Many companies, especially smaller ones, have tried to use risk assessment tools as part and parcel of their ISO implementation project, but unfortunately the result is that it costs too much money and time with very little effect. First, a company needs to know what risk assessment actually is. It is a process during which a company identifies its information security risks and determines their impact and their likelihood of harming it. In layman's terms, a company should be able to identify its potential problems together with the information required to solve them. The main purpose of risk assessment is to find out which controls are needed to reduce the company's risk.
How is risk assessment carried out?
Well, risk assessment is usually carried out by identifying and evaluating the assets, the threats and the vulnerabilities. An asset is anything that has value to the organization: software, hardware, people, data and infrastructure. A vulnerability is a weakness in an asset, control, process, etc. that could be exploited by a threat. A good example of a vulnerability is the lack of anti-virus software; the directly related threat is a virus.
Where do you get the methodology and catalogues?
If you are using the services of a consultant, he should provide them; free catalogues are also available on the internet, or you just need to do some research on Google. The methodology is usually not available free of charge, but some websites sell one. This whole process can take less time and money than purchasing a risk assessment tool and learning how to use it.
What is the process of risk assessment?
A proper methodology usually contains a method for identifying assets, threats and vulnerabilities, a method for assessing impacts and likelihoods, and a method for calculating the risk. The catalogues should contain at least 30 vulnerabilities and threats, but even that might be too much for smaller companies. Here are the basic steps of risk assessment and treatment.
- Define and document the entire methodology and distribute it among the asset owners in the company
- Organize interviews with each asset owner; during the interview, identify the assets and their associated threats and vulnerabilities, then ask the owner to assess the impact and likelihood if each specific risk were to occur
- Combine the data in a spreadsheet, compute the risks and mark the risks that are not acceptable
- For each risk that is not acceptable, choose one or more controls, calculate the new level of risk once the controls are implemented, and check that it is acceptable
Therefore, if you are wondering how to go about risk assessment, you can take the points mentioned above into account. Without the right kind of risk assessment, you will not get a clear picture of the risks to your business.