Most organisations know that performing a risk assessment is good practice. However, not all organisation actually do risk assessments, and those who do, often approach them in the wrong way. All too often, risk assessments are treated as a project that can be finished and that will be that, whereas the reality is that risk assessment and risk treatment are an ongoing process.
Risk Assessment And Risk Treatment Are a Process
Risk assessment is a process, not a one-off project. The reasons for this can be boiled down to these three points:
- Your business is constantly evolving and changing, just like the world around us – and that includes potential impacts, threats and vulnerabilities!
- Once you’ve assessed your risk, you need to treat it! Risks never cease to exist, and so neither does the need to assess and treat them.
- You need to continuously improve your entire information security management and your risk management needs to keep up.
The bottom line is that you cannot stand still. Think about it: How much is your information security management system worth if it fails to reflect the inevitable changes your business and the world surrounding it are subject to?
Minimise, And Then Minimise Some More
The ISO 27001 standard states that a risk assessment is the driving force behind the security work and that our risk assessment helps to ensure that management is on a firm footing and that the company’s needs are identified.
Having established the importance of a risk assessment, it can seem daunting to get started, but don’t be put off by the magnitude of the tasks at bay. You need to perform a risk assessment on a regular basis, but you can take some shortcuts to help you get started:
- Assets: Start by only assessing your main business processes and IT services, no other types of assets. You can always expand later.
- Threats: Divide your assets in types and identify which threats are relevant to different asset types. This way you prevent your threat catalogue from growing too long and keep it operational instead.
- Up- and downwards inheritance: Benefit from fewer impact assessments and fewer vulnerability assessments by identifying dependencies between your assets.
- High-level first: always start by assessing high-level risk. As risk assessment is a process, you can always refine and evaluate your assets in more detail later.
When all is said and done, all these steps and processes need to be maintained and that might be easier said than done. The key to doing that is overview. The worst thing you can do is keep these processes in static spreadsheets that require you to manually update and keep a close eye on each process. And an interactive tool that helps you keep an overview can drastically minimise the amount of work required to continually assess your risks – and treating them.