Implementation of an Information Security Risk Management
Identify assets and risks, derive and implement measures.
With more than 10 years of experience ... we support you in:
- Designing and implementing an effective methodology for dealing with information security risks.
- Conducting and moderating workshops to identify and assess the relevant risks.
- Defining and identifying appropriate measures.
- Optionally, advising and supporting you in selecting a suitable risk management or GRC (governance, risk and compliance) tool.
The steps to your InfoSec risk management
Risk management process and governance
Before we start recording your risks, we first define the necessary framework conditions. These include:
- Defining the risk appetite and the exact risk methodology (protection needs or risk levels, aspects to be considered in the risk assessment, ...).
- Defining and assigning responsibility for the (regular) execution of the risk management process.
- Defining and assigning responsibility for (residual) risks.
- Establishing the framework conditions for the acceptance of risks.
- Establishing the necessary communication channels and interfaces, for example to the company-wide risk management or to other risk management systems.
(Figure "Risk management process and governance": Creating the framework conditions)
Determining the protection needs
When determining the protection needs, we record all 'primary assets' (= processes and information) within the scope of the ISMS and evaluate their protection needs in terms of
- availability,
- confidentiality and
- integrity.
Based on the primary assets, we identify the necessary resources (= applications, systems, networks, people, buildings/rooms or other information providers) that are required to operate the processes or handle the information, and also assess their protection needs.
(Figure "Determining the protection needs": Identify assets)
Detailed risk assessment
A detailed risk assessment is carried out for critical assets. This includes a more in-depth analysis of possible damage scenarios, including an assessment of their likelihood of occurrence and the extent of damage in the event of an actual occurrence.
Because the detailed, scenario-based risk assessment is carried out only for critical assets, the focus always stays on the relevant assets while the approach remains pragmatic.
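The two steps above, inheriting protection needs from primary assets to the supporting resources and selecting the critical assets for the detailed assessment, as an added illustration in Python (not code from the page or the consultancy). The three-level scale, the maximum-principle aggregation, the "very high" criticality criterion and the 1-4 likelihood/damage scales are assumptions; the assets and dependencies are constructed.

```python
"""Protection-needs inheritance and selection of critical assets.

Added example, not part of the original page. Scale, aggregation rule
(maximum principle), the 'critical' criterion and the risk scoring are
assumptions; the sample assets and dependencies are constructed."""
from collections import defaultdict

LEVELS = {"normal": 1, "high": 2, "very high": 3}   # assumed ordinal scale
DIMENSIONS = ("availability", "confidentiality", "integrity")

# Constructed primary assets (processes/information) with their protection needs.
PRIMARY = {
    "payroll process": {"availability": "normal", "confidentiality": "very high", "integrity": "high"},
    "customer portal": {"availability": "high", "confidentiality": "high", "integrity": "high"},
    "marketing site": {"availability": "normal", "confidentiality": "normal", "integrity": "normal"},
}

# Constructed dependencies: primary asset -> supporting resources it needs.
DEPENDS_ON = {
    "payroll process": ["HR application", "database cluster", "office network"],
    "customer portal": ["web frontend", "database cluster", "office network"],
    "marketing site": ["web frontend"],
}

def inherit_protection_needs(primary, depends_on):
    """A supporting resource inherits, per dimension, the highest need of any
    primary asset that depends on it (maximum principle, assumed)."""
    needs = defaultdict(lambda: {d: "normal" for d in DIMENSIONS})
    for asset, resources in depends_on.items():
        for res in resources:
            for d in DIMENSIONS:
                if LEVELS[primary[asset][d]] > LEVELS[needs[res][d]]:
                    needs[res][d] = primary[asset][d]
    return dict(needs)

def critical_assets(needs, threshold="very high"):
    """Assets that get a detailed, scenario-based risk assessment: any
    dimension at or above the threshold (assumed criterion)."""
    return sorted(a for a, n in needs.items()
                  if any(LEVELS[n[d]] >= LEVELS[threshold] for d in DIMENSIONS))

def risk_level(likelihood, damage, appetite=6):
    """Detailed assessment of one damage scenario: likelihood x damage on
    assumed 1-4 scales. Above the risk appetite a measure is required;
    otherwise the residual risk can be formally accepted by the risk owner."""
    score = likelihood * damage
    return score, ("treat" if score > appetite else "accept")

if __name__ == "__main__":
    derived = inherit_protection_needs(PRIMARY, DEPENDS_ON)
    for asset in critical_assets(derived):
        print(asset, derived[asset])
    print(risk_level(3, 4))
```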
(Figure "Detailed risk assessment": Identify risks)
Risk management and implementation tracking
Depending on the risk level determined, individual technical and/or organisational measures must be defined to reduce the risk to an acceptable level (according to the defined framework for risk acceptance), or the (residual) risk is formally accepted by the person responsible for it.
In addition to defining measures, this phase focuses in particular on tracking the defined measures and their timely and effective implementation.
(Figure "Risk management and implementation tracking": Eliminate risks)
Success factors in risk management
In risk management for information security (InfoSec risk management), common standards such as ISO 27005 or ISO 31000, as well as best practices and organisation-specific circumstances play a major role. The various risk management systems at the detailed level (IT or information security) should be integrated into the overall picture of company-wide risk management (enterprise risk management).
Information security risk management is a central and important building block for the operation of an effective ISMS. It is a tool for selecting, prioritising and establishing appropriate measures to address identified threats and vulnerabilities.
Beyond meeting the various standard requirements, InfoSec risk management must above all be able to single out the genuinely relevant risks from the multitude of vulnerabilities and threats. For the identified risks, measures must then be defined and implemented that are both appropriate (in terms of the security level they achieve) and proportionate (in economic terms).
Our goal is to work with you to implement a method that is both pragmatic and effective. In doing so, we rely on proven standards and best practices such as ISO 27001, ISO 27005, BSI Standard 200-3, ISO 31000 and, above all, our experience and intuition of what is essential.