Information security risk assessments are an integral part of managing information security. Unfortunately, it is not uncommon for businesses to consider risk assessment as something they need to get over with in order to meet certain requirements.
Those requirements could come from external stakeholders, e.g. legislation, partners, customer contracts etc. Or they could be self-imposed by the need to comply with ISO 27001 (Information Security Management Systems) and/or ISO 27005 (Information Security Risk Management).
What typically happens is that the company assesses its risk, writes up a nice-looking report... and that's the end of it. The report sits in a drawer or on a shelf collecting dust until next year or the next audit.
This is a mistake. Assessing risk is not a project that can be closed down after completion with a check mark. It is an ongoing process.
Why? Here are 3 good reasons why assessing risk is a process, not a project:
- Your business is changing constantly, and so is the world around it, threats and vulnerabilities included.
- After risk assessment comes risk treatment. Treating risks never stops - neither does assessing them.
- Your entire information security management needs to be continuously improved. So does your risk management.
The point is that standing still is not an option. You should assess your business' risk at regular intervals because it makes sense for your business. Think about it this way: how much is your information security management system worth if it fails to reflect the inevitable changes your business and the world surrounding it are subjected to?
The good news
Though it sounds like a tedious and time-consuming task, the sheer magnitude of a risk assessment does not have to be what keeps you from performing it on a regular basis.
There are, in fact, some shortcuts you can use to save valuable time when assessing your risk:
- Not all assets - start by assessing just your main business processes. Not any other type of asset - and certainly not everything with an IP address. You can always expand the scope later.
- Not all threats - prevent your threat catalogue from growing too long to be operational. Divide your assets into types and identify which threats are relevant to each asset type.
- Up- and downwards inheritance - identify dependencies between your assets and benefit from fewer impact assessments and fewer vulnerability assessments.
- High level first - assess risk at a high level first. Later, you will have plenty of opportunity to refine and evaluate your assets in more detail.
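To show how the second and third shortcuts cut down the work, here is an added example (not from the original post): a constructed asset register in which only the two business processes get a direct impact rating, supporting assets inherit the highest impact of whatever depends on them, and threats are listed per asset type rather than per asset. Asset names, types, threats, impact and likelihood values are all hypothetical.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Asset:
    name: str
    asset_type: str
    depends_on: list = field(default_factory=list)
    impact: Optional[int] = None  # 1-5; assessed directly only for business processes

# Constructed register: two business processes and the assets they rely on.
ASSETS = {
    "order handling": Asset("order handling", "process", ["web shop", "erp"], impact=5),
    "payroll":        Asset("payroll", "process", ["erp"], impact=3),
    "web shop":       Asset("web shop", "application", ["app server", "lan"]),
    "erp":            Asset("erp", "application", ["db server", "lan"]),
    "app server":     Asset("app server", "server"),
    "db server":      Asset("db server", "server"),
    "lan":            Asset("lan", "network"),
}

# Short threat catalogue: threats are attached to asset types, not individual assets.
THREATS_BY_TYPE = {
    "process": [],
    "application": ["unauthorised access", "software defect"],
    "server": ["hardware failure", "malware"],
    "network": ["denial of service"],
}
LIKELIHOOD = {"unauthorised access": 3, "software defect": 4,  # constructed 1-5 estimates
              "hardware failure": 2, "malware": 3, "denial of service": 2}

def inherit_impact(assets):
    """Downward inheritance: a supporting asset takes the highest impact of every
    asset that (transitively) depends on it, so only processes need a direct rating."""
    impact = {}
    def resolve(name):
        if name not in impact:
            own = assets[name].impact or 0
            dependents = [a.name for a in assets.values() if name in a.depends_on]
            impact[name] = max([own] + [resolve(d) for d in dependents])
        return impact[name]
    for name in assets:
        resolve(name)
    return impact

def risk_register(assets, impact):
    """Risk = impact x likelihood, computed only for threats relevant to each asset type."""
    rows = [(a.name, t, impact[a.name] * LIKELIHOOD[t])
            for a in assets.values() for t in THREATS_BY_TYPE[a.asset_type]]
    return sorted(rows, key=lambda r: -r[2])
```

With this register, 2 impact ratings cover all 7 assets, and 9 asset/threat pairs are evaluated instead of the 35 a full cross product would require.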