Information Risk Management Approach

A planned, systematic approach to information security risk management is essential to determine organizational expectations regarding information security requirements and to develop an effective information security management system (ISMS). This approach should take the organization's environment into account and, specifically, should be aligned with overall enterprise risk management. Security efforts should resolve risks in an effective and timely manner, where and when they are required. Information security risk management should be an integral part of all information security management tasks and activities and should apply both to the implementation and to the ongoing operation of an ISMS.


Risk Management Considerations

Information security risk management needs to be a continual process. The process should establish the organizational context, covering both external and internal context issues, assess the risks, and mitigate the risks through a risk treatment plan that implements the resulting recommendations and decisions. Risk management analyses what can occur and what the possible results or consequences could be, before evaluating what needs to be done, and when, to reduce the risk to an acceptable or tolerable level.

Information security risk management needs to contribute significantly to the following:

• Information risks being identified
• Risks being analyzed in terms of their consequences to the business and the probability of their occurrence
• The probability and consequences of these risks being communicated and understood
• The priority level for risk mitigation being established
• The priority level for actions to reduce risks occurring
• Stakeholders being involved when risk management decisions are made and kept informed of the risk management status
• The effectiveness of risk treatment being monitored
• Risks and the risk management process being monitored and reviewed regularly
• Information being collected to improve the risk management approach
• Managers and staff being trained about the risks and the actions taken to treat them

The information security risk management process is applicable to the entire organization, to any discrete part of the organization (for example a department, a physical location, or a service), to any information system, whether currently existing or planned, or to particular aspects of control (for example business continuity planning).

Figure: Information security risk management iterative process

As the figure above illustrates, the information security risk management process is iterative for the risk assessment and risk treatment activities. An iterative approach to risk assessment increases the depth and detail of the assessment at each iteration. It provides a good balance between reducing the time and effort consumed in identifying controls and still ensuring that high risks are accurately assessed. The context is established first. Then a risk assessment is performed. If this yields adequate information to effectively identify the actions required to modify the risks to a tolerable level, the task is complete and the risk treatment follows. If the information is inadequate, another iteration of the risk assessment with revised context (risk evaluation criteria, risk acceptance criteria or impact criteria) is carried out, possibly on limited parts of the total scope (see figure above, Risk Decision Point 1). The effectiveness of the risk mitigation depends on the outcome of the risk assessment. It must be borne in mind that risk treatment involves a cyclical process of:

• assessing a risk treatment

• determining whether residual risk levels are tolerable

• generating a new risk treatment if risk levels are not tolerable, and

• assessing the effectiveness of that risk treatment

It is likely that the risk mitigation will not immediately lead to a tolerable level of residual risk. In this scenario, another iteration of the risk assessment with changed context parameters (risk assessment, risk acceptance or impact criteria) may be required, followed by further risk treatment (see figure above, Risk Decision Point 2).

The risk tolerance activity needs to ensure that residual risks are explicitly accepted by the managers of the company. This is especially significant where the implementation of controls is omitted or postponed, e.g. due to cost factors. Throughout the information security risk management process it is vitally important that risks and their treatment are communicated to the designated managers and the responsible operational team. Even before the risks are mitigated, information about identified risks can be very valuable in managing risk-related incidents and can help to minimize potential damage. Awareness among managers and staff of the risks, of the nature of the controls required to mitigate them, and of the areas of concern to the company assists in dealing with incidents and unexpected events in the most effective manner.

The detailed outcome of every activity of the information security risk management process, and of the two risk decision points, must be documented. ISO 27001 specifies that the controls deployed within the scope, boundaries, and context of the ISMS need to be risk-based. The application of a robust information security risk management process fulfills this requirement.


PDCA Approach to Information Security Risk Management

There are numerous approaches by which the process can be successfully implemented in a company. The organization should use whichever approach best suits its circumstances for each specific application of the process. In an ISMS, establishing the context, risk assessment, developing the risk treatment plan and risk acceptance are necessarily part of the "plan" phase. In the "do" phase of the ISMS, the actions and controls required to reduce the risk to a tolerable level are implemented according to the risk treatment plan. In the "check" phase of the ISMS, the respective managers identify the need for revisions of the risk assessment and risk treatment in the light of incidents and changes in circumstances. In the "act" phase, any actions required, including a further application of the information security risk management process, are performed.

The following table summarizes the information security risk management activities relevant to the four phases of the ISMS process:

Table: Information security risk management activities in the PDCA phases

Risk management is the backbone of information security. It is the mainstay of the information security management system framework. Only organizations that follow the cardinal rules of robust information security risk management survive. The rest actually "Rest in Peace" (RIP). Compromising on time, resources, and learning is the key vulnerability that annihilates an entity as if it never existed in the first place.

A comprehensive checklist on information security risk management has been prepared by industry experts and information security risk management principal auditors and lead instructors. This checklist on risk management in information security is useful for career professionals, organizations, consultants, designated risk owners, internal auditors and lead auditors.
