Gone are the days when information security was fobbed off on the IT department. Now, when every employee with an Internet connection could cause a large-scale data breach, it’s clear to all sensible boards that information security is an enterprise-wide concern – which is why an effective ISMS (information security management system) encompasses people, processes and technology.
The international standard ISO 27001, which sets out the requirements of an ISMS, mandates that the security controls an organisation implements are based on the outcome of regular risk assessments to ensure the controls are relevant to the threats the organisation faces and are tailored to the organisation’s risk appetite.
According to the Standard, repeated risk assessments must produce “consistent, valid and comparable results”, but if you’ve ever struggled with spreadsheet-based risk assessments you’ll know how difficult this can be.
Conducting an information security risk assessment is a complex process, which requires considerable planning, specialist knowledge and stakeholder buy-in to appropriately cover all people-, process- and technology-based risks. Without expert guidance, this can only be worked out through trial and error.
Our free white paper, 5 Critical Steps to Successful Risk Assessments, outlines a five-step risk assessment plan that anyone can follow.
This blog, the first in a weekly five-part series, summarises the first of those steps. To find out more about this step – and steps 2 to 5 – download your free copy of the white paper now.
Step 1: Establish a risk assessment framework
First, establish a formal methodology. For risk assessments to be “consistent, valid and comparable” every time they’re carried out, the workings of the risk assessment process need to be objective, transparent and auditable. Moreover, you need to guarantee that different risk assessors will produce consistent results – after all, you can’t be sure that the same people will conduct your risk assessments year-on-year.
That’s why many people choose risk assessment software tools to ensure their risk assessments can address the organisation’s baseline security criteria, risk scale, risk appetite and chosen approach the same way every time.
The information security risk assessment software tool, vsRisk, streamlines the risk assessment process and has been proven to save users huge amounts of time, effort and expense.
For more information on establishing a risk assessment framework, download your copy of 5 Critical Steps to Successful Risk Assessments now.