Cyber Security Risk Assessments (10 Steps to Cyber Security)
Why carry out a cyber security risk assessment?
Today’s attacks are multi-stage and multi-channel by default. According to UK Government research, 74% of small firms in the UK experienced a cyber security breach last year, and 90% of large firms were also targeted. Some incidents caused millions of pounds in damage.
A cyber security risk assessment is necessary to identify the gaps in your organisation’s critical risk areas and to determine actions to close those gaps. It will also ensure that you invest time and money in the right areas and do not waste resources.
HMG’s Ten Steps Approach
Our risk assessment takes into account the government's cyber security guidance for business (published by the Department for Business, Innovation & Skills (BIS) and CESG), which suggests a ten-step approach to cyber security.
ISO 27001 and cyber risks
ISO/IEC 27001 is the international standard for implementing an information security management system (ISMS). ISO 27001 is built around risk-based planning, so that the information risks you identify (including cyber risks) are treated in proportion to the threats your organisation actually faces.
ISO 27001 and Cyber Essentials
Even if you have implemented an ISO 27001-compliant information security management system (ISMS), you may want to check that your cyber security hygiene meets the UK government’s guidelines. The government’s Cyber Essentials scheme provides a set of five controls that organisations can implement to achieve a baseline of cyber security.
What does a cyber security risk assessment include?
A typical risk assessment involves identifying the various information assets that could be affected by a cyber attack (such as hardware, systems, laptops, customer data, intellectual property, etc.), followed by identifying the various risks that could affect those assets. A risk estimation and evaluation is usually performed, followed by the selection of controls necessary to treat the identified risks. It is important to continually monitor and review the risk environment to detect any changes in the context of the organisation, and to maintain an overview of the complete risk management process.
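As an added worked example (this is not code from the page, from IT Governance or from vsRisk), the following Python sketches the steps just described: a register of assets and the risks to them, a likelihood-times-impact estimate, evaluation against a risk appetite, and re-scoring of the residual risk once controls are selected, which is the "monitor and review" loop in miniature. The 1-to-5 scales, the appetite threshold of 6, and the sample register entries are assumptions made for illustration.

```python
"""Minimal risk register: identify assets and risks, estimate, evaluate,
select controls, and re-score residual risk. Added example; the scales,
appetite and sample entries below are assumed, not taken from the page."""
from dataclasses import dataclass, field

# Ordinal 1..5 scales (assumed). Score = likelihood * impact, range 1..25.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # steps down the likelihood scale
    impact_reduction: int = 0      # steps down the impact scale


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: str
    impact: str
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:
        """Risk before any control is applied."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> int:
        """Risk after the selected controls; never drops below 1 on either scale."""
        lik = LIKELIHOOD[self.likelihood]
        imp = IMPACT[self.impact]
        for c in self.controls:
            lik = max(1, lik - c.likelihood_reduction)
            imp = max(1, imp - c.impact_reduction)
        return lik * imp


def evaluate(risk: Risk, appetite: int) -> str:
    """Treatment decision: residual within appetite is accepted, otherwise treated."""
    return "accept" if risk.residual_score() <= appetite else "treat"


def action_plan(register: list, appetite: int) -> list:
    """Prioritised plan: risks still above appetite, highest residual first."""
    open_risks = [r for r in register if evaluate(r, appetite) == "treat"]
    return sorted(open_risks, key=lambda r: r.residual_score(), reverse=True)


def sample_register() -> list:
    """Constructed sample entries (assumed values, for illustration only)."""
    return [
        Risk("Staff laptops", "theft of device holding customer data", "likely", "major",
             controls=[Control("Full-disk encryption", impact_reduction=3)]),
        Risk("Customer database", "ransomware delivered by phishing", "likely", "severe",
             controls=[Control("User awareness training", likelihood_reduction=1),
                       Control("Offline backups", impact_reduction=2)]),
        Risk("Public web server", "exploitation of unpatched vulnerability", "possible", "major"),
    ]


if __name__ == "__main__":
    APPETITE = 6  # assumed: residual scores of 6 or below are accepted
    register = sample_register()
    for r in register:
        print(f"{r.asset}: inherent={r.inherent_score()} residual={r.residual_score()} "
              f"-> {evaluate(r, APPETITE)}")
    print("Action plan:", [r.asset for r in action_plan(register, APPETITE)])
```

Re-running the scoring after a control is added (for example a patching programme on the web server) is the review step: the residual score changes, and the risk may move from "treat" to "accept". In practice the scales and appetite are set by the board-led governance regime described below, not by the tool.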
Cyber Health Check
This fixed-price, three-day Cyber Health Check combines consultancy and audit with testing and vulnerability assessments to assess your cyber risk exposure. Our four-step approach will identify your actual cyber risks, audit the effectiveness of your responses to those risks, analyse your real risk exposure and then create a prioritised action plan for managing those risks in line with your business objectives.
Ten Steps Risk Assessment
Our consultancy team will examine each of the ten risk areas (described below) to identify the strengths and weaknesses of your current security posture. You will receive a consolidated, tailored and immediately usable action plan that will help you close the gap between recognised good practice and what you are actually doing. This is a bespoke service and we can tailor our service to meet your timescale and budget requirements. We focus on quality and results, while offering competitive prices.
The ten risk areas that will be examined are:
- Board-led information risk management regime
Do you have an effective risk governance structure, in which your risk appetite and selected controls are aligned? Do you have appropriate information risk policies and adequate cyber insurance?
- Secure home and mobile working
Do you have a mobile and home-working policy that staff have been trained to follow? Do you have a secure baseline device build in place? Are you protecting data both in transit and at rest?
- User education and awareness
Do you have acceptable use policies covering staff use of systems and equipment? Do you have a relevant staff training programme? Do you have a method of maintaining user awareness of cyber risks?
- User privilege management
Do you have clear account management processes, with a strong password policy and a limited number of privileged accounts? Do you monitor user activity, and control access to activity and audit logs?
- Removable media controls
Do you have a policy controlling mobile and removable computer media? Are all sensitive devices appropriately encrypted? Do you scan for malware before allowing connections to your systems?
- Activity monitoring
Do you have a monitoring strategy? Do you continuously monitor activity on ICT systems and networks, including for rogue wireless access points? Do you analyse network logs in real time, looking for evidence of mounting attacks? Do you continuously scan for new technical vulnerabilities?
- Secure configurations
Do you have a technical vulnerability patching programme in place, and is it up to date? Do you maintain a secure configuration for all ICT devices? Do you have an asset inventory of authorised devices, and do you have a defined baseline build for all devices?
- Malware protection
Do you have an appropriate anti-malware policy and practices that are effective against likely threats? Do you continuously scan the network and attachments for malware?
- Network security
Do you protect your networks against internal and external attacks with firewalls and penetration testing? Do you filter out unauthorised or malicious content? Do you monitor and test security controls?
- Incident management
Do you have an incident response and disaster recovery plan? Is it tested for readily identifiable compromise scenarios? Do you have an incident forensic capability, and do you know how to report cyber incidents?
Cyber risk assessment software
With vsRisk™, information security risk assessments have never been faster, simpler or easier. vsRisk is packed with powerful features, giving you full control of the risk assessment process, and delivers streamlined, consistent and repeatable cyber security risk assessments. Including a prepopulated sample risk assessment, vsRisk is trusted by leading risk practitioners as a cyber security risk assessment tool.
Why use IT Governance?
IT Governance brings a wealth of experience in the cyber security and risk management domain. As part of our information security work with hundreds of private and public organisations in all industries, we have been delivering comprehensive risk assessments for more than ten years. All our consultants are qualified and experienced practitioners.
Call us on +44 (0)845 070 1750 today or email servicecentre@itgovernance.co.uk for a no-obligation quote or to arrange a risk assessment.