We’re getting more and more demand for Cyber Security Risk Assessments these days. What are they and what’s involved?
Very simply, a Risk Assessment helps an organization to:
- Identify information assets that must be protected
- Evaluate threats to those information assets
- Create a plan for addressing those risks
One of the first steps is to define the risk evaluation criteria. The risk assessment method described here is based on ISO 27005.
Next, identify scope and boundaries: which assets are most important to the organization’s mission and goals, or are required for regulatory, legislative, or industry-standard reasons? Other components of the scope boundaries will be organizational, geographical, and technical in nature.
Then, an inventory of the assets is compiled, across these categories: business processes, information, technologies, facilities, and personnel. The owner of the asset is identified.
An assessment is performed across the 12 ISO 27002 domains and 133 ISO 27002 controls to identify the policy, personnel, and process vulnerabilities related to those controls.
An assessment is then performed against the assets that have been inventoried, focusing on the full life-cycle use of each asset. The goal, again, is to identify the policy, personnel, and process vulnerabilities associated with each identified asset.
A technical vulnerability assessment is then performed across the assets that have been inventoried.
A risk analysis and rating is then undertaken to pair each vulnerability found with an applicable threat. Current controls that mitigate that risk are identified, the risk is scored by its impact and its probability of occurring, and the results are prioritized.
A risk treatment plan and remediation roadmap is then prepared.
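To make the rating and prioritization steps concrete, here is an added example of a small risk register in Python (our own illustration, not ISO 27005 text or an assessment tool): each entry pairs an asset's vulnerability with a threat, existing controls reduce the likelihood, the score is impact times residual likelihood, and the treatment plan accepts or treats each risk against acceptance criteria set at the start. The scales, level thresholds, and register entries are constructed sample values.

```python
from dataclasses import dataclass, field

# Risk evaluation criteria, agreed before the assessment starts (constructed values).
LEVELS = ((6, "Low"), (12, "Medium"), (25, "High"))  # inclusive upper score bound -> level
ACCEPTABLE_LEVEL = "Low"                              # risk acceptance criterion


@dataclass
class Risk:
    asset: str
    vulnerability: str
    threat: str
    impact: int      # 1 (negligible) .. 5 (severe)
    likelihood: int  # 1 (rare) .. 5 (almost certain), before existing controls
    controls: dict = field(default_factory=dict)  # control name -> likelihood reduction

    def residual_likelihood(self) -> int:
        # Existing controls lower the likelihood, but never below the minimum of 1.
        return max(1, self.likelihood - sum(self.controls.values()))

    def score(self) -> int:
        return self.impact * self.residual_likelihood()

    def level(self) -> str:
        for bound, name in LEVELS:
            if self.score() <= bound:
                return name
        return LEVELS[-1][1]


def prioritize(risks):
    """Highest-scoring risks first; ties keep register order."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


def treatment_plan(risks):
    """Return (risk, action) pairs: accept risks within criteria, treat the rest."""
    return [(r, "accept" if r.level() == ACCEPTABLE_LEVEL else "treat")
            for r in prioritize(risks)]


# Constructed sample register: asset, vulnerability, threat, impact, likelihood, controls.
SAMPLE_REGISTER = [
    Risk("customer database", "unpatched DBMS", "exploitation by external attacker", 5, 4,
         {"perimeter firewall": 1}),
    Risk("HR file server", "no backup testing", "ransomware", 4, 3,
         {"offline backups": 1, "endpoint protection": 1}),
    Risk("marketing website", "outdated CMS plugin", "defacement", 2, 4),
    Risk("visitor log (paper)", "unattended reception", "theft of visitor data", 1, 2),
]

if __name__ == "__main__":
    for risk, action in treatment_plan(SAMPLE_REGISTER):
        print(f"{risk.score():>2} {risk.level():<6} {action:<6} {risk.asset}: {risk.threat}")
```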
Risk management processes should be cyclical and repeatable. At least the first time through, a risk assessment is usually done via an expert-led, facilitated process.
Feedback from most of our clients that have done a Cyber Security Risk Assessment with us has been that they find the entire experience very educational and that they learn a lot about their own organization by going through the process!
Nancy Sykora
Sr. Account Executive