Risk assessment is the process of identifying, analysing and evaluating risk. An Information Security Risk Assessment (ISRA) gives management the insight to assess whether the controls & tools deployed are appropriate to the risks your organisation faces.
There is no value in implementing security controls & tools against events that do not pose a threat. More importantly, an ISRA highlights the security risks that could impact your organisation.
There are various methodologies for performing an Information Security Risk Assessment. Each depends on industry, size of organisation, geographical location, risk appetite & cost.
Most of our consultants’ experience of either implementing or partaking in ISRA has been in large multinationals such as banks & pharmaceuticals.
What does ISRA in a large multinational organisation include?
- Identification of all the business processes performed by each department. This is why it is extremely useful to have well written and up-to-date procedures and process maps.
- Identification of all the information assets that belong to each process such as PCs, laptops, applications, documentation, and even third parties.
- Each information asset is then reviewed to determine the sensitivity & confidentiality of the data being stored, managed, or processed.
- Each asset & business process is assigned a risk level such as High, Medium or Low.
- Vulnerability & threat analysis is performed on each process and the information assets it uses; the results for each process, or combination of assets, are combined to give an overall risk assessment for each department.
- All departmental ISRA’s are then rolled up to divisional, regional and ultimately a global level.
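The steps above describe a register of rated assets being rolled up department by department to a global view, compared across cycles, and checked against a risk appetite. The following is an added example (not the consultancy's own tooling or a published methodology): a small Python risk register in which each asset's rating is derived from an assumed 3x3 likelihood-by-impact scoring band, floored at the data's sensitivity classification, and each organisational unit inherits the worst rating of its members (a worst-case roll-up, also an assumption). Asset names, departments and scores are constructed sample data.

```python
"""Toy ISRA risk register with hierarchical roll-up (added example).

Assumptions: 3-point likelihood and impact scales, score bands
1-2 Low / 3-4 Medium / 6-9 High, a sensitivity floor on each asset,
and worst-case (max) roll-up across organisational units.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

LEVELS = {"Low": 1, "Medium": 2, "High": 3}
NAMES = {v: k for k, v in LEVELS.items()}


@dataclass(frozen=True)
class Asset:
    name: str
    department: str
    division: str
    region: str
    sensitivity: str   # classification of the data held: Low/Medium/High
    likelihood: int    # 1-3, output of threat analysis
    impact: int        # 1-3, output of vulnerability / business-impact analysis


def asset_risk(asset: Asset) -> str:
    """Rate one asset: likelihood x impact, never below its data sensitivity."""
    score = asset.likelihood * asset.impact
    if score >= 6:
        level = "High"
    elif score >= 3:
        level = "Medium"
    else:
        level = "Low"
    # Sensitivity floor (assumption): highly sensitive data is never rated Low.
    return NAMES[max(LEVELS[level], LEVELS[asset.sensitivity])]


def roll_up(assets, key: str) -> dict:
    """Group assets by an organisational attribute (department/division/region).

    Returns {unit: (overall_level, {level: count})}; the overall level is the
    highest rating of any member, so one High asset makes the unit High.
    """
    groups = defaultdict(list)
    for asset in assets:
        groups[getattr(asset, key)].append(asset_risk(asset))
    return {
        unit: (NAMES[max(LEVELS[lvl] for lvl in levels)], dict(Counter(levels)))
        for unit, levels in groups.items()
    }


def overall_risk(assets) -> str:
    """Global level: the worst regional roll-up."""
    return NAMES[max(LEVELS[level] for level, _ in roll_up(assets, "region").values())]


def actions_required(assets, appetite: str) -> list:
    """Assets rated above the stated risk appetite need a corrective action plan;
    those at or below it may be accepted."""
    return sorted(a.name for a in assets if LEVELS[asset_risk(a)] > LEVELS[appetite])


def compare_cycles(previous, current) -> dict:
    """Report assets whose rating changed since the last documented cycle.

    Returns {asset_name: (old_level, new_level)}; None marks an asset that
    was absent from one of the cycles.
    """
    old = {a.name: asset_risk(a) for a in previous}
    new = {a.name: asset_risk(a) for a in current}
    return {
        name: (old.get(name), new.get(name))
        for name in sorted(set(old) | set(new))
        if old.get(name) != new.get(name)
    }


# Constructed sample register for the current cycle.
REGISTER = [
    Asset("payroll-app", "HR", "Corporate", "EMEA", "High", 2, 3),
    Asset("hr-laptops", "HR", "Corporate", "EMEA", "Medium", 2, 1),
    Asset("trading-platform", "Trading", "Markets", "EMEA", "High", 1, 3),
    Asset("market-data-feed", "Trading", "Markets", "EMEA", "Low", 1, 2),
    Asset("intranet-wiki", "IT", "Corporate", "APAC", "Low", 2, 1),
]

# Constructed previous cycle: identical except the wiki was rated High then.
PREVIOUS_CYCLE = [
    a if a.name != "intranet-wiki" else Asset("intranet-wiki", "IT", "Corporate", "APAC", "Low", 3, 2)
    for a in REGISTER
]

if __name__ == "__main__":
    for level in ("department", "division", "region"):
        print(level, roll_up(REGISTER, level))
    print("global:", overall_risk(REGISTER))
    print("corrective actions (appetite Medium):", actions_required(REGISTER, "Medium"))
    print("changes since last cycle:", compare_cycles(PREVIOUS_CYCLE, REGISTER))
```

Note that the worst-case roll-up deliberately hides nothing: a single High asset in one department lifts its division, region and the global rating to High, which is the behaviour management usually wants when deciding where corrective action plans are needed. The per-level counts kept alongside the overall rating are what makes the roll-up comparable from one cycle to the next.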
This gives management insight into the threats and vulnerabilities of every department, so that material risks can be mitigated with corrective action plans. Depending on risk appetite, some risks may be accepted.
It is important to remember that risk assessment is an ongoing process, and all results should be documented so that they can be compared with those of the next cycle.
Our experience has shown that being able to show evidence of previous and current risk assessments is extremely comforting for auditors and internal compliance. An ISRA demonstrates that management is aware of any risks or gaps and that steps are being taken to close them.
Contact us today for a no-obligation quote or to arrange a risk assessment.