Cyber Security Risk Assessments (10 Steps to Cyber Security)
What is a cyber security risk assessment?
A cyber security risk assessment is the process of identifying, analysing and evaluating risk. It helps to ensure that the cyber security controls you choose are appropriate to the risks your organisation faces.
Without a risk assessment to inform your cyber security choices, you could waste time, effort and resources. There is little point implementing measures to defend against events that are unlikely to occur or won’t impact your organisation.
Likewise, you might underestimate or overlook risks that could cause significant damage. This is why so many best-practice frameworks, standards and laws – including the GDPR (General Data Protection Regulation) – require risk assessments to be conducted.
How do you conduct a cyber security risk assessment?
A cyber security risk assessment identifies the information assets that could be affected by a cyber attack (such as hardware, systems, laptops, customer data and intellectual property). It then identifies the risks that could affect those assets.
A risk estimation and evaluation are usually performed, followed by the selection of controls to treat the identified risks.
It is essential to continually monitor and review the risk environment to detect any changes in the context of the organisation, and to maintain an overview of the complete risk management process.
What does a cyber security risk assessment include?
A typical risk assessment covers the following:
- Identifying the information assets that could be affected by a cyber attack (hardware, systems, laptops, customer data, intellectual property, etc.).
- Identifying the risks that could affect each of those assets.
- Estimating and evaluating each risk, so that risks can be compared and prioritised.
- Selecting the controls necessary to treat the risks that are not acceptable.
- Continually monitoring and reviewing the risk environment to detect changes in the organisation's context, and maintaining an overview of the complete risk management process.
ISO 27001 and cyber risks
The international standard ISO/IEC 27001:2013 (ISO 27001) provides the specifications for a best-practice ISMS (information security management system) – a risk-based approach to information security risk management that addresses people, processes and technology.
Clause 6.1.2 of the Standard sets out the requirements of the information security risk assessment process. Organisations must:
- Establish and maintain specific information security risk criteria;
- Ensure that repeated risk assessments “produce consistent, valid and comparable results”;
- Identify “risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system” and identify the owners of those risks; and
- Analyse and evaluate information security risks, according to the criteria established earlier.
It is essential that organisations “retain documented information about the information security risk assessment process” so that they can demonstrate that they comply with these requirements.
They will also need to follow several steps – and create relevant documentation – as part of the information security risk treatment process.
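To make the Clause 6.1.2 requirements concrete, the following is an added illustration (not code from IT Governance, vsRisk or the Standard) of a minimal risk register: explicit ordinal scales for likelihood and impact so that repeated assessments produce comparable scores, a named owner for every risk, a tag for which of confidentiality, integrity or availability the scenario threatens, and evaluation against an acceptance threshold. The scales, the 5×5 scoring and the threshold of 8 are assumptions; an organisation sets its own criteria. The sample risks are constructed for the example.

```python
"""Minimal ISO 27001-style information security risk register (illustration only).

Added example, not code from IT Governance or vsRisk. The scales, the 5x5
scoring and ACCEPTANCE_THRESHOLD are assumptions standing in for the risk
criteria an organisation defines under clause 6.1.2.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List


class Property(Enum):
    """The security property whose loss the risk scenario describes."""
    CONFIDENTIALITY = "C"
    INTEGRITY = "I"
    AVAILABILITY = "A"


# Risk criteria (assumed): fixed ordinal scales, so two assessors, or the same
# assessor a year apart, score the same scenario the same way.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Risk acceptance criterion (assumed): scores at or below this are accepted;
# anything above must be treated and tracked to its owner.
ACCEPTANCE_THRESHOLD = 8


@dataclass(frozen=True)
class Risk:
    asset: str
    prop: Property
    scenario: str
    owner: str
    likelihood: str
    impact: str

    def __post_init__(self) -> None:
        # Reject values outside the agreed scales rather than silently producing
        # a score that cannot be compared with the rest of the register.
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"unknown likelihood {self.likelihood!r}")
        if self.impact not in IMPACT:
            raise ValueError(f"unknown impact {self.impact!r}")
        if not self.owner:
            raise ValueError("every risk needs an owner")

    @property
    def score(self) -> int:
        """Risk estimation: ordinal likelihood x ordinal impact (1..25)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def decision(self) -> str:
        """Risk evaluation against the acceptance criterion."""
        return "accept" if self.score <= ACCEPTANCE_THRESHOLD else "treat"


def prioritised_register(risks: Iterable[Risk]) -> List[Risk]:
    """Order risks for treatment: highest score first; ties broken by asset and
    property so the ordering is deterministic between runs."""
    return sorted(risks, key=lambda r: (-r.score, r.asset, r.prop.value))


def risks_to_treat(risks: Iterable[Risk]) -> List[Risk]:
    """The subset of the register that exceeds the acceptance criterion."""
    return [r for r in prioritised_register(risks) if r.decision() == "treat"]


# Constructed sample register (not real data).
SAMPLE_RISKS = [
    Risk("customer database", Property.CONFIDENTIALITY,
         "SQL injection in the web app exposes customer records",
         "Head of Engineering", "possible", "severe"),      # 3 x 5 = 15
    Risk("staff laptops", Property.CONFIDENTIALITY,
         "unencrypted laptop lost in transit",
         "IT Manager", "likely", "moderate"),               # 4 x 3 = 12
    Risk("order system", Property.AVAILABILITY,
         "ransomware on the file server halts order processing",
         "Operations Director", "unlikely", "major"),       # 2 x 4 = 8
    Risk("marketing site", Property.INTEGRITY,
         "defacement of the public website",
         "Marketing Manager", "possible", "minor"),         # 3 x 2 = 6
]

if __name__ == "__main__":
    for r in prioritised_register(SAMPLE_RISKS):
        print(f"{r.score:2d} {r.decision():6s} {r.prop.value} {r.asset:18s} owner={r.owner}")
```

The point of the fixed scales and the validation in `__post_init__` is the "consistent, valid and comparable results" requirement: a risk scored with a likelihood word that is not on the scale is rejected, rather than quietly skewing the register. The acceptance threshold is what turns an estimate into a decision, and it should be recorded alongside the register so the reasoning can be shown to an auditor.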
IT Governance cyber risk assessment service
Our team of qualified cyber security advisers will provide business-driven consultation on the overall process of assessing information risk. They will offer support, guidance and advice in the following areas:
- Identifying the assets that require protection.
- Identifying relevant threats and weaknesses.
- Identifying exploitable vulnerabilities.
- Assessing the level of threat posed by threat agents.
- Determining the business impacts of risks being realised.
- Producing a security risk assessment.
- Advising on a risk acceptance threshold or level of acceptance.
- Advising on suitable control implementation.
An enterprise security risk assessment can only give a snapshot of the risks to the organisation's information systems at a particular point in time, so cyber risk assessment should be a continual activity. A comprehensive enterprise security risk assessment should be conducted at least once a year, and whenever significant changes occur to the business, the IT estate or the legal environment.
Who is the cyber risk assessment service for?
A risk assessment consultancy can be performed for organisations of any size – small, medium-sized and large enterprises – and is particularly valuable where the IT infrastructure combines complex legacy systems with newer operating systems whose interoperability is not always seamless.
It is particularly useful to public-sector organisations that provide multiple services across different channels to diverse groups of users - the interchange of personal data across different platforms requires greater vigilance and methods of protection.
Risk assessment software
The risk assessment software tool vsRisk has been proven to save huge amounts of time, effort and expense when tackling complex risk assessments. Fully compliant with ISO 27001, vsRisk streamlines the risk assessment process to deliver consistent and repeatable cyber security risk assessments every time.
The latest version of vsRisk includes three new functionalities: custom acceptance criteria, a risk assessment wizard and control set synchronisation. You can also now export the asset database in order to populate an asset management system or register.
Find out more about vsRisk
Cyber Health Check
This fixed-price, three-day Cyber Health Check combines consultancy and audit with testing and vulnerability assessments to assess your cyber risk exposure. Our four-step approach will identify your actual cyber risks, audit the effectiveness of your responses to those risks, analyse your real risk exposure and then create a prioritised action plan for managing those risks in line with your business objectives.
Find out more about Cyber Health Check
Why use IT Governance?
IT Governance brings a wealth of experience in the cyber security and risk management domain. As part of our information security work with hundreds of private and public organisations in all industries, we have been delivering comprehensive risk assessments for more than ten years. All our consultants are qualified and experienced practitioners.