It should go without saying that information security controls – the measures you implement to protect your organisation – should be selected based on the real risks you face. After all, there’s absolutely no point going to the time, trouble and expense of implementing controls to protect against a threat that’s unlikely to occur or one that’ll have little material impact.
To enable you to make informed decisions about which controls to use, you need to carry out an information security risk assessment.
As defined by ISO 27000:2016 – the standard that provides an overview of the ISMS (information security management system) family of standards and definitions for key vocabulary – risk assessment is the “overall process of risk identification, risk analysis and risk evaluation”.
Whatever risk assessment methodology you choose and whatever enterprise risk management (ERM) framework you use, to comply with the international standard for information security management, ISO 27001, you will need to identify:
- The assets your organisation has and the stakeholders who own them.
- The business, legal and contractual requirements that are relevant to the identified assets.
- The value of the identified assets, taking account of their confidentiality, availability and integrity in each of their business, legal and contractual contexts.
- The threats and vulnerabilities that affect the security of those assets.
- The impact on the organisation should the assets be compromised.
- The likelihood of that compromise occurring.
Then you must evaluate your existing security controls, address any gaps, and apply controls consistently in line with the organisation's risk acceptance and risk treatment criteria.
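The steps above amount to a procedure: record each asset and its owner, rate its value in each of confidentiality, integrity and availability, pair it with a threat and vulnerability, rate likelihood, derive impact, and decide treatment against a fixed acceptance criterion. The following is an added worked example of that procedure as a small risk register; it is not code from this article or from Vigilant Software's vsRisk. The 1 to 5 rating scale, the rule that impact is the asset's highest CIA value, the acceptance threshold of 8, and the assets, threats and vulnerabilities are all constructed assumptions for illustration.

```python
"""Minimal ISO 27001-style risk register.

Added example, not from the original article or from vsRisk. The 1-5 scale,
the impact rule, the acceptance threshold and the sample data are all
constructed for illustration.
"""
from dataclasses import dataclass, field

SCALE = range(1, 6)        # 1 (lowest) .. 5 (highest), used for every rating
ACCEPTANCE_THRESHOLD = 8   # assumed criterion: scores at or below this are accepted


@dataclass
class Asset:
    name: str
    owner: str                 # the stakeholder accountable for the asset
    confidentiality: int       # value of the asset in each CIA dimension
    integrity: int
    availability: int
    requirements: list[str] = field(default_factory=list)  # business/legal/contractual


@dataclass
class Risk:
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int
    existing_controls: list[str] = field(default_factory=list)


def check_risk(risk: Risk) -> list[str]:
    """Return the ratings that fall outside SCALE; an empty list means the
    entry is valid. Enforcing one scale is what keeps results comparable."""
    ratings = {
        "confidentiality": risk.asset.confidentiality,
        "integrity": risk.asset.integrity,
        "availability": risk.asset.availability,
        "likelihood": risk.likelihood,
    }
    return [f"{k}={v}" for k, v in ratings.items() if v not in SCALE]


def impact(asset: Asset) -> int:
    """Impact of a compromise, taken here as the asset's highest CIA value."""
    return max(asset.confidentiality, asset.integrity, asset.availability)


def score(risk: Risk) -> int:
    """Risk = likelihood x impact, computed the same way for every entry."""
    return risk.likelihood * impact(risk.asset)


def treatment(risk: Risk, threshold: int = ACCEPTANCE_THRESHOLD) -> str:
    """Apply the acceptance criterion, then note whether a control exists."""
    if score(risk) <= threshold:
        return "accept"
    if not risk.existing_controls:
        return "treat: no control in place"
    return "treat: review existing controls"


def build_register(risks: list[Risk], threshold: int = ACCEPTANCE_THRESHOLD) -> list[dict]:
    """Validate every entry, score it and return rows ordered by score."""
    rows = []
    for r in risks:
        problems = check_risk(r)
        if problems:
            raise ValueError(f"{r.asset.name}/{r.threat}: invalid rating(s) {problems}")
        rows.append({
            "asset": r.asset.name,
            "owner": r.asset.owner,
            "threat": r.threat,
            "vulnerability": r.vulnerability,
            "impact": impact(r.asset),
            "likelihood": r.likelihood,
            "score": score(r),
            "decision": treatment(r, threshold),
        })
    return sorted(rows, key=lambda row: row["score"], reverse=True)


# Constructed sample data (not from the article)
CUSTOMER_DB = Asset("Customer database", "Head of Sales", 5, 4, 3,
                    ["GDPR", "customer contract clause on data handling"])
MARKETING_SITE = Asset("Marketing website", "Marketing Manager", 1, 3, 2)

RISKS = [
    Risk(CUSTOMER_DB, "External attacker", "SQL injection in customer portal", 3,
         ["web application firewall"]),
    Risk(CUSTOMER_DB, "Malicious insider", "Excessive database privileges", 2),
    Risk(MARKETING_SITE, "Web defacement", "Unpatched CMS plugin", 4, ["monthly patching"]),
    Risk(MARKETING_SITE, "Hosting outage", "Single hosting provider", 2, ["daily backups"]),
]

if __name__ == "__main__":
    for row in build_register(RISKS):
        print(f'{row["score"]:>3}  {row["decision"]:<32} {row["asset"]} / {row["threat"]}')
```

The point of `check_risk` is the "consistent, valid and comparable" requirement: a register that silently accepts a likelihood of 7 or an impact rated on a different scale in one tab than another produces scores that cannot be compared, which is exactly the failure mode ad hoc spreadsheets invite. Whether impact should be the maximum CIA value, a sum, or weighted per requirement is a choice your methodology must make explicitly and apply to every asset alike.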
This is, obviously, a complex and time-consuming undertaking, and one that, if you rely on spreadsheets, is prone to error: ratings drift between assessors and between years, and there is then no guarantee that your risk assessment will produce the "consistent, valid and comparable results" the Standard requires.
If your experience of carrying out risk assessments is limited, the prospect of spending hours interviewing the relevant stakeholders and populating spreadsheets probably fills you with dread. There is an alternative, however.
The easy alternative
Vigilant Software’s risk assessment tool, vsRisk™, helps risk assessors deliver repeatable, consistent assessments year after year. Its pre-populated asset library assigns organisational roles to each asset group, and applies relevant potential threats and risks by default. Moreover, its integrated risk, vulnerability and threat databases eliminate the need to compile a list of potential risks, and the built-in control sets help you comply with multiple frameworks.