Cyber Security Risk Assessments


Why carry out a cyber security risk assessment?

Risk assessment – the process of identifying, analysing and evaluating risk – is the only way to ensure that the cyber security controls you choose are appropriate to the risks your organisation faces.

Without a risk assessment to inform your cyber security choices, you could waste time, effort and resources – there is, after all, little point implementing measures to defend against events that are unlikely to occur or won’t have much material impact on your organisation.

It is also possible that you will underestimate or overlook risks that could cause significant damage to your organisation. As the UK government’s Cyber security breaches survey 2017 noted, data breaches are “common even among businesses who do not consider cyber security to be a priority, or who may not think they are exposed to risk.”


What does a cyber security risk assessment include?

A cyber security risk assessment identifies the various information assets that could be affected by a cyber attack (such as hardware, systems, laptops, customer data and intellectual property), and then identifies the various risks that could affect those assets.

A risk estimation and evaluation is usually performed, followed by the selection of controls to treat the identified risks. It is important to continually monitor and review the risk environment to detect any changes in the context of the organisation, and to maintain an overview of the complete risk management process.


ISO 27001 and cyber risks

The international standard ISO/IEC 27001:2013 (ISO 27001) provides the specifications of a best-practice ISMS (information security management system) – a risk-based approach to corporate information security risk management that addresses people, processes and technology.

Clause 6.1.2 of the Standard sets out the requirements of the information security risk assessment process. Organisations must:

  • Establish and maintain certain information security risk criteria.
  • Ensure that repeated risk assessments “produce consistent, valid and comparable results”.
  • Identify “risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system”, and identify the owners of those risks.
  • Analyse and evaluate information security risks, according to the criteria established earlier.

It is important that organisations “retain documented information about the information security risk assessment process” so that they can demonstrate that they comply with these requirements.

They will also need to follow a number of steps – and create relevant documentation – as part of the information security risk treatment process.
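As an added illustration of the assessment process described above (example code, not from this page, IT Governance or vsRisk), a minimal Python risk register that fixes the likelihood and impact scales and the acceptance criterion up front, records a risk owner and the confidentiality/integrity/availability property for each risk, and then analyses and evaluates the register against those criteria; the scales, the threshold and the sample risks are constructed.

```python
from dataclasses import dataclass

# Risk criteria fixed up front: the same scales apply to every assessment,
# which is what makes repeated results consistent and comparable.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ACCEPTANCE_THRESHOLD = 9   # constructed acceptance criterion: scores above 9 must be treated
CIA = {"confidentiality", "integrity", "availability"}

@dataclass(frozen=True)
class Risk:
    asset: str        # information asset affected (laptop, customer database, ...)
    owner: str        # the risk owner the Standard requires you to identify
    property: str     # which of confidentiality, integrity, availability is at risk
    scenario: str     # how the loss could occur
    likelihood: str   # label from LIKELIHOOD
    impact: str       # label from IMPACT

def score(risk):
    """Risk analysis: likelihood x impact on the fixed scales; labels outside
    the agreed scales are rejected rather than guessed at."""
    if risk.property not in CIA:
        raise ValueError(f"{risk.asset}: property must be one of {sorted(CIA)}")
    try:
        return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]
    except KeyError as exc:
        raise ValueError(f"{risk.asset}: unknown scale label {exc}") from None

def evaluate(register):
    """Risk evaluation: compare each score with the acceptance criterion and
    return the register highest score first, ready for a prioritised treatment plan."""
    rows = [{"asset": r.asset, "owner": r.owner, "property": r.property,
             "score": score(r), "treat": score(r) > ACCEPTANCE_THRESHOLD}
            for r in register]
    return sorted(rows, key=lambda row: row["score"], reverse=True)

# Constructed sample register for a small organisation (not real assessment data)
SAMPLE_REGISTER = [
    Risk("customer database", "Head of Sales", "confidentiality",
         "staff credentials phished, records exfiltrated", "possible", "severe"),
    Risk("staff laptops", "IT manager", "availability",
         "ransomware on an unpatched laptop", "likely", "moderate"),
    Risk("marketing website", "Marketing lead", "integrity",
         "defacement through an outdated CMS plugin", "unlikely", "minor"),
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_REGISTER):
        print(row)
```

Keeping the scales, threshold and register under version control gives the "documented information about the risk assessment process" the Standard asks for, and re-running the evaluation after a change in context shows exactly which risks crossed the acceptance line.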


The UK government’s Cyber Essentials scheme

Even if you have implemented an ISO 27001-compliant ISMS, you may want to check if your cyber security hygiene is up to standard with the UK government’s guidelines. The Cyber Essentials scheme provides a set of five controls that organisations can implement to achieve a basic level of cyber security.



IT Governance risk assessment services

Conducting a risk assessment to determine the likelihood and effect of cyber security incidents is a complex process that requires considerable planning, specialist knowledge and stakeholder buy-in to appropriately cover all people-, process- and technology-based risks. Without expert guidance, this can only be worked out through trial and error.

IT Governance provides a range of risk assessment and cyber security consultancy services to suit all needs:


  • Cyber Health Check

    IT Governance’s fixed-price, three-phase Cyber Health Check combines consultancy and audit, remote vulnerability assessments and an online staff survey to assess your cyber risk exposure and identify a practical route to minimise your risks. Our approach will identify your actual cyber risks, audit the effectiveness of your responses to those risks, analyse your real risk exposure and then create a prioritised action plan for managing those risks in line with your business objectives.



  • Risk assessment software

    The risk assessment software tool vsRisk™ has been proven to save huge amounts of time, effort and expense when tackling complex risk assessments. Fully compliant with ISO 27001, vsRisk streamlines the risk assessment process to deliver consistent and repeatable cyber security risk assessments every time.

    The latest version of vsRisk includes three new functionalities: custom acceptance criteria, a risk assessment wizard and control set synchronisation. You can also now export the asset database in order to populate an asset management system or register.



Why use IT Governance?

IT Governance has a wealth of experience in the cyber security and risk management domain. As part of our information security work with hundreds of private- and public-sector organisations in all industries, we have been delivering comprehensive risk assessments for more than ten years. All our consultants are qualified and experienced practitioners.

Call us on +44 (0)845 070 1750 today or email servicecentre@itgovernance.co.uk for a no-obligation quote or to arrange a risk assessment.