Risk assessments are an essential part of any information security management system (ISMS), so it is important that they’re done right and done often.
While the ‘doing it right’ part should be obvious, the need to do it ‘often’ is less regularly discussed. It is not enough to perform the risk assessment once a year and consider it a definitive guide to the threats your organisation faces.
The risk assessment is an ongoing process, one that needs to take into account, for instance, that:
- The process can (almost) always be improved
There are five critical steps to completing a risk assessment, and each can almost always be done more effectively. Each risk assessment should build on past ones, as the organisation learns what works and what doesn’t.
Besides, even if a risk assessment is as comprehensive as it can be at the time, this will only be the case for so long.
- Businesses are always changing
From the way they are run to the technologies they use, businesses are always changing and exposing themselves to new threats. Risk assessments need to take account of changes in all business areas – technology, processes and people.
Technology is especially important here, and particularly software, because it can introduce new vulnerabilities to the organisation that uses it. Most software has bugs, and once a patch is made available, organisations that haven’t applied it are left exposed to cyber attacks.
It is essential that organisations update the software they use and apply patches as they become available.
Simplifying the risk assessment process
There are tools that can simplify the risk assessment process, such as vsRisk™ – the only risk assessment tool built specifically to help organisations comply with ISO 27001, the international standard that describes best practice for an ISMS.
Its integrated risk, vulnerability and threat databases eliminate the need to compile a list of potential risks. It also includes a populated asset library that assigns organisational roles to each asset group, applying relevant potential risks and treatments by default.