NII provides Information Security Risk Management consulting services for managing and mitigating the risks to the organization.
Assessing information security risks is one element of a broader set of risk management activities. Other elements include establishing a central management focal point, implementing appropriate policies and related controls, promoting awareness, and monitoring and evaluating policy and control effectiveness.
Benefits of a Risk Assessment exercise
Some of the benefits of carrying out a Risk Assessment exercise are as follows:
- Review Information Security Policy and Network Security Architecture and advise on and agree scope of the Information Security Management System
- Agree control objectives (Statement of Applicability)
- Review controls (interview, observation, inspection)
- Information Security Management status report and findings
- Final report with recommendations for improvement and options for implementation of ISO 27001.
- Implement the recommendations to bridge the identified gaps
As reliance on computer systems and electronic data has grown, information security risk has joined the array of risks that governments and businesses must manage. Regardless of the types of risk being considered, all NII risk assessments generally include the following elements
- Identifying threats that could harm and, thus, adversely affect critical operations and assets
- Estimating the likelihood that such threats will materialize based on historical information and judgment of knowledgeable individuals
- Identifying and ranking the value, sensitivity, and criticality of the operations and assets that could be affected should a threat materialize in order to determine which operations and assets are the most important
- Estimating for the most critical and sensitive assets and operations, the potential losses or damage that could occur if a threat materializes, including recovery costs
- Identifying cost-effective actions to mitigate or reduce the risk. These actions can include implementing new organizational policies and procedures as well as technical or physical controls
- Documenting the results and developing an action plan