I remain astounded that a staggering 32% of organisations have not carried out any form of risk assessment.
It is almost impossible to implement relevant security measures without conducting a risk assessment.
The risk assessment gives clarity and direction about what needs to be done to improve or adjust an information security programme. Without an understanding of the specific risks the organisation is exposed to, no information security programme can succeed, because there is no way to tell which controls matter and which are wasted effort.
Risk assessments are required by every major security framework
Conducting a risk assessment is the foundation on which an ISO 27001-compliant information security management system (ISMS) is built, and it is equally central to many other frameworks (the NIST SP 800 series, including SP 800-30, the Guide for Conducting Risk Assessments; PCI DSS; and others). ISO 27001 is the international standard that specifies the requirements for an ISMS; its clause 6.1.2 requires the organisation to define and apply a risk assessment process, including the risk acceptance criteria against which results are judged.
The risk assessment identifies the assets in scope, the threats and vulnerabilities each is exposed to, and the likelihood and impact of the resulting risks, and produces reports that give a snapshot of the organisation's entire risk profile.
Reports provide critical insights
These reports serve as valuable audit tools and give security and executive teams crucial information, such as which servers lack critical patches and leave applications open to compromise, or how many risks sit above the risk acceptance threshold. The threshold itself has to be set by management beforehand, as part of the risk acceptance criteria; the reports measure against it, they do not decide it.
The reports help prioritise security controls and provide a baseline against which progress, in the form of reduced residual risk, can be measured.
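As an added example, not part of the original post and not vsRisk's own method: a minimal risk register in Python that produces the figures the reports above are described as carrying (scores, the count above the acceptance threshold, a prioritised list, and the change against a baseline after treatment). It assumes the common qualitative scoring scheme (score = likelihood x impact, each rated 1 to 5, as in ISO 27005 / NIST SP 800-30 style matrices), an acceptance threshold of 8, and constructed sample assets, threats and ratings.

```python
"""
Added illustration of the figures a risk assessment report contains.
Not code from the original post and not vsRisk's method. Assumptions:
score = likelihood x impact, each rated 1..5; the acceptance threshold
and every register row below are constructed for the example.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: int      # 1 = rare .. 5 = almost certain (assumed scale)
    impact: int          # 1 = negligible .. 5 = severe (assumed scale)
    control: str = ""    # treatment applied, empty until one is chosen

    def __post_init__(self):
        # Reject ratings outside the scale so a typo cannot hide a risk.
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be 1..5, got {value}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


# Assumed risk acceptance threshold: scores strictly above it need treatment.
RISK_ACCEPTANCE_THRESHOLD = 8

# Constructed sample register (assets, threats and ratings are illustrative only).
REGISTER = [
    Risk("Customer database server", "Exploitation of unpatched OS vulnerability", 4, 5),
    Risk("HR file share", "Access by ex-employees via stale accounts", 3, 4),
    Risk("Staff laptops", "Loss or theft of an unencrypted device", 3, 3),
    Risk("Public website", "Defacement through a CMS plugin flaw", 2, 2),
    Risk("Backup tapes", "Physical damage in off-site storage", 1, 4),
]


def above_threshold(register, threshold=RISK_ACCEPTANCE_THRESHOLD):
    """Risks that exceed the acceptance threshold and therefore need treatment."""
    return [r for r in register if r.score > threshold]


def prioritise(register):
    """Highest score first; ties broken by impact, then asset name, so reports are stable."""
    return sorted(register, key=lambda r: (-r.score, -r.impact, r.asset))


def snapshot(register, threshold=RISK_ACCEPTANCE_THRESHOLD):
    """Summary figures of the kind an executive report carries."""
    return {
        "total": len(register),
        "above_threshold": len(above_threshold(register, threshold)),
        "max_score": max((r.score for r in register), default=0),
    }


def treat(risk, control, likelihood=None, impact=None):
    """Record a control and the residual likelihood/impact it leaves behind."""
    return replace(
        risk,
        control=control,
        likelihood=risk.likelihood if likelihood is None else likelihood,
        impact=risk.impact if impact is None else impact,
    )


def treated_register():
    """The same register after a first round of treatment (constructed residual ratings)."""
    db, hr, laptops, web, tapes = REGISTER
    return [
        # Patching cuts likelihood, but the residual score (2 x 5 = 10) is still
        # above the threshold: this risk needs a further control or formal acceptance.
        treat(db, "Monthly patch cycle, emergency patching for critical CVEs", likelihood=2),
        treat(hr, "Leaver process disables accounts on exit day", likelihood=1),
        treat(laptops, "Full-disk encryption enforced by MDM", impact=1),
        web,    # score 4: within appetite, accepted as is
        tapes,  # score 4: within appetite, accepted as is
    ]


def progress(baseline, current, threshold=RISK_ACCEPTANCE_THRESHOLD):
    """Measure progress between a baseline assessment and a later one."""
    before, after = snapshot(baseline, threshold), snapshot(current, threshold)
    return {
        "above_threshold_before": before["above_threshold"],
        "above_threshold_after": after["above_threshold"],
        "reduced_by": before["above_threshold"] - after["above_threshold"],
        "still_open": [r.asset for r in prioritise(above_threshold(current, threshold))],
    }


if __name__ == "__main__":
    for r in prioritise(REGISTER):
        flag = "TREAT" if r.score > RISK_ACCEPTANCE_THRESHOLD else "accept"
        print(f"{r.score:>2}  {flag:<6} {r.asset}: {r.threat}")
    print(progress(REGISTER, treated_register()))
```

The point worth noticing is the database server: one control lowers its score from 20 to 10, which is real progress but still above the threshold, so the report keeps it on the treatment list rather than letting a single patching policy close it out.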
However obvious the need for security may seem, executives want any security expenditure justified. A risk assessment supplies that justification: a detailed analysis of what needs to be done to improve or fix the security programme, and why each item matters.
Why 32% of companies fail to conduct a risk assessment is beyond me, but my guess is that they are uninformed about the benefits of risk assessments, or don’t have the budget and resources to conduct them.
Get started with a tool that works
vsRisk™ is the leading information security risk assessment software, and delivers the tools, resources and framework to help organisations planning to undertake a risk assessment for the first time get it done properly, quickly and at a low cost.
Find out how vsRisk can help you here.