If you’re trying to protect your organisation from security incidents, you will probably have come across the concept of risk assessments.
This is an essential step to understanding and addressing your weaknesses, and must be done before you introduce new policies or purchase a new piece of software.
To explain why risk assessments are so valuable, we spoke with IT Governance consultant Andrew Pattison, who shares his thoughts from more than twenty years of industry experience.
What are information security risk assessments?
A risk assessment is the process of reviewing the threats an organisation faces and identifying appropriate solutions.
Those threats might include system vulnerabilities that enable cyber criminals to attack, or they could be errors in the way staff handle information.
The assessment encompasses every location in which data is stored, as well as the ways it moves between them. As such, it looks as much at physical threats – such as USB drives going missing or records being tampered with – as it does at computer files being compromised.
The result is that organisations gain a complete overview of where they are at risk, and the specific circumstances under which information can be breached.
Why risk assessments are necessary
At this point, you might ask why each individual organisation must conduct a risk assessment.
Surely the results are broadly the same, given that most companies operate in similar ways: they have digital records held on servers or in the Cloud, they keep physical records, and there is a huge overlap in the software that they use.
Unfortunately, as Andrew Pattison notes, that’s a trap that many people fall into. He explains that many organisations treat risk assessments as tick-box exercises and neglect the benefits that come with them.
No two organisations are exactly alike, and the more detail you put into your risk assessment, the clearer that becomes. As such, the results can – and should – inform specific choices regarding your approach to information security.
How to conduct a risk assessment
There are different schools of thought when it comes to conducting an information security risk assessment. Most organisations will follow the method outlined in the international standard for information security, ISO 27001.
The Standard provides a clear set of guidelines, beginning with the creation of a methodology and a list of information assets, and culminating in a risk evaluation process and risk treatment plan.
But even within that framework, organisations have some freedom. There are no right or wrong answers, but, as Pattison explains, it’s important to “keep it simple” and to ensure that “everyone in the process understands their role”.
He adds: “Remember that less is more: this is not an exercise in producing huge amounts of irrelevant information so that there is a nice complex-looking dashboard that makes you look clever.
“It’s far better to have a small, well-defined and understood group of risks so the organisation understands what the problem is and knows how it is going to deal with it. This is simply quality over quantity.”
Pattison also recommends using a standardised approach, such as ISO 27005, which describes the risk management process for information and cyber security.
This standard sets the parameters that you need but with the flexibility to support the organisation and environment that you find yourself in.
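To make the steps described above concrete, here is a small example, written for this article and not part of the standards or of IT Governance’s own tooling: a risk register that lists assets and the threats to them, evaluates each risk as likelihood multiplied by impact, compares the result with an organisation-wide risk appetite and produces a prioritised risk treatment plan. The assets, scores and the appetite threshold are constructed illustrations, and the "retain or modify" decision rule is a deliberate simplification that a real assessment would extend with the other treatment options (avoid, share).

```python
"""Toy information security risk register and treatment plan.

Illustrative example for the article above; the assets, threats, scores
and the risk appetite are constructed, not taken from ISO 27001/27005.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)
    owner: str       # the person who understands their role for this risk

    def __post_init__(self):
        # Keep the scale small and understood by everyone in the process.
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be between 1 and 5, got {value}")

    @property
    def score(self) -> int:
        """Risk level as likelihood x impact (range 1..25)."""
        return self.likelihood * self.impact


# Constructed sample register covering both physical and digital assets.
SAMPLE_REGISTER = [
    Risk("HR records (paper)", "Filing cabinet records removed or altered", 3, 4, "Facilities"),
    Risk("Customer database", "Unpatched web application exploited", 4, 5, "IT"),
    Risk("Staff laptops", "Unencrypted device lost in transit", 3, 3, "IT"),
    Risk("Corporate email", "Phishing leads to credential theft", 5, 3, "Security"),
]

# Constructed risk appetite: scores at or below this are acceptable as-is.
RISK_APPETITE = 9


def decide_treatment(risk: Risk, appetite: int) -> str:
    """Simplified treatment rule: retain within appetite, otherwise modify
    (apply controls). Real assessments also consider avoid and share."""
    return "retain" if risk.score <= appetite else "modify"


def treatment_plan(register, appetite: int) -> list[dict]:
    """Risk evaluation step: rank risks highest first and attach a decision."""
    ranked = sorted(register, key=lambda r: r.score, reverse=True)
    return [
        {
            "asset": r.asset,
            "threat": r.threat,
            "score": r.score,
            "owner": r.owner,
            "decision": decide_treatment(r, appetite),
        }
        for r in ranked
    ]


def residual_score(risk: Risk, likelihood_after: int, impact_after: int) -> int:
    """Score remaining once a planned control is applied, for the treatment plan."""
    return Risk(risk.asset, risk.threat, likelihood_after, impact_after, risk.owner).score


if __name__ == "__main__":
    for entry in treatment_plan(SAMPLE_REGISTER, RISK_APPETITE):
        print(f"{entry['score']:>2}  {entry['decision']:<7} {entry['asset']}: {entry['threat']} ({entry['owner']})")
```

Running the script prints the four sample risks in priority order; only the laptop risk falls within the constructed appetite and is retained, the other three are marked for modification. The residual_score helper is there for the treatment plan step, so that each proposed control can be recorded with the score expected once it is in place and re-checked against the appetite.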
Simplify your risk assessment process
Those looking for help completing an information security risk assessment should take a look at our software tool vsRisk™.
It contains everything you need to identify and address the threats facing your organisation – and we’re currently offering a free two-week trial.
You can get to grips with its built-in library of risks and controls, track and manage key threats and generate reports, including the risk treatment plan.