Risk Assessment for Asset Owners

by Alan Calder, Steve Watkins
Overview

Your company is carrying out an information security risk assessment. As a manager, what do you need to know?

If you want to safeguard your business information, you will be interested in obtaining ISO27001 certification. ISO27001 is an international standard for an Information Security Management System (ISMS). ISO27001 will help you to protect your business information from thieves, hostile attacks or accidents. Compliance with ISO27001 can also enhance the reputation of your company and open up attractive business opportunities.

In order to comply with ISO27001, your company will need to have a risk assessment carried out. You need to identify the risks to your business information before you can understand the best way to protect it.

Asset owners and their role

Information security needs cross-organisation buy-in, so a proper risk assessment will involve people in the company other than the IT specialists. Under ISO27001, the measures that form part of a risk assessment include a specific role for asset owners. The assets are the information that is of value to the company, while the asset owners are defined in the standard as “the individual or entity that has approved management responsibility for controlling the production, development, maintenance, use and security of the assets.” In practice, the asset owners are usually managers or system administrators. This book tells the asset owners in your company the information they need in order to be able to participate in a risk assessment.

Threats and vulnerabilities

Risks to information security are a matter of both threats and vulnerabilities. Vulnerabilities are security weaknesses in the existing systems. Threats have the potential to harm your information security, either as a result of accidentally encountering weaknesses in your security, or as part of a deliberate scheme to take advantage of those weaknesses. Nothing can jeopardise the security of your business information unless it has a point of vulnerability to exploit. Differentiating between threats and vulnerabilities is therefore vital for evaluating information risk. The asset owner will be responsible for identifying the threats and vulnerabilities relating to the asset.

Controls

Controls are the counter-measures, or safeguards, designed to reduce risks. Asset owners will be responsible for identifying the controls regarding the asset that are currently in place. Asset owners may also be expected to identify alternative or additional controls. You can only move on to selecting the appropriate controls after you have completed the risk assessment.

Benefits to business include:

  • Deliver guidance across the board
    A risk assessment needs the participation of asset owners throughout the organisation, which means they all have to be aware of the fundamental principles involved. This book will give asset owners the guidance they require.
  • Target the controls
    The guidance provided to asset owners in this book will help your company establish the right controls for managing the risks.
  • Spend money wisely
    Sometimes companies have adopted controls that are in excess of their requirements. Once you have carried out a risk assessment, you can ensure that the controls your business has in place will be making the best possible use of your resources.
  • Profit from compliance
    Drawing on the guidance for asset owners offered in this book, your business can move a step closer towards ISO27001 certification. If your Information Security Management System has achieved ISO27001 certification, this can give your business a head-start and open up new opportunities.

As the authors observe, “Every organisation faces numerous information-related risks, and most will want to develop cost-effective methodologies for ensuring the confidentiality, integrity and availability of their organisation’s information.”

Buy this book so your company’s key people are well primed for your information security risk assessment.

Product Details

ISBN-13: 9781849281232
Publisher: IT Governance Ltd
Publication date: 05/01/2007
Sold by: Barnes & Noble
Format: NOOK Book
Pages: 46
File size: 265 KB

Meet the Author

Steve G Watkins leads the consultancy and training services of IT Governance Ltd. In his various roles in both the public and private sectors he has been responsible for most support disciplines. He has over 20 years’ experience of managing integrated management systems, and is a lead auditor for ISO27001 and ISO9000. He is now an ISMS Technical Expert for UKAS, and provides them with advice for their assessments of certification bodies offering certification to ISO27001.

Alan Calder is the Founder and Executive Chairman of IT Governance Ltd, an information, advice and consultancy firm that helps company boards tackle IT governance, risk management, compliance and information security issues. He has many years of senior management experience in the private and public sectors.
