How do you perform a risk assessment, and what do you do with the results? Find out the answers to some common risk assessment questions in Part 1 of our two-part series!
Why should you perform a risk assessment?
Performing risk assessments regularly is a fundamental requirement of most security frameworks. A risk assessment should provide you with information that allows you to direct your limited security resources effectively.
Take a look at the following statements from ISO 27001 and SOC 2:
ISO 27001 Clause 6.1.2: “The organization shall define and apply an information security risk assessment process that… establishes and maintains information security risk criteria… identifies the information security risks… analyses the information security risks… and evaluates the information security risks.”
SOC 2 Criteria CC3.1: COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
The goal is not to meet a compliance requirement, but to identify legitimate risks to the organization, rank them, and treat them. Next, we’ll discuss what a risk assessment practically looks like.
Who should be involved?
Top-level management should perform the risk assessment. The higher level of manager you include, the more valuable this process will be.
C-level executives, directors, and other managers should be performing the risk assessment, evaluating risk, and creating action plans. Again, the goal is to identify legitimate risks at an organization-wide level. Developers, HR personnel, and other employees that work at a tactical level should be brought in as needed.
How often should you assess risk?
Management should be assessing risk annually at a minimum. We recommend that management perform a full risk assessment once a year, with quarterly follow-ups.
Once risk treatment plans have been developed, the teams responsible for remediation should meet regularly and report back up to management.
How do you identify risks?
Management should consider a wide range of categories when identifying risks. Below are some of the most common risk categories and examples of each:
- Organizational: Lack of information security talent; high turnover in the technology department
- Technical: Outdated infrastructure; lack of mobile device management
- Legislative: Emerging privacy laws; international expansion
- Customers: Increased security requirements; high-value customer retention
- Physical: Fire; natural disasters
An asset-based risk assessment is one common approach in which one ranks assets by criticality. Next, management determines the threats and vulnerabilities that affect each asset. From this point, management should be able to determine the biggest risks for each asset.
How do you rank risks?
Risk levels are based on the potential impact and likelihood, should the risk materialize. We typically measure impact on a scale of 1-5, or from “negligible” to “near-fatal”.
Similarly, we rank likelihood from 1-5, or from “rare” to “almost certain”. To get the final risk score, multiply the impact and likelihood scores. This initial risk score serves as your guide for risk prioritization and are based on NIST 800-30.
In this blog, we looked at how to perform the risk assessment, including the why, who, and when. In Part 2, we’ll dive into what to do with risks once they have been identified, as well as what documentation you need to support your risk management program!