“We are living permanently with an irreducible level of cyber threat,” says IT Governance CEO Alan Calder. “As this realisation sinks in, organisations must adapt their strategies to avoid unhelpful restrictions on staff mobility and internet access, while ensuring their ability to recover swiftly when attacks take place.”
A survey conducted by Nominet found that over three quarters (77%) of small businesses with 50 or fewer employees have faced at least one cyber security incident in the last month alone – and that, on average, incidents took several hours to resolve, with 40% taking a day or longer. One in five small businesses said that they had lost money as a result.
Mind shift needed
More and more, businesses are realising that the days of demanding 100% cyber- or information security are gone. Business leaders need to shift their mindset to one that anticipates cyber breaches, and then take the appropriate steps to reduce the reputational, financial, and operational impact of those risks. A pragmatic approach to information risk management is essential for continuously monitoring and mitigating the risks associated with your critical and confidential data.
Starting out with a risk assessment
Any robust information security management system will incorporate regular risk assessments of the information assets or information risks. Risk assessment is the key activity required during the planning stage of an Information Security Management System (ISMS) project. ISO 27001 is the international standard for information security management and provides a holistic approach to risk management which is consistent with other global approaches.
“Risk assessment is so central to information security management that we see it as the core competence of the ISMS.” – Information Security Risk Management for ISO 27001/ISO 27002, by Alan Calder & Steve Watkins.
The purpose of an ISMS is to secure an organisation’s information assets by identifying, assessing and managing risk factors which are presented as threats and vulnerabilities. This is achieved by first identifying all the assets and categorising them by CIA (Confidentiality, Integrity, Availability), and then calculating the likelihood of these risks.
ISO 27001:2013 matures
The assets carrying high risk are then treated by applying controls selected from a pre-determined control set, following the organisation’s risk assessment procedure. The revised standard, ISO 27001:2013, has evolved into a more mature and flexible standard: it does not mandate a particular control set for treating these risks, but it does provide a list of recommended controls to be used as a reference for determining whether any gaps exist in the organisation’s current control set.
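As an added illustration of the identify, assess, treat and gap-check sequence described above (example code written for this page, not taken from the page or from vsRisk), the following Python builds a small constructed risk register, scores each threat as likelihood multiplied by the worst-case CIA rating it affects, flags the risks above an assumed acceptance threshold, and reports which reference controls those risks rely on that the organisation has not yet implemented. The three-point scales, the threshold, the asset names and the CTRL-* control labels are all assumptions, not ISO 27001 Annex A identifiers.

```python
from dataclasses import dataclass

# Qualitative three-point scales assumed for this example; ISO 27001 leaves
# the scale and the risk-acceptance threshold to the organisation.
LEVELS = {"low": 1, "medium": 2, "high": 3}
ACCEPTANCE_THRESHOLD = 4  # assumed: scores at or above this must be treated

@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: str  # CIA ratings, each a LEVELS key
    integrity: str
    availability: str

@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: str
    likelihood: str   # a LEVELS key
    affects: tuple    # CIA properties the threat undermines
    controls: tuple   # reference controls that would treat it

def impact(risk):
    """Impact is the worst-case CIA rating among the properties the threat affects."""
    return max(LEVELS[getattr(risk.asset, prop)] for prop in risk.affects)

def score(risk):
    """Risk score = likelihood x impact on the assumed scales."""
    return LEVELS[risk.likelihood] * impact(risk)

def needs_treatment(risks):
    """Risks at or above the acceptance threshold, highest score first."""
    flagged = [r for r in risks if score(r) >= ACCEPTANCE_THRESHOLD]
    return sorted(flagged, key=score, reverse=True)

def control_gaps(risks, implemented):
    """Reference controls the treated risks rely on that are not yet implemented."""
    needed = {c for r in needs_treatment(risks) for c in r.controls}
    return sorted(needed - set(implemented))

def build_register():
    """Constructed sample register; control names are placeholders, not Annex A IDs."""
    db = Asset("customer_db", "high", "high", "medium")
    web = Asset("public_web", "low", "medium", "high")
    return [
        Risk(db, "credential theft", "medium", ("confidentiality",), ("CTRL-MFA", "CTRL-LOGGING")),
        Risk(db, "ransomware", "low", ("integrity", "availability"), ("CTRL-BACKUP",)),
        Risk(web, "denial of service", "high", ("availability",), ("CTRL-DDOS",)),
        Risk(web, "defacement", "low", ("integrity",), ("CTRL-CHANGE",)),
    ]
```

Calling `control_gaps(build_register(), {"CTRL-MFA", "CTRL-BACKUP"})` lists the controls still missing for the two risks that exceed the threshold; the two low-likelihood risks fall below it and are accepted rather than treated.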
vsRisk 2, the newly refreshed information security risk assessment software, provides the framework, relevant control sets and platform for conducting and reporting on risk assessments. It also includes a list of recognised threats and vulnerabilities drawn from the ISO 27005 database. Multiple risk assessors can now conduct organisation-wide risk assessments of the assets within their control under a single licence. This multiple-assessor approach not only saves time but delivers a concise, uniform and comprehensive risk assessment, culminating in a set of audit-ready reports that also facilitate ISO 27001 compliance.