Conducting an information security risk assessment – speed and quality matter

Conducting a risk assessment is a fundamental part of information security management. The results of a risk assessment drive the selection of controls and have a significant impact on information security management decisions. Getting the risk assessment wrong can affect the risk treatment decisions you make, and, with them, the security of your organisation. The risk assessment will also have an impact on your budget and resources – it will inform what you need and how much you should spend to address information security risks.

Information security risk assessment – a top challenge

Conducting an information security risk assessment was rated a top challenge by 30% of the participants in the ISO 27001 Global Survey.

ISO 27001, the information security management standard, explicitly requires compliant organisations to carry out risk assessments based on agreed risk acceptance criteria. The selected controls are based on the results of the risk assessment, and need to be monitored and measured to evaluate the performance and effectiveness of the information security management system (ISMS). Moreover, each risk must have an owner and each risk owner must be accountable for that risk.

Performing an effective risk assessment

To a great extent, the quality and effectiveness of an information security risk assessment will depend on the competence of the individual conducting it. It is important that the risk assessor is appropriately qualified and skilled in information security and risk management.

The tools used for conducting an information security risk assessment also play a significant role in its accuracy and quality.

Spreadsheets vs automation tools

If you are using a spreadsheet, you have to determine all of the aspects that need to be considered: you need to identify all potential threats and vulnerabilities (or risks), keep in mind all possible controls, provide documented information in support of those controls, determine remedial actions, and produce risk assessment reports in an auditable format. Going through this process manually can take many weeks of work, and you may still miss things.

Using an information security risk assessment software tool like vsRisk, on the other hand, will significantly reduce the time it takes to conduct a risk assessment by weeks, while improving its effectiveness and saving hundreds of pounds on consultancy fees.

vsRisk contains built-in, searchable databases of threats and vulnerabilities so you can simply select those applicable to your assets or organisation. It includes several control sets, maps controls between standards, and summarises actions planned. Created by leading risk practitioners and fully aligned with ISO 27001:2013, vsRisk produces six audit-ready reports, including the Statement of Applicability, risk treatment plan and risk assessment report.

Importantly, using an automation tool like vsRisk includes many benefits:

  • Ensures accurate results and enables risk assessments to be repeated year after year.
  • Helps to automate a large part of the information security risk assessment.
  • Helps you achieve your ISO 27001:2013 objectives faster.
  • Fast, simple, flexible and customisable.
  • Updated frequently (if you have purchased the 12-month Support and Update package).

See this video to learn about the features and benefits of vsRisk.
