Managing Information Security Risk using Adoptech
The risk management process aims to continuously identify information security risks faced by a company, assess those risks and take actions to treat them.
For ISO 27001 and SOC 2 you are required to maintain an information security risk register that has captured known risks and details how they will be managed.
The risk management workflow within Adoptech is aligned with the internationally recognised ISO 27005 standard (information security specific version of ISO 31000).
The process includes a number of steps:
- Risk Identification
- Risk Assessment
  - Estimating inherent risk
  - Establish a risk treatment plan
  - Estimate the residual risk
  - Approve the assessment and risk treatment plan
- Tracking risk
- Reporting and communicating risks
- Re-assessment of risk
- Generate risk treatment reports
These steps all aim to reduce the likelihood or impact of potential risks as outlined below:
1. Risk identification
Start by identifying the risks that may impact your business and add them to your risk register. The types of risk you face will be unique to your firm and identifying the risks can be time-consuming, but we’ve made it easy!
Adoptech provides a library of over 150 risks with pre-mapped controls. Simply select from the library or add your own custom risks to the risk register.
When trying to think about risks that may impact your business, we ask clients to consider:
a) where data is held. Once you've established where the data is held, the risks faced are easier to identify, for example, if data is held in an employee's head and not documented anywhere, there is a key person risk that should be addressed.
b) from a cyber security and information security perspective, what situations would be bad for business; what are you worried about?
Each threat identified is then entered in the register as a risk scenario by including an event and an outcome, for example, “Employee installs malicious application, leading to breach of company data.”
Add risks to your register from the library or add custom risks:
The risks you select will be added to your risk register:
Note: you can edit the Risk name by selecting ‘Edit’ from the meatball menu on the RHS
2. Risk Assessment:
Now you have identified risks that may impact your business, it's time to estimate the potential impact of those risks and determine how to treat them.
Estimate the inherent risk:
Determine the inherent risk that each risk presents to your business. This is done by estimating:
- the likelihood of the risk occurring (scored 1 to 5):
  1. Very unlikely to occur
  2. Low, unlikely to occur
  3. Medium, it is possible that it could occur; it has not occurred in the past
  4. High, it is likely that it will happen; it has occurred in the past but not recently
  5. Very high, it probably will occur
- the consequence to the Company if the risk were to occur (scored 1 to 5). The severity of the risk shall be assessed against business, legal, regulatory and contractual security obligations:
  1. Minimal impact, not really noticeable
  2. Slight impact, would be felt but would not affect our operations
  3. Impact, would affect operations but no long-term effect on turnover
  4. Major impact, would affect turnover
  5. Severe impact, business would be threatened
Establish a risk treatment plan
It is the responsibility of the risk owner under the guidance of the InfoSec Team to implement a risk treatment plan to reduce each risk to an acceptable level using one or more of the methods outlined below:
- Modify (sometimes called mitigate) by applying security controls that aim to reduce the likelihood or impact of the risk.
- Share the risk with a partner, typically an insurance company.
- Avoid the risk by ceasing the activity or changing the circumstances that are causing the risk.
- Retain the risk on the basis that it is within your agreed tolerance levels, or on the basis that the cost to treat the risk would outweigh the benefit.
If you choose to Modify/Mitigate the risk, commonly used controls have been pre-mapped; select whether to keep those and/or add more.
If further actions are required to treat the risk, add them and track their completion. For example, you may need to enable FileVault/BitLocker to encrypt data held on company laptops.
Estimate the residual risk
Now re-assess the potential impact of the risk, taking into consideration your risk treatment plan. For the avoidance of doubt, the estimated residual risk is a point-in-time assessment of risk; it must not be based on the risk that will be faced once future controls are implemented.
As an example, if you have modified/mitigated the risk of a cyber attack by implementing security awareness training, the likelihood of an attack will have been reduced. If you shared the risk of a cyber attack by taking out cyber insurance, this will reduce the consequence/impact. In both instances the residual risk score for your business will have been lowered as a result of your actions.
Ensure that actions are being undertaken and additional controls are implemented to treat risks outside tolerance levels. The residual risk score can be used to help prioritise efforts.
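The assessment steps above (1-to-5 likelihood and consequence scores, a treatment plan of modify/share/avoid/retain, then a residual score that only counts controls already in place) can be modelled as a small register. The following is an added illustration, not Adoptech's own code or scoring logic. It assumes that the risk score is likelihood multiplied by consequence, that "avoid" drives likelihood to its floor, and that a tolerance threshold of 9 is in force; none of these are stated on the page. The sample risks are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Scoring scales as described in the text (1 to 5 each).
LIKELIHOOD = {1: "Very unlikely", 2: "Low", 3: "Medium", 4: "High", 5: "Very high"}
CONSEQUENCE = {1: "Minimal", 2: "Slight", 3: "Impact", 4: "Major", 5: "Severe"}

TREATMENT_METHODS = ("modify", "share", "avoid", "retain")


@dataclass
class Treatment:
    method: str                    # one of TREATMENT_METHODS
    description: str
    implemented: bool              # only implemented treatments count (point-in-time rule)
    likelihood_reduction: int = 0  # points removed from likelihood (e.g. awareness training)
    consequence_reduction: int = 0  # points removed from consequence (e.g. cyber insurance)

    def __post_init__(self):
        if self.method not in TREATMENT_METHODS:
            raise ValueError(f"unknown treatment method: {self.method}")


@dataclass
class Risk:
    scenario: str  # event plus outcome, e.g. "X happens, leading to Y"
    likelihood: int
    consequence: int
    treatments: List[Treatment] = field(default_factory=list)

    def __post_init__(self):
        for name, value in (("likelihood", self.likelihood), ("consequence", self.consequence)):
            if value not in LIKELIHOOD:
                raise ValueError(f"{name} must be 1..5, got {value}")

    def inherent_score(self) -> int:
        # Assumed scoring formula: likelihood x consequence (not stated on the page).
        return self.likelihood * self.consequence

    def residual(self) -> Tuple[int, int]:
        """Residual (likelihood, consequence) counting implemented treatments only."""
        likelihood, consequence = self.likelihood, self.consequence
        for t in self.treatments:
            if not t.implemented:
                continue  # planned controls must not lower the residual score
            if t.method == "avoid":
                likelihood = 1  # assumption: ceasing the activity takes likelihood to its floor
            elif t.method in ("modify", "share"):
                likelihood -= t.likelihood_reduction
                consequence -= t.consequence_reduction
            # "retain" changes nothing; the risk is accepted as-is
        return max(1, likelihood), max(1, consequence)

    def residual_score(self) -> int:
        likelihood, consequence = self.residual()
        return likelihood * consequence

    def outside_tolerance(self, tolerance: int) -> bool:
        return self.residual_score() > tolerance


def prioritised(risks: List[Risk], tolerance: int) -> List[dict]:
    """Order the register by residual score, flagging risks still outside tolerance."""
    rows = [
        {
            "scenario": r.scenario,
            "inherent": r.inherent_score(),
            "residual": r.residual_score(),
            "outside_tolerance": r.outside_tolerance(tolerance),
            "pending_actions": [t.description for t in r.treatments if not t.implemented],
        }
        for r in risks
    ]
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


# Constructed sample register (values chosen for illustration only).
SAMPLE_RISKS = [
    Risk(
        "Employee installs malicious application, leading to breach of company data",
        likelihood=4, consequence=4,
        treatments=[
            Treatment("modify", "Security awareness training", implemented=True, likelihood_reduction=1),
            Treatment("share", "Cyber insurance policy", implemented=True, consequence_reduction=1),
            # Planned but not yet live: must be ignored by the residual calculation.
            Treatment("modify", "Application allow-listing via MDM", implemented=False, likelihood_reduction=2),
        ],
    ),
    Risk(
        "Key-person risk: infrastructure knowledge held only in one engineer's head",
        likelihood=3, consequence=4,
        treatments=[Treatment("retain", "Accepted until documentation is written", implemented=True)],
    ),
]

if __name__ == "__main__":
    for row in prioritised(SAMPLE_RISKS, tolerance=9):
        print(row)
```

The malicious-application scenario starts at an inherent 16; training and insurance each remove one point, giving a residual of 3 x 3 = 9, while the unimplemented allow-listing control is listed under pending actions rather than lowering the score. The retained key-person risk stays at 12 and is flagged as outside tolerance, which is exactly the case where owner sign-off matters most.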
Approve the assessment and treatment plan
An appropriate member of the team, typically the owner of each risk, needs to sign off that they have assessed the risk treatment plan and understand the residual risk that remains. This is especially important if the residual risk remains critical or outside normal tolerance.
Each time the risk treatment plan and assessment of risk are changed, the risk will require approval.
3. Track risks:
The owner of the risk is required to:
- Track any actions raised and ensure they are carried out
- Verify the controls in place to manage the risk are being carried out
4. Report and communicate risks
The risk register should be reviewed in your security committee meetings to ensure that the senior team are aware of the risks faced and where appropriate they commit resource to address those risks.
5. Re-assess the risks
The security committee meetings are also a good opportunity to review the risk environment and discuss whether risks have changed in the context of your organisation. If new risks are identified, add them to the register. If the likelihood or consequence of a risk has changed, update the register and approve the respective treatment plan.
It is important that this risk assessment process continues; it is fundamental to the continuous improvement of your security posture and a prerequisite for certifications such as ISO 27001 and SOC 2.
Before re-assessing your risks and updating the risk register generate a risk report.
Generating a risk report:
Risk reports capture a summary of your risk register (current risks) and the assessments that have been undertaken. The reports can be used to demonstrate to auditors that the risk management process is being undertaken.
1. On the Risk register page, select Reports:
2. Or, on the Data Room page, on the Reports tab, click on +Add new and select Risk Register
If you have any questions on the risk management process, open a chat with a member of the team.