Embarking on an assessment of information security risks needs to be approached with a carefully planned strategy and project plan, to ensure that the risks and associated mitigating controls deliver the appropriate results.
An element vital to the planning phase of a risk assessment is securing leadership support. Getting senior management commitment to the risk assessment process is vital. It will be difficult to get any project off the ground without senior level support, and a risk assessment exercise that does not have the required leadership backing will fail before it has even started. Having senior management on your side indicates that the company fully supports the project and is committed to providing the required resources and budget.
The cornerstone of any successful risk assessment is the appointment of a suitable project leader to coordinate all the risk management policies and tasks.
This project leader, or lead risk assessor, is responsible for collating all data into a central point, bringing any risk issues that may arise to the attention of senior management, ensuring appropriate tools and resources are available for the risk assessment, and providing guidance and advice to all other individuals participating in the project. In addition, the lead risk assessor will need to ensure that all the assessments were conducted using the same methodology and approach so that the results are consistent and repeatable across the organisation.
It is naturally important for the lead risk assessor to be fully qualified in conducting risk assessments in order to provide this level of support and detail to the project. The risk assessor could be a dedicated and experienced risk manager or an information security professional, depending on the company structure and size.
Organisations that do not have the internal expertise or resource availability for conducting risk assessments can rely on external consultants to help them through the process. This is, however, often expensive, and getting the consultant up to speed with company processes and systems can be a time-consuming engagement.
The other option is to use software that will guide you step-by-step through the entire risk assessment process. vsRisk™ delivers an assessment-ready framework, and includes a database of controls that can be referenced for treating the risks. vsRisk is compliant with ISO27001 and can ensure that the entire organisation follows the same approach and method for conducting risk assessments. The software produces a series of audit-ready risk assessment and comments reports that can be edited and customised in Excel, and includes the option for multiple risk assessors to be appointed to conduct assessments using the same tool.
Used by companies such as Vodafone, the BBC, Capita and G4S, vsRisk has a proven track record of delivering ISO27001-compliant risk assessments quickly, simply and effectively.
A 15-day free trial is available from the Vigilant Software website.