Cyber threats are constantly evolving. The most effective way to protect your organisation against cyber attacks is to adopt a risk-based approach to cyber security, where you regularly review your risks and whether your current measures are appropriate.
A risk-based approach means the cyber security measures you implement are based on your organisation’s unique risk profile, so you will not waste time, effort or expense addressing unlikely or irrelevant threats.
IT Governance can help you develop a cyber threat management strategy, enabling you to take a systematic approach to managing your security challenges.
Find out more about cyber security and see our full range of cyber security products and services
Speak to a cyber security expert
If you would like to know more about how cyber risk management will help your compliance projects, contact our experts on +44 (0)1474 556 685 or request a call back using the form below. Our team is ready and waiting with practical advice.
The cyber risk management process
Although specific methodologies vary, a risk management programme typically follows these steps:
- Identify the risks that might compromise your cyber security. This usually involves identifying cyber security vulnerabilities in your system and the threats that might exploit them.
- Analyse the severity of each risk by assessing how likely it is to occur, and how significant the impact might be if it does.
- Evaluate how each risk fits within your risk appetite (your predetermined level of acceptable risk).
- Prioritise the risks.
- Decide how to respond to each risk. There are generally four options:
  - Treat – modify the likelihood and/or impact of the risk, typically by implementing security controls.
  - Tolerate – make an active decision to retain the risk (e.g. because it falls within the established risk acceptance criteria).
  - Terminate – avoid the risk entirely by ending or completely changing the activity causing the risk.
  - Transfer – share the risk with another party, usually by outsourcing or taking out insurance. Note that transferring a risk shares its financial consequences; it does not remove your organisation’s accountability for it.
- Since cyber risk management is a continual process, monitor your risks to make sure they are still acceptable, review your controls to make sure they are still fit for purpose, and make changes as required. Remember that your risks are continually changing as the cyber threat landscape evolves, and your systems and activities change.
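The steps above, worked through as a small risk register in Python. This is an added illustration, not IT Governance’s own method or tooling: the 5×5 likelihood-by-impact scoring, the appetite threshold of 9, and every register entry (names, owners, scores) are constructed assumptions to be replaced with your organisation’s own risk criteria and real risks. It scores each risk, prioritises the register, and checks that the chosen response is consistent with the appetite: a risk can only be tolerated if it already sits within the appetite, and a planned treatment must bring the residual score within it.

```python
"""Risk register walk-through: score, evaluate against appetite, prioritise,
and check the chosen response (treat / tolerate / terminate / transfer).

Added example, not IT Governance's own method. The 1-5 scales, the appetite
threshold and all register entries are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

RESPONSES = ("treat", "tolerate", "terminate", "transfer")  # the four options


@dataclass
class Risk:
    name: str
    owner: str                      # every risk needs an owner
    likelihood: int                 # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                     # 1 (negligible) .. 5 (severe), assumed scale
    response: str                   # one of RESPONSES
    residual_likelihood: Optional[int] = None   # expected values after treatment
    residual_impact: Optional[int] = None

    def inherent_score(self) -> int:
        """Analyse: severity = likelihood x impact (assumed scoring rule)."""
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        """Expected score once the chosen response has been applied."""
        if self.response == "treat":
            lik = self.residual_likelihood if self.residual_likelihood is not None else self.likelihood
            imp = self.residual_impact if self.residual_impact is not None else self.impact
            return lik * imp
        if self.response == "terminate":
            return 0  # the activity stops, so the risk no longer arises
        # tolerate and transfer leave likelihood and impact unchanged in this model
        return self.inherent_score()


def prioritise(risks: List[Risk]) -> List[str]:
    """Prioritise: highest inherent score first; ties broken by higher impact."""
    ordered = sorted(risks, key=lambda r: (r.inherent_score(), r.impact), reverse=True)
    return [r.name for r in ordered]


def review_risk(risk: Risk, appetite: int) -> List[str]:
    """Evaluate the chosen response against the risk appetite; return findings."""
    problems = []
    if not (1 <= risk.likelihood <= 5 and 1 <= risk.impact <= 5):
        problems.append("likelihood and impact must be on the 1-5 scale")
    if risk.response not in RESPONSES:
        problems.append(f"unknown response '{risk.response}'")
        return problems
    if risk.response == "tolerate" and risk.inherent_score() > appetite:
        problems.append("tolerated, but score exceeds the risk appetite")
    if risk.response == "treat":
        if risk.residual_likelihood is None and risk.residual_impact is None:
            problems.append("treat chosen, but no residual likelihood/impact recorded")
        elif risk.residual_score() > appetite:
            problems.append("planned treatment still leaves the risk above appetite")
    return problems


def review_register(risks: List[Risk], appetite: int) -> Dict[str, List[str]]:
    """Monitor/review: every risk in the register with any findings against it."""
    return {r.name: review_risk(r, appetite) for r in risks}


def build_register() -> List[Risk]:
    """Constructed sample register; names, owners and scores are illustrative."""
    return [
        Risk("Unpatched internet-facing VPN appliance", "Head of IT", 4, 5, "treat", 1, 5),
        Risk("Phishing leads to credential theft", "CISO", 5, 3, "treat", 2, 3),
        Risk("Laptop lost in transit", "Facilities", 3, 2, "tolerate"),
        Risk("Legacy file share on end-of-life OS", "Head of IT", 4, 4, "tolerate"),
        Risk("Public FTP server for customer uploads", "Ops manager", 3, 4, "terminate"),
    ]


if __name__ == "__main__":
    APPETITE = 9  # assumed: scores above 9 fall outside the board's risk appetite
    register = build_register()
    for name in prioritise(register):
        print(name)
    for name, findings in review_register(register, APPETITE).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

Run as a script it lists the register in priority order and then flags the one inconsistent entry: the legacy file share scores 16 but has been marked as tolerated, which is above the assumed appetite, so it needs a different response or an explicit, documented exception. The same review run on a schedule is the monitoring step: when a risk’s likelihood or impact changes, or the appetite is revised, the findings change with it.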
The importance of risk management
Risk management is a key requirement of many information security standards and frameworks, as well as laws such as the GDPR (General Data Protection Regulation) and NIS Regulations (Network and Information Systems Regulations 2018).
Standards and frameworks that mandate a cyber risk management approach
ISO/IEC 27001:2013 is the international standard for information security management. Clause 6.1.2 of ISO 27001 requires the information security risk assessment process to:
- Establish and maintain information security risk criteria;
- Ensure that repeated risk assessments produce “consistent, valid and comparable results”;
- “identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system”;
- Identify the owners of those risks; and
- Analyse and evaluate information security risks according to the criteria established earlier.
Learn more about ISO 27001 risk assessments
The NCSC’s 10 steps to cyber security
The NCSC’s (National Cyber Security Centre) 10 steps to cyber security are a set of ten practical steps that organisations can take to improve the security of their networks and the information carried on them. Defining and communicating your board’s information risk management regime is the first of the ten steps and is central to your organisation’s overall cyber security strategy.
The CIS Controls
The CIS (Center for Internet Security) Controls, formerly the 20 Critical Controls for Effective Cyber Defense, are a set of 20 actions, also known as the CSC (critical security controls), that provide specific and actionable ways to stop today’s most pervasive and dangerous attacks.
The PCI DSS
The PCI DSS (Payment Card Industry Data Security Standard) applies to organisations of any size that accept card payments. Protecting digital cardholder data requires adherence to all the PCI DSS data security requirements. There are 12 PCI DSS requirements, which apply to “all system components included in or connected to the cardholder data environment”. Requirements 5 and 6 deal with implementing and maintaining a vulnerability management programme, an essential part of risk management.
IT Governance’s cyber risk management service
Our risk assessment consultancy service includes guidance and advice on developing suitable methods for managing risks in line with the international standard for information security risk management, ISO 27005.
Our service typically includes:
- Establishing internal and external risk context, scope and boundaries, as well as the choice of risk management framework;
- Identifying and assessing risks in terms of their consequences to the business and the likelihood of their occurrence;
- Establishing communication lines with stakeholders to inform them of the likelihood and consequences of identified risks and risk statuses;
- Establishing priorities for risk treatment and acceptance;
- Establishing priorities to reduce the chance of risks occurring;
- Establishing risk monitoring and risk review processes; and
- Educating stakeholders and staff about the risks to the organisation and the actions being taken to mitigate those risks.
Who is the cyber risk management service designed for?
Our risk management consultancy can be delivered to organisations of any size, whether small, medium or large enterprises, and is well suited to environments where the IT infrastructure combines complex legacy systems with newer operating systems whose interoperability is not always seamless.
It is particularly useful to public-sector organisations, such as those that engage with the NHS and HMRC, and to local councils and other government agencies that provide services across different channels to diverse groups of users: the interchange of personal data across different platforms requires greater vigilance and stronger methods of protection.
Why choose IT Governance?
IT Governance specialises in providing best-practice action plans, consultancy services, risk assessment, risk management and compliance solutions with a special focus on cyber security, cyber resilience, data protection and business continuity.
In an increasingly punitive and privacy-focused business environment, we are committed to helping organisations protect themselves and their customers from the perpetually evolving range of cyber threats. Our deep industry expertise and pragmatic approach help our clients improve their defences and make key strategic decisions that benefit the entire business.
IT Governance is recognised under the following frameworks:
- UK government CCS (Crown Commercial Service)-approved supplier of G-Cloud services.
- CREST certified as ethical security testers.
- Certified to:
- Cyber Essentials Plus, the UK government-backed cyber security certification scheme.
- ISO 27001, the world’s most recognised information security standard.
- ISO 9001, the international standard for quality management.
- BS 10012, the British standard for personal information management.
Learn more about our credentials