Information security is about identifying, mitigating and managing the risks that are relevant to an organisation's information assets. Risk assessment is the first necessary step towards understanding those risks: a comprehensive identification and evaluation of the organisation's information security risks.

The output of such an activity is essential for managing the business, because the risks involved can significantly affect the confidentiality, integrity, and availability of information assets, and may be critical for maintaining a competitive edge, financial stability, legal compliance, and a strong commercial image.

As such, risk assessment can help decision makers to:

  • Assess organisational practices and installed technology base;
  • Enforce information protection based on potential impact on the organisation;
  • Focus security activities on what is important. Measures that are associated with acceptable risks can be abandoned;
  • Ensure that implemented measures and expenditure are fully commensurate with the risks to which the organisation is exposed. In this way a balance between the costs of addressing a risk and the benefits derived from avoiding the negative impact can be maintained.

During a risk assessment, an organisation performs activities to:
a) identify information security risks,
b) evaluate the risks to determine priorities, and
c) define how to mitigate the risks.

Information security risk assessment, though, is only the first step towards information security risk management, which is the ongoing process of identifying risks and implementing plans to address them.

Clearly, risk assessment by itself only provides a direction for an organisation's information security activities; it does not lead to meaningful improvement unless the identified measures are actually implemented. As in any other management discipline, carrying out one part of the management life-cycle alone does not bring the desired effects.

No evaluation, no matter how detailed or how expert, will improve the security posture unless the organisation follows through with implementation. Besides risk assessment, effective risk management includes the following steps:

  • Plan how to implement the protection strategy and risk mitigation plans from the evaluation by developing detailed action plans. This activity can include a detailed cost-benefit analysis of various strategies and actions.
  • Implement the selected detailed action plans.
  • Monitor the plans for progress and effectiveness. This activity includes monitoring any changes in risk levels.
  • Control variations in plan execution by taking appropriate corrective actions.

Our next installment – IT Risk & Security: Implementation Parameters…

Green Apple IT, IT Compliance Consulting, ITIL Consulting