of the information security management system (ISMS) family of standards and definitions for key vocabulary – risk assessment is the “overall process of risk identification, risk analysis and risk evaluation.”
Whatever risk assessment methodology you select, and whatever enterprise risk management (ERM) framework you use, you will need to identify certain factors in order to comply with ISO 27001:
- The assets your organization has and the stakeholders who own them.
- The business, legal, and contractual requirements that are relevant to the identified assets.
- The value of the identified assets, taking account of their confidentiality, availability, and integrity in each of their business, legal, and contractual contexts.
- The threats and vulnerabilities that affect the security of those assets.
- The effect on the organization should the assets be compromised.
- The likelihood of that compromise occurring.
After this, you must evaluate your existing security controls, address any gaps as necessary, and apply controls consistently according to the organization’s risk assessment or treatment criteria.
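The factors listed above and the evaluation step form a procedure that is easy to get inconsistent in a spreadsheet. As an added illustration (not part of the original article, and not vsRisk's or any standard's code), the following Python encodes that procedure as a small asset-based risk register: assets are valued per confidentiality, integrity and availability, each scenario pairs a threat with a vulnerability, impact and likelihood are scored on a fixed scale, and every score is compared with an acceptance criterion to decide which risks need treatment. The 1-3 ordinal scales, the impact-times-likelihood formula, the acceptance threshold of 4 and all sample assets and scenarios are constructed assumptions for the example; your own methodology may use different scales and criteria.

```python
"""Asset-based risk register: the factors listed above, encoded so that
two assessors scoring the same scenario get the same, comparable result.
Added example; the 1-3 scales and the acceptance threshold are assumptions."""
from dataclasses import dataclass

SCALE = (1, 2, 3)  # assumed ordinal scale: 1 = low, 2 = medium, 3 = high
PROPERTIES = ("confidentiality", "integrity", "availability")


def _check_scale(label, value):
    """Reject anything off the agreed scale so scores stay comparable."""
    if value not in SCALE:
        raise ValueError(f"{label} must be one of {SCALE}, got {value!r}")


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str                 # stakeholder accountable for the asset
    confidentiality: int       # value of the asset per property, 1..3
    integrity: int
    availability: int
    requirements: tuple = ()   # business, legal and contractual drivers

    def __post_init__(self):
        for prop in PROPERTIES:
            _check_scale(f"{self.name}.{prop}", getattr(self, prop))


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: str
    vulnerability: str
    affects: tuple             # which of C/I/A the scenario compromises
    likelihood: int            # 1..3
    existing_controls: tuple = ()

    def __post_init__(self):
        unknown = [p for p in self.affects if p not in PROPERTIES]
        if not self.affects or unknown:
            raise ValueError(f"affects must name properties from {PROPERTIES}")
        _check_scale(f"{self.threat} likelihood", self.likelihood)


def impact(risk):
    """Impact = the highest asset value among the properties the scenario hits."""
    return max(getattr(risk.asset, prop) for prop in risk.affects)


def score(risk):
    """Risk level on a 1..9 scale: impact x likelihood (assumed formula)."""
    return impact(risk) * risk.likelihood


def assess(risks, acceptance_threshold=4):
    """Evaluate each risk against the acceptance criterion and rank the result.

    Scores above the threshold are flagged for treatment; the caller then
    compares the listed existing controls with what the score demands.
    """
    rows = []
    for risk in risks:
        level = score(risk)
        rows.append({
            "asset": risk.asset.name,
            "owner": risk.asset.owner,
            "threat": risk.threat,
            "vulnerability": risk.vulnerability,
            "impact": impact(risk),
            "likelihood": risk.likelihood,
            "score": level,
            "decision": "treat" if level > acceptance_threshold else "accept",
            "existing_controls": list(risk.existing_controls),
        })
    rows.sort(key=lambda row: row["score"], reverse=True)  # stable: ties keep input order
    return rows


# Constructed sample data (illustrative only, not from any real assessment).
CUSTOMER_DB = Asset("Customer database", "Head of Sales", 3, 3, 2,
                    requirements=("GDPR", "customer contracts"))
WEBSITE = Asset("Marketing website", "Marketing Manager", 1, 2, 2,
                requirements=("brand reputation",))

SAMPLE_RISKS = (
    Risk(CUSTOMER_DB, "External attacker", "Unpatched database service exposed to the internet",
         affects=("confidentiality", "integrity"), likelihood=2,
         existing_controls=("Monthly patching",)),
    Risk(CUSTOMER_DB, "Flooding", "Single data centre, no failover",
         affects=("availability",), likelihood=1),
    Risk(WEBSITE, "Defacement", "Weak CMS administrator password",
         affects=("integrity",), likelihood=3),
)

if __name__ == "__main__":
    for row in assess(SAMPLE_RISKS):
        print(f'{row["score"]}  {row["decision"]:6}  {row["asset"]}: '
              f'{row["threat"]} via {row["vulnerability"]}')
```

The point of the validation in `__post_init__` is the "consistent, valid and comparable results" requirement: an assessor cannot enter a likelihood of 5 or an asset value of "quite high", so scores from different people and different years sit on the same scale. The treatment decision is a plain comparison against a recorded threshold, which is the risk acceptance criterion you would document in the methodology before assessing anything.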
This is clearly a complex and time-consuming undertaking – one that, if you rely on spreadsheets, will be prone to error. This means that there’s no guarantee that your risk assessment will produce “consistent, valid and comparable results,” as stipulated by the Standard.
If your experience carrying out risk assessments is limited, the prospect of spending hours interviewing relevant organizational stakeholders and populating spreadsheets will probably be filling you with dread. There is an alternative, however.
The easy alternative
The risk assessment tool vsRisk™ helps risk assessors deliver repeatable, consistent assessments year after year. Its pre-populated asset library assigns organizational roles to each asset group, and it applies relevant potential threats and risks by default.
Moreover, its integrated risk, vulnerability and threat databases eliminate the need to compile a list of potential risks, and the built-in control sets help you comply with multiple frameworks.