Five steps to successful information security risk assessments: Step 5


Information security risk management is a complicated business, especially when you’re trying to achieve certification to ISO 27001, the international standard for information security management.

There are so many factors to consider, and so many things to do, that it can be completely overwhelming – even for experienced risk assessors.

Fortunately, help is at hand.

Free white paper: 5 Critical Steps to Successful Risk Assessments

Our free white paper, 5 Critical Steps to Successful Risk Assessments, outlines a five-step risk assessment plan that anyone can follow.

This blog, the fifth in a five-part series, summarises the last of those steps.

To find out more about this foolproof five-step approach, download your free copy of the white paper now.


Step 5: Select risk management options

Last time, we looked at evaluating the risks to the information your organisation holds. The next step is to decide how you will address each risk to bring it into line with your risk appetite.

There are four risk management options, often presented as four Ts: tolerate, terminate, transfer and treat. In other words, you can accept the risk, reject it, take action to shift the risk to another party – usually by insurance – or you can treat it by applying controls to reduce its likelihood or impact.

But how do you determine the criteria that will help you decide how to make consistent decisions? How do you know you’ve covered all risks appropriately? How do you know which controls to use and which should apply to which risk?


Fully aligned with ISO 27001:2013, vsRisk streamlines the risk assessment process, helping you conduct information security risk assessments quickly, easily and consistently.

You won’t even need to spend time or money developing a risk assessment methodology – vsRisk works straight out of the box.

Among many other features, vsRisk contains:

  • A library of assets, assigned to organisational roles that typically manage those assets;
  • Pre-selected threats and vulnerabilities (risks), applied to each asset group;
  • Seven pre-populated control sets – ISO/IEC 27001:2005, ISO/IEC 27001:2013, the PCI DSS, NIST SP 800-53, Cloud Controls Matrix v3, ISO/IEC 27032 and Cyber Essentials.

For more information on establishing a risk assessment framework, download your copy of 5 Critical Steps to Successful Risk Assessments now.


Vigilant white paper: 5 Steps to Successful Risk Assessments

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.