Risk Management – What is it?
Benefits to ISO 27001

What is the Key Role Risk Management Plays in Protecting our Information Assets?

We are going to explore why the focus on a risk-based approach has helped turn ISO 27001, the International Information Security Management Standard, into such a world-beater.

Before we dive in, let’s set the scene and try to define what we mean by risk and risk management.

What is ‘Risk’?

Here’s an interesting challenge. Ask 5 of your colleagues to tell you what they understand by risk, and we’ll be very surprised if they all give the same answer; nor would we be surprised if some struggle to answer the question at all.

Let’s see how the international standards define risk, starting with ISO 31000 the International Standard for Risk Management – Principles and guidelines.

The Standard defines risk as the ‘effect of uncertainty on objectives’. We find this definition a little nebulous, which is probably not surprising given the universal nature of ISO 31000 and that it addresses all types of risk.

However, ISO 27000 expands on the ISO 31000 definition and comes up with something more substantial and specific i.e. ‘Information security risk is associated with the potential that threats will exploit vulnerabilities of an information asset or group of information assets and thereby cause harm to an organization.’

Implicit in this definition is that in order for a risk to exist there must be something that we care about, in this case, information and, more specifically, the confidentiality, integrity and availability of information.

You can also see the importance of viewing risk from the perspective of achieving business objectives. If you’re a healthcare services provider, for example, and your goal is to win and maintain more clients, it’s imperative that you protect the confidentiality of any personal data.

Once you have identified that it is the confidentiality of personal data you particularly care about, you can then start to look at the threats and vulnerabilities that could lead to a breach of confidentiality of personal data.

What is Risk Management?

OK, let’s start with the ISO 31000 definition, which is the ‘coordinated activities to direct and control an organisation with regard to risk’.

To expand on this, we are looking at activities which allow us to better identify, analyse and evaluate risks and allow us to manage them proactively in order to minimise any possible damage and maximise any opportunities.

The last point is important, in that whilst risk generally has a negative association, there can be positive outcomes.

If your organisation, for example, has a well-developed risk management process in place, this can provide you with a competitive advantage vis-à-vis your competitors, e.g. when evaluating whether it would be advantageous to enter a new market.

Without a robust risk management process, you could either miss the opportunity or enter the market blindly, hoping that it pays off.

Why is Risk Management Important to Information Security?

The confidentiality, integrity and availability of our information assets are threatened by a vast array of internal and external threats and there is no way we can protect ourselves against every potential threat.

In essence, risk management enables us to target our efforts and security measures where they are most needed and are going to give us the best return for our investment. This is naturally important, as none of us have unlimited resources, be that finances, manpower, competence or time.

There is also the other aspect to consider – even if we did have unlimited resources, and we apply information security controls indiscriminately, productivity would almost certainly suffer.

As per URM’s strapline, it’s all about getting the balance right and in this case, it’s about achieving the optimum trade-off between security and productivity. There really can be too much security!

The key aspect of risk management is that it enables organisations, in a world of uncertainty, to make informed decisions about which risks are the most urgent to address: essentially, the ones which present the greatest danger to the most valued information assets, taking into account both likelihood and impact.

Why is Risk Management so Important to ISO 27001?

By adopting a risk-based approach, ISO 27001 acknowledges that organisations are all different, e.g. in size, industry sector, ownership, organisational structure, maturity, business objectives, risk appetite, culture.

Not only that, the Standard also takes account of the fact that we are all operating in a dynamic, changing environment, where some are growing and others are consolidating. We are all subject to external changes, such as regulation or legislation changes and the emergence of new competition and new opportunities.

Threats to our information assets are also changing and nowhere more so than in the Cyber World. We are constantly under attack from new scams or old scams with a new twist, all aimed at gaining unauthorised access to our information, our most valuable asset.

ISO 27001 clearly recognises that there is ‘no silver bullet’ or ‘one size fits all’ solution to information security. As such, it does not prescribe any specific controls (it simply provides a set of 114 controls for us to consider). What it does prescribe, however, is a continual improvement management system which has risk assessment and risk treatment at its heart.

Thereby, we can all proactively implement a set of security measures which are tailored to our specific information assets and the threats to those assets, whilst at the same time allowing us to factor in things such as business objectives and risk appetites.

Having (hopefully!) set out the importance of risk management, in our next blog we are going to address the challenges of calculating risks and conducting risk assessments and risk treatment activities.

What is Information Security Risk?

Information security risk is simply a combination of the impact that could result from a threat compromising one of your important information assets and the likelihood of this happening.

ISO 27001 Risk Management Framework – Implement, Certify and Comply

There are several discrete stages in an ISO 27001 risk management methodology. First of all, it is important to understand the information security context of your organisation.

Once this has been achieved you can perform a risk assessment which includes the need to identify your risks, analyse them and evaluate them. You then need to determine a suitable treatment for the risks you have assessed and then implement that treatment.

It is vitally important that you do not see this as a one-off exercise. Your risk management methodology should be designed to be iterative.

This enables you to not only review the status of risks you have previously identified, taking into consideration any potential changes in context, but it also enables you to identify new risks.

ISO 27001 Risk Management – What is Risk Appetite?

Risk appetite is simply the amount and type of risk you are willing to accept or retain in order to allow business operations to proceed.

This is important because too much security can sometimes compromise your operational viability, whereas too little will reduce the confidence of your stakeholders.

Some types of organisations are willing to accept more risk than others. For example, a hedge fund manager is likely to take more risk in order to make greater profits over a short space of time, whereas a pension fund manager generally prefers a less risky steady growth approach.

ISO 27001 Risk Assessment Methodology – Risk Identification

Once you have determined the context, you can go ahead and conduct a risk assessment. The first part of a risk assessment is to identify the risks that you face. This can be broken down into three elements.

The first element is to identify your information assets. An information asset is any information that has value to you.

There are several different ways to calculate the value of an asset, but it is important that you not only consider the confidentiality needs of the information, but also the integrity and availability requirements.
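The ideas above (an asset valued on its confidentiality, integrity and availability needs; risk as the combination of impact and likelihood; a risk appetite threshold deciding what is treated and what is retained; and re-assessment when the context changes) can be tied together in a small risk register. The following is an added example written for this page, not URM’s or ISO 27001’s own methodology. Everything about its scales is an assumption: a 1 to 5 scale for C, I, A and likelihood, asset value taken as the worst of the three requirements, risk score as value multiplied by likelihood, and a risk appetite expressed as a score above which a risk must be treated. The sample assets and risks are constructed for illustration.

```python
"""Toy ISO 27001-style risk register (added example; scales are assumptions)."""
from dataclasses import dataclass

SCALE = range(1, 6)  # assumed 1 (low) .. 5 (high) scale for C, I, A and likelihood


@dataclass(frozen=True)
class InformationAsset:
    """Any information that has value to the organisation."""
    name: str
    confidentiality: int
    integrity: int
    availability: int

    def __post_init__(self):
        for rating in (self.confidentiality, self.integrity, self.availability):
            if rating not in SCALE:
                raise ValueError(f"{self.name}: ratings must be in 1..5")

    def value(self) -> int:
        # Assumption: the most demanding of the three requirements drives impact,
        # so an asset with low confidentiality but high availability needs is
        # still a high-value asset.
        return max(self.confidentiality, self.integrity, self.availability)


@dataclass(frozen=True)
class Risk:
    """A threat exploiting a vulnerability of an asset, with an estimated likelihood."""
    asset: InformationAsset
    threat: str
    vulnerability: str
    likelihood: int

    def __post_init__(self):
        if self.likelihood not in SCALE:
            raise ValueError(f"{self.threat}: likelihood must be in 1..5")

    def score(self) -> int:
        # Assumption: risk = impact (asset value) x likelihood
        return self.asset.value() * self.likelihood


def evaluate(risks, appetite):
    """Risk evaluation: rank highest first and propose a treatment decision.

    A score above the appetite must be treated (e.g. by applying controls);
    a score at or below it may be retained as an accepted risk.
    """
    ranked = sorted(risks, key=lambda r: r.score(), reverse=True)
    return [(r, "treat" if r.score() > appetite else "accept") for r in ranked]


def reassess(risk, new_likelihood):
    """Iteration: revisit a previously identified risk after the context changes
    (e.g. a control was implemented, or a new attack trend raised the likelihood)."""
    return Risk(risk.asset, risk.threat, risk.vulnerability, new_likelihood)


# Constructed sample data for a fictional healthcare provider (not real assets)
PATIENT_RECORDS = InformationAsset("patient records", confidentiality=5, integrity=4, availability=3)
PUBLIC_WEBSITE = InformationAsset("public website", confidentiality=1, integrity=3, availability=4)

RISKS = [
    Risk(PATIENT_RECORDS, "phishing of staff", "no multi-factor authentication", likelihood=4),
    Risk(PUBLIC_WEBSITE, "denial of service", "single hosting provider", likelihood=3),
]
APPETITE = 12  # assumed: scores above 12 are outside the organisation's appetite


if __name__ == "__main__":
    for risk, decision in evaluate(RISKS, APPETITE):
        print(f"{risk.score():>3}  {decision:<6} {risk.asset.name}: {risk.threat}")
    # After introducing MFA the phishing likelihood is re-estimated and the risk re-scored
    print("reassessed:", reassess(RISKS[0], new_likelihood=2).score())
```

Running the block ranks the patient-records phishing risk (5 × 4 = 20) above the website outage (4 × 3 = 12); with an appetite of 12 the first is marked for treatment and the second accepted. Re-assessing the first risk with a lower likelihood after a control is applied brings it to 10, which illustrates why the methodology must be iterative rather than a one-off exercise.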
