The 2014 Information Risk Maturity Index from Iron Mountain and PwC revealed that firms in the UK have fallen behind their European counterparts when it comes to managing and responding to information risk.
The annual index is based on a study of 1,800 companies of different sizes, and measures how prepared they are to address key information risk trends against a maximum score of 100.
The average Information Risk Maturity Index score is 65.7 for the enterprise group (up to 100,000 employees) and 55.3 for the mid-market (250-2500 employees). In North America, large organisations score 65.7 on average, while the mid-market scores 54.5 on average; the results for Europe come in at 66.3 for enterprises and 56.1 for mid-market.
UK mid-market firms score 55.9, just below the European mid-market average of 56.1 and more than four points below the leading European country, Hungary, which scored 60.2.
Using ISO27001 to manage information risks
With the proliferation of data breaches, managing risk effectively will become a core competence for any organisation.
Carrying out an information security risk assessment is at the heart of information risk management.
Using a best practice approach such as the information security management standard ISO27001 can help ensure the risk assessment process is effective and reflects business needs. Moreover, the assessment and management of information security risks is at the core of the ISO27001 approach.
ISO27001:2013 offers more flexibility in terms of the information risk assessment methodology than the older version, ISO27001:2005, and has also introduced a new concept: the risk owner (“person or entity with the accountability and authority to manage a risk” – ISO 27000:2014). The previous version of ISO27001 did not mandate risk owners but rather asset owners.
According to Steve Watkins, director at IT Governance, “ISO27001:2013 offers the opportunity to utilise an approach that means operational managers can really get involved and own the challenge. Adopting a method that non-IS executives will adapt to relatively easily is more likely to result in those same people coming to the IS function with prompts for updates and reviews as they better understand the approach, how it seamlessly links with the corporate risk assessment, and that the ‘reward’ is more appropriately aligned to the time and effort required.”
The asset-based risk assessment approach mandated by the 2005 version of ISO27001 is still widely regarded as best practice and remains a robust methodology for conducting risk assessments. It involves compiling an asset register, identifying the threats and vulnerabilities that could pose risks to those assets, and analysing each risk to establish its likelihood and impact level.
Whichever risk assessment methodology an organisation chooses, it should revisit that methodology periodically to ensure it still meets the organisation's requirements and keeps pace with the evolving threat landscape.
How one company is using ISO27001 to assess information risks
Garry Smallman, service delivery manager at Charityshare, one of IT Governance’s clients, explained in a case study how the Standard has helped his company manage risks.
“I particularly liked the changes with regard to risk assessment. For example, you need to identify risk owners for each risk. We have always made our decisions at Charityshare on the basis of proper risk assessments.
“In ISO 27001:2013 the risk owners must accept the residual risks and approve the Risk treatment plan – which fits the way we work. Treatment options in the 2013 revision are not limited only to applying controls, accepting risks, avoiding risks, and transferring risks as they were in the 2005 revision – basically, you are free to consider any treatment option appropriate.”
Learn more about ISO27001
The Case for ISO27001 will help you understand the role ISO27001 plays in fighting cyber crime, managing information security risk and improving the overall security posture of your organisation.