Information Security Risk Assessment & Risk Treatment
Information security risk assessment and risk treatment is the process of identifying, prioritising and managing the risks to information that an organisation faces.
In ISO 27001 this process (clauses 6.1.2 and 6.1.3) is mandatory, and the risk treatment decisions it produces are what drive the Statement of Applicability.
Cambridge Risk Solutions can assist with each stage of this process, bringing the benefit of an objective viewpoint and years of experience.
Identifying Risks
There are numerous sources of information on risks, including:
- Previous incidents and near misses within your own organisation;
- Events, incidents, advisories and updates published by, for example, the National Cyber Security Centre (NCSC) and similar bodies;
- Anecdotal knowledge;
- The “UK National Risk Register”;
- The Information Commissioner’s Office (ICO);
- Specialist journals, research and whitepapers;
- Annual Reports and Accounts from companies in your sector; and
- Media reports of incidents.
Prioritising Risks
Having identified the risks to your organisation, each one needs to be assessed for its likelihood and its impact, and the result judged in the context of:
- the strategy and objectives of your business;
- the internal and external issues facing your business;
- the needs of your interested parties, such as clients, staff and other stakeholders;
- the legal and regulatory landscape; and
- your organisational risk appetite.
Risks should then be treated accordingly. There are four fundamental responses to each risk, known as the “four T’s”:
- Tolerate (accept) the risk as it is, with the acceptance recorded and signed off by the risk owner;
- Transfer the risk, i.e. buy insurance or outsource the activity to mitigate the financial losses (note that transfer shifts the cost, not the accountability: legal and regulatory obligations, such as those of a data controller, remain with you);
- Treat the risk, i.e. apply controls that reduce the likelihood of the event occurring and/or mitigate the impact if it should occur; or
- Terminate the activity that gives rise to the risk.
The budget available for risk management will never be sufficient to transfer or treat all the risks that face an organisation.
Senior Management must therefore prioritise which risks they will actively address; remaining risks must either be tolerated or terminated, and the residual risk left after any treatment must be formally accepted by the risk owners.
Managing Risks
For those considering ISO 27001, Annex A of the standard lists a reference set of information security controls (93 controls in the 2022 edition). The standard is fairly prescriptive here: the risk treatment process must determine the controls needed to treat each risk, compare them against Annex A to verify that no necessary control has been overlooked, and record the outcome in a Statement of Applicability (SoA).
The Statement of Applicability should list the necessary controls, state whether each is implemented, give the reason for including it (the risk or other requirement it addresses), and give the justification for excluding any Annex A control that is not applied.
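As an added illustration, not part of the original page and not a Cambridge Risk Solutions tool, the Python below keeps a small risk register, checks that the treatment chosen for each risk is consistent with a stated risk appetite (the “four T’s” above), and derives Statement of Applicability entries from the register. The risks, owners, scoring scale, appetite threshold and implementation status are all constructed assumptions; the control numbers follow ISO 27001:2022 Annex A numbering, but only a handful of the 93 controls are included.

```python
"""Added example (constructed data, not from the original page): a minimal
risk register, treatment consistency checks, and an SoA derived from it."""
from dataclasses import dataclass, field

# Constructed subset of ISO 27001:2022 Annex A; a real SoA covers all 93 controls.
ANNEX_A = {
    "5.1": "Policies for information security",
    "5.7": "Threat intelligence",
    "6.3": "Information security awareness, education and training",
    "8.7": "Protection against malware",
    "8.13": "Information backup",
    "8.24": "Use of cryptography",
}

TREATMENTS = {"tolerate", "transfer", "treat", "terminate"}  # the "four T's"


@dataclass
class Risk:
    risk_id: str
    description: str
    likelihood: int          # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int              # assumed scale: 1 (negligible) .. 5 (severe)
    owner: str
    treatment: str           # one of TREATMENTS
    controls: list = field(default_factory=list)  # Annex A IDs applied when "treat"
    justification: str = ""  # needed when tolerating above appetite or transferring

    @property
    def score(self) -> int:
        """Assumed rating scheme: likelihood x impact."""
        return self.likelihood * self.impact


def validate_register(risks, appetite):
    """Return human-readable findings; an empty list means every treatment
    decision is consistent with the appetite and properly justified."""
    findings = []
    for r in risks:
        if r.treatment not in TREATMENTS:
            findings.append(f"{r.risk_id}: unknown treatment '{r.treatment}'")
            continue
        if r.treatment == "treat" and not r.controls:
            findings.append(f"{r.risk_id}: marked 'treat' but no controls assigned")
        if r.treatment == "tolerate" and r.score > appetite and not r.justification:
            findings.append(f"{r.risk_id}: score {r.score} exceeds appetite {appetite} "
                            "but is tolerated without a documented justification")
        if r.treatment == "transfer" and not r.justification:
            findings.append(f"{r.risk_id}: transfer must record what is transferred and to whom")
        for c in r.controls:
            if c not in ANNEX_A:
                findings.append(f"{r.risk_id}: references control {c} not in the catalogue")
    return findings


def build_soa(risks, implemented, other_requirements=None):
    """Map every catalogue control to applicable/excluded, the justification,
    and implementation status, as ISO 27001 clause 6.1.3 d) requires."""
    other_requirements = other_requirements or {}
    treats = {}  # control id -> risks it treats
    for r in risks:
        if r.treatment == "treat":
            for c in r.controls:
                treats.setdefault(c, []).append(r.risk_id)
    soa = {}
    for cid, title in ANNEX_A.items():
        if cid in treats:
            applicable, just = True, "Treats risk(s) " + ", ".join(sorted(treats[cid]))
        elif cid in other_requirements:          # legal/contractual reason, no specific risk
            applicable, just = True, other_requirements[cid]
        else:
            applicable, just = False, "No identified risk or obligation requires it"
        soa[cid] = {"title": title, "applicable": applicable, "justification": just,
                    "implemented": applicable and cid in implemented}
    return soa


# Constructed sample register. R7 is deliberately inconsistent: a score above
# the appetite is tolerated with no justification, so the check should flag it.
RISKS = [
    Risk("R1", "Ransomware encrypts file servers", 3, 5, "Head of IT", "treat", ["8.7", "8.13"]),
    Risk("R2", "Unencrypted laptop lost with client data", 3, 4, "COO", "treat", ["8.24"]),
    Risk("R3", "Staff fall for phishing", 4, 3, "HR Director", "treat", ["6.3"]),
    Risk("R4", "Legacy public FTP service compromised", 2, 4, "Head of IT", "terminate",
         justification="Service decommissioned; no business need"),
    Risk("R5", "Office flooded, paper records lost", 1, 3, "COO", "tolerate"),
    Risk("R6", "Breach leads to legal costs and fines", 2, 5, "CFO", "transfer",
         justification="Cyber insurance covers costs; accountability remains ours"),
    Risk("R7", "Supplier outage halts order processing", 3, 4, "COO", "tolerate"),
]
IMPLEMENTED = {"5.1", "6.3", "8.7", "8.13"}
OTHER_REQUIREMENTS = {"5.1": "Required by ISO 27001 clause 5.2 and client contracts"}
RISK_APPETITE = 8  # assumed: scores above this need a justified, active decision

if __name__ == "__main__":
    for finding in validate_register(RISKS, RISK_APPETITE):
        print("FINDING:", finding)
    for cid, row in build_soa(RISKS, IMPLEMENTED, OTHER_REQUIREMENTS).items():
        status = "applicable" if row["applicable"] else "excluded"
        print(f"{cid:<5} {status:<10} implemented={row['implemented']}  {row['justification']}")
```

Running it prints one finding for R7 and an SoA in which 8.24 is applicable but not yet implemented (a gap the risk treatment plan must close), while 5.7 is excluded with a recorded reason. The point of deriving the SoA from the register rather than writing it separately is traceability: every included control points back to a risk or an obligation, which is exactly what an auditor will ask for.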
We are happy to answer any questions about Business Continuity, Crisis Management, Information Security, Data Protection and Product Recalls.
How Can Cambridge Risk Solutions Help?
Cambridge Risk Solutions provides a range of services to assist with the implementation of Information Security, and has an experienced ISO 27001 Lead Auditor who can assist with readiness for certification to ISO 27001:2022.
View some case studies of recent Information Security and ISO 27001 projects.