They come in twos. Risk assessment and risk treatment constitute the core elements of risk management, a process that allows managers to balance the operational and economic costs of protective measures and achieve gains in mission capability by protecting the IT systems and data that support their organisation's missions. Without risk assessment (RA), risk treatment (RT) cannot be carried out, and vice versa: RT cannot be done without RA.
Risk assessment and risk treatment are inseparable; they are the Romeo and Juliet of the 21st century.
The power of the Big Two
Risk assessment enables you to identify threats and assess the likelihood of those threats exploiting some organisational vulnerability, as well as the potential impact of such an event occurring. Once the risks are identified and assessed, the assessment process stops.
Some of the benefits include:
• Identification of assets (i.e. anything that has a value to the organisation) within the scope of the ISMS, and the owners of those assets;
• Identification of the business, legal and contractual requirements that are relevant to the identified assets;
• Valuation of the identified assets, taking into account confidentiality, integrity and availability (CIA);
• Identification of the threats to the identified assets;
• Identification of the vulnerabilities that might be exploited by those threats;
• Analysis of the impacts that losses of confidentiality, integrity and availability may have on each of the assets in each of their business, legal and contractual contexts;
• Assessment of the ‘realistic likelihood’ of these impacts occurring;
• Estimation of the risks to the assets, using these factors.
Risk treatment is the process of acting upon the identified risks. Required by the ISO 27001 standard, a risk treatment plan identifies the appropriate management action, responsibilities and priorities for managing information security risks.
At the heart of this plan is a detailed schedule, which shows for each identified asset:
• Each threat-vulnerability relationship and the associated risk level (from the risk assessment tool);
• The gap between the assessed risk and the acceptable level of risk;
• How the organisation has decided to treat the risk (accept, reject, control, transfer);
• The control gap analysis (what controls are already in place and their nature, and what additional controls are considered necessary, and their nature);
• The resources required for the task;
• The timeframe for implementing the controls.
The risk treatment plan links risk assessment to the identification and design of appropriate controls, so that the board-defined approach to risk is implemented, tested and improved.
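The assessment steps and the treatment schedule above can be worked through as a small risk register. The following is an added example, not from the article or any ISO 27001 tooling; the 1..5 scoring scale, the multiplicative risk level, the acceptance threshold and the decision rule mapping risk to accept, reject, control or transfer are all assumptions, and the register entries are constructed.

```python
from dataclasses import dataclass, field

# Assumed scoring scheme (the article fixes none): likelihood and impact are each
# scored 1..5, risk level = likelihood x impact, and the board sets the acceptable level.
SCALE = range(1, 6)
ACCEPTABLE_RISK = 6  # constructed board-defined acceptance level

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int   # 1 = rare .. 5 = almost certain
    impact: int       # worst loss across confidentiality, integrity, availability: 1..5
    existing_controls: list = field(default_factory=list)

    def __post_init__(self):
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.asset}: likelihood and impact must be in 1..5")

def risk_level(r: Risk) -> int:
    return r.likelihood * r.impact

def treatment_gap(r: Risk, acceptable: int = ACCEPTABLE_RISK) -> int:
    """Distance between the assessed risk and the acceptable level; 0 means acceptable."""
    return max(0, risk_level(r) - acceptable)

def decide_treatment(r: Risk, acceptable: int = ACCEPTABLE_RISK) -> str:
    """Hypothetical decision rule over the four options: accept, reject, control, transfer."""
    if risk_level(r) <= acceptable:
        return "accept"
    if r.impact == 5 and r.likelihood >= 4:
        return "reject"    # avoid the activity that creates the risk
    if r.impact == 5:
        return "transfer"  # e.g. insurance or an outsourced provider
    return "control"       # select additional controls to close the gap

def treatment_plan(risks, acceptable: int = ACCEPTABLE_RISK) -> list:
    # One schedule row per threat-vulnerability pair, ordered by gap (priority first).
    rows = [{"asset": r.asset, "threat": r.threat, "vulnerability": r.vulnerability,
             "risk": risk_level(r), "gap": treatment_gap(r, acceptable),
             "treatment": decide_treatment(r, acceptable),
             "existing_controls": r.existing_controls} for r in risks]
    return sorted(rows, key=lambda row: row["gap"], reverse=True)

# Constructed sample register
REGISTER = [
    Risk("customer database", "ransomware", "unpatched file server", 2, 5, ["offline backups"]),
    Risk("payment gateway", "card fraud", "no transaction monitoring", 4, 5),
    Risk("public website", "defacement", "weak admin password", 3, 3),
    Risk("office printer", "hardware failure", "ageing device", 2, 1),
]
```

Calling `treatment_plan(REGISTER)` yields the schedule rows with the largest gap first, which is the priority order the treatment plan needs.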
For any organisation this two-phase process is crucial: it prepares, assesses and maintains the security of each information asset. Thanks to RA and RT, organisations can ensure smooth management of potential risks and enable effective trade, which is a core element of business today.