Every organisation that handles sensitive data must conduct regular risk assessments, preferably in line with the requirements of ISO 27001.
ISO 27001 is the international standard that describes best practice for implementing and maintaining an ISMS (information security management system). Risk assessments are at the heart of the Standard, as they help organisations:
- Understand the specific scenarios in which their data could be compromised;
- Assess the damage each scenario could cause; and
- Determine how likely it is that these scenarios will occur.
Performing a risk assessment can be tricky, but IT Governance’s five-step approach can help.
1. Establish a risk management framework
The risk management framework governs how you plan on identifying and managing risks. It covers:
- Who you assign risk ownership to;
- How the risks affect the confidentiality, integrity and availability of information;
- Your risk scale (i.e. the method of calculating the estimated damage and probability of each scenario);
- Your risk appetite (i.e. the level of risk your organisation is willing to accept); and
- Your baseline security criteria (i.e. the minimum set of defences you need to fend off risks).
There is no one right way to handle any of these issues. As a result, it’s up to the team leading your ISMS implementation project to decide what works best for your organisation.
2. Identify risks
The next step involves determining the risks to your organisation. You should look for any vulnerability that affects the confidentiality, integrity or availability of information.
We recommend taking an asset-based approach, focusing on your information and the ways it can be compromised. This is simpler to document than a scenario-based approach, in which you run through a variety of security incidents and track the damage through your organisation.
3. Analyse risks
Once you’ve identified the risks, it’s time to assess them in more detail. This involves documenting the specific vulnerabilities that are associated with each risk.
For example, if the threat is ‘theft of a mobile device’, the vulnerability is ‘a lack of formal policy for mobile devices’.
4. Evaluate risks
This is where your risk management framework comes into play. You should take your list of risks and weigh each one against your risk appetite.
Risks that are beyond your risk appetite need to be prioritised, whereas those within it can be dismissed.
5. Select risk treatment options
There are four ways you can treat a risk:
- Avoid the risk entirely by eliminating it.
- Modify the risk by applying security controls.
- Share the risk with a third party (by outsourcing it or purchasing an insurance policy).
- Retain the risk (if the risk falls within your risk appetite).
The method you choose will depend on your circumstances. Avoiding the risk is obviously the most effective way of preventing a security incident, but doing so will probably be expensive if not impossible. For example, many risks are introduced into an organisation by human error, and you won’t often be able to remove the human element from the equation.
You’ll therefore be required to modify most risks. This involves selecting the relevant controls, which are outlined in Annex A of ISO 27001.
Do you have the necessary controls in place?
With the threat of cyber crime so high, it’s vital that your organisation’s security controls leave nothing to be desired. One missing control could be the difference between a minor security scare and a major data breach.
You can check whether your organisation is taking all the necessary steps by completing our cyber security self-assessment. This short questionnaire asks you about your defence measures and suggests ways for you to become more secure.