Your company is carrying out an information security risk assessment. As a manager, what do you need to know?

If you want to safeguard your business information, you will be interested in obtaining ISO27001 certification. ISO27001 is an international standard for an Information Security Management System (ISMS). ISO27001 will help you to protect your business information from thieves, hostile attacks or accidents. Compliance with ISO27001 can also enhance the reputation of your company and open up attractive business opportunities.

In order to comply with ISO27001, your company will need to have a risk assessment carried out. You need to identify the risks to your business information before you can understand the best way to protect it.

Asset owners and their role

Information security needs cross-organisation buy-in, so a proper risk assessment will involve people in the company other than the IT specialists. Under ISO27001, the measures that form part of a risk assessment include a specific role for asset owners. The assets are the information that is of value to the company, while the asset owners are defined in the standard as “the individual or entity that has approved management responsibility for controlling the production, development, maintenance, use and security of the assets.” In practice, the asset owners are usually managers or system administrators. This book tells the asset owners in your company the information they need in order to be able to participate in a risk assessment.

Threats and vulnerabilities

Risks to information security are a matter of both threats and vulnerabilities. Vulnerabilities are security weaknesses in the existing systems. Threats have the potential to harm your information security, either as a result of accidently encountering weaknesses in your security, or as part of a deliberate scheme to take advantage of those weaknesses. Nothing can jeopardise the security of your business information unless it has a point of vulnerability to exploit. Differentiating between threats and vulnerabilities is therefore vital for evaluating information risk. The asset owner will be responsible for identifying the threats and vulnerabilities relating to the asset.

Controls

Controls are the counter-measures, or safeguards, designed to reduce risks. Asset owners will be responsible for identifying the controls regarding the asset that are currently in place. Asset owners may also be expected to identify alternative or additional controls. You can only move on to selecting the appropriate controls after you have completed the risk assessment.

Benefits to business include:

• Deliver guidance across the board
  A risk assessment needs the participation of asset owners throughout the organisation, which means they all have to be aware of the fundamental principles involved. This book will give asset owners the guidance they require.
• Target the controls
  The guidance provided to asset owners in this book will help your company establish the right controls for managing the risks.
• Spend money wisely
  Sometimes companies have adopted controls that are in excess of their requirements. Once you have carried out a risk assessment, you can ensure that the controls your business has in place will be making the best possible use of your resources.
• Profit from compliance
  Drawing on the guidance for asset owners offered in this book, your business can move a step closer towards ISO27001 certification. If your Information Security Management System has achieved ISO27001 certification, this can give your business a head-start and open up new opportunities.

As the authors observe, “Every organisation faces numerous information-related risks, and most will want to develop cost-effective methodologies for ensuring the confidentiality, integrity and availability of their organisation’s information.”

Buy this book so your company’s key people are well primed for your information security risk assessment