What is Risk Assessment?
Every day we all conduct numerous risk assessments, probably without even realising that we are doing so. All of these involve making assessments about the possible threats, the potential impacts and the costs involved in taking the possible precautions.
When we are talking about the security of information, there are many people who may have an interest in protecting the data, each of whom may have different views on the risks and what would represent the appropriate controls. Ultimately, the best way to reach agreement is for the organisation to document and agree its views on the risks to the information and the protection it should put in place against those risks, i.e. to conduct a risk assessment.
Why carry out a risk assessment?
As documented in ISO 27001, performing a sound risk assessment is critical to establishing an effective Information Security Management System (ISMS). The risk assessment should provide the framework for establishing policy guidelines and identifying the necessary controls and procedures that the organisation needs to implement.
The risk assessment is necessary to ensure:
• The assessment of threats, vulnerabilities and potential impacts has been conducted in a comprehensive and objective manner.
• The conclusions reached about the requirements for security can be agreed by all parties involved.
• There is a common basis, agreed by all stakeholders, on which to discuss the need or otherwise for particular countermeasures.
• The results have been documented in such a manner that they can be shared with people, such as external auditors, who have not been involved in the original assessment.
How can P2 help?
P2 has extensive experience, gained from conducting hundreds of risk assessments in both the Private and Public sectors, and can help conduct risk assessments quickly and effectively.
P2’s team includes the consultant who led the work on developing CRAMM, which was the UK Government’s recognised approach to risk assessment, and therefore has knowledge not only of how to complete a risk assessment, but also the theories behind the risk assessment methods.
P2 has put together bespoke training courses on how to conduct risk assessments and foundation courses in information security.