RISK ASSESSMENT and MANAGEMENT
Understanding the risks to an organisation's information assets is paramount to its long-term existence.
Without this knowledge of the risks, an organisation cannot be sure that the measures which it applies to
protect those assets are either justified or effective.
Aston Information Security's consultants aid organisations in implementing effective and practical
risk management and mitigation policies and procedures.
Our risk assessments are designed to identify, quantify and prioritise risks against criteria for risk
acceptance and objectives relevant to the organisation. The results guide and determine the appropriate
management action and priorities for managing information security risks and for implementing the controls
selected to protect against these risks.
Risk assessment is fundamental to developing an ISMS that meets the requirements of ISO 27001, and
is based around ISO27003 which covers:-

Risk assessment

Risk treatment

Management decision making

Risk re-assessment

Monitoring and reviewing of risk profile

Information security risk in the context of corporate governance

Compliance with other risk based standards and regulations
The conduct of a risk assessment ensures that:-

Countermeasures are justified on the basis of asset valuations.

The organisation gains an insight into its specific risk environment.

The residual risk to information assets can be accepted (through the process of accreditation)
on an informed basis, against the 'risk appetite' of the organisation.

The analysis results in a knowledge base which can be used to manage the impact of changes.
RISK MANAGEMENT
Once a risk has been identified, the management options are as set out below:

Mitigate. In most cases this will be the most likely option, and involves the implementation of
countermeasures to reduce the likelihood of the event, and/or the impact.

Avoid. For high impact, high likelihood issues one option is to avoid the problem by ceasing the
activity that leads to the risk.

Transfer. Under some circumstances it may be beneficial to transfer the risk to another party better
equipped to manage it.

Accept. If the likelihood and impact are judged to be sufficiently low, or if there genuinely is no
practical means of countering the problem, then one option is to accept it.
These options are not mutually exclusive: a mixture may be used where appropriate with, for example, a risk being mitigated
to some degree by countermeasures, a particular element of the remaining risk being transferred, and the final level of
residual risk being accepted. The process may be iterative, adjusting and reviewing different options to achieve an acceptable
level of residual risk.
Which of these options (or which combination) an organisation decides to adopt as its risk treatment plan depends on
its business requirements and circumstances.
ONGOING ASSESSMENT and MANAGEMENT
Identifying risks is not a one-off process. The ongoing monitoring of risks and countermeasures is vital in maintaining
effectiveness and retaining ISO 27001 certification. This can be achieved through management reviews, audits and risk reviews.
In the general case there will be one of four drivers for a change to the protection profile of a system:-

the emergence or discovery of a new threat;

the emergence or discovery of a new vulnerability (through audit and/or exploitation);

a requirement for new technology and/or a revised configuration of existing technology; or

a change to asset valuations.
In all cases the recommended first step is to review the significance of the changes.
Significant changes should prompt a review of the risk assessment, leading if necessary to a review of the
implemented countermeasures. The aim should always be to ensure that the implemented countermeasures are appropriate
to the risks.