Every organisation faces security risks and must therefore implement robust cyber security controls. Cyber security risk assessments are used to evaluate those controls and confirm they are appropriate. In this article we look more closely at these important aspects of any cyber security strategy.
The importance of risk assessments
Without a risk assessment, you will likely waste time and effort. Your cyber security practices and processes must be informed, otherwise you may implement unnecessary measures. There is little point in guarding against incidents that are unlikely to occur or which will not have a large impact upon your organisation.
If you do not complete regular assessments, you may also miss potential risks that could be significant. This is exactly why best-practice frameworks, standards and laws require risk assessments to be carried out.
Typically, risk assessments allow you to identify the information assets that could be affected by a cyber-attack. These may include hardware, systems and laptops, as well as data. Once these potential targets are known, it is then time to focus upon the risks that could affect them. At this point a risk estimation and evaluation is performed, which is then followed by selecting the controls required to remedy any identified risks. It is worth noting that the ‘risk environment’ must be monitored continuously thereafter, so that any changes to it are discovered.
How to complete a risk assessment
Cyber security risk assessments are typically carried out once a year, with the following steps taken:
- Identify and list the assets in scope
- Identify and log the risks, threats and vulnerabilities that affect them
- Evaluate the existing security controls and map them against those risks
- Assess the likelihood of each incident and its potential impact
- Prioritise the cyber security risks and recommend controls
- Record the outcomes for future reference
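As an added illustration of the steps above (this is example code written for this article, not a tool from any standard or vendor), the following Python builds a small risk register: each entry names an asset, a threat and a vulnerability, scores likelihood and impact on a 1 to 5 scale, maps the controls already in place, and then prioritises by the residual score that remains once those controls are taken into account. All assets, threats, scores and controls are constructed sample data, and the 1 to 5 scale and rating bands are assumptions for the example; organisations pick their own.

```python
"""Minimal cyber security risk register: identify, score, map controls, prioritise, record."""
from dataclasses import dataclass, field

# Assumed scale: likelihood 1 (rare) .. 5 (almost certain), impact 1 (negligible) .. 5 (severe).
# Score = likelihood x impact (1..25); bands below are an assumption, not a standard's values.
RATING_BANDS = [(20, "critical"), (12, "high"), (6, "medium"), (1, "low")]


def validate_score(value: int, name: str) -> int:
    # Reject out-of-range inputs early; a "0" or "6" silently skews the whole register.
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")
    return value


def rate(score: int) -> str:
    """Map a numeric score onto a rating band."""
    for threshold, label in RATING_BANDS:
        if score >= threshold:
            return label
    return "low"


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # points of likelihood the control removes
    impact_reduction: int = 0      # points of impact the control removes


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    controls: list = field(default_factory=list)

    def __post_init__(self):
        validate_score(self.likelihood, "likelihood")
        validate_score(self.impact, "impact")

    def inherent_score(self) -> int:
        """Risk before any controls are considered."""
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        """Risk after mapped controls; neither factor can drop below 1."""
        likelihood = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        impact = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return likelihood * impact


def build_sample_register() -> list:
    """Constructed sample data standing in for the asset and risk identification steps."""
    return [
        Risk("customer database", "ransomware", "unpatched database server", 4, 5,
             [Control("monthly patching", likelihood_reduction=2),
              Control("offline backups", impact_reduction=2)]),
        Risk("staff laptops", "device theft", "no full-disk encryption", 3, 4,
             [Control("full-disk encryption", impact_reduction=3)]),
        Risk("public website", "denial of service", "no rate limiting", 3, 2),
        Risk("corporate email", "phishing", "no multi-factor authentication", 5, 4,
             [Control("multi-factor authentication", likelihood_reduction=1, impact_reduction=2)]),
    ]


def prioritise(register: list) -> list:
    """Highest residual risk first; ties broken by inherent risk so untreated exposure surfaces."""
    return sorted(register, key=lambda r: (r.residual_score(), r.inherent_score()), reverse=True)


def record_outcomes(register: list) -> list:
    """Flatten the prioritised register into rows suitable for storing as this year's outcome."""
    return [
        {
            "priority": rank,
            "asset": r.asset,
            "threat": r.threat,
            "inherent": r.inherent_score(),
            "inherent_rating": rate(r.inherent_score()),
            "residual": r.residual_score(),
            "residual_rating": rate(r.residual_score()),
            "controls": [c.name for c in r.controls],
        }
        for rank, r in enumerate(prioritise(register), start=1)
    ]


if __name__ == "__main__":
    for row in record_outcomes(build_sample_register()):
        print(f"{row['priority']}. {row['asset']:<18} {row['threat']:<18} "
              f"inherent={row['inherent']:>2} ({row['inherent_rating']}) "
              f"residual={row['residual']:>2} ({row['residual_rating']})")
```

Keeping inherent and residual scores side by side is the part worth copying: it shows which controls are actually carrying the risk down, and a risk whose residual score stays high despite several mapped controls is the one to revisit first.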
It is important to note that a cyber security risk assessment typically looks only at cyber threats, so risks such as fire and flooding are out of scope. These would, however, be included in a general risk assessment. It is also worth noting that cyber security risk assessments can help to create a more risk-aware culture within an organisation.
When approaching cyber security risk assessments, you can break the process down into 5 key areas:
- Risk identification
- Risk analysis
- Evaluation of risks
Some other tips to consider are as follows:
- Focus each assessment on specific aspects of, or departments within, the business (trying to complete a full assessment in one go can be too big of an ask)
- Gain the full support of all stakeholders whose activities fall within the scope of your assessment
- Make sure everyone involved is familiar with the terminology used in a risk assessment, such as likelihood and impact
- Before a risk assessment, it is worth reviewing standards such as ISO/IEC 27001 and frameworks like NIST SP 800-37 and ISO/IEC TS 27110
If you would like to speak in more detail about risk assessments then we would love to hear from you.