Risk assessment tips for smaller companies

I have seen quite a lot of smaller companies (up to 50 employees) trying to apply risk assessment tools as part of their ISO 27001 implementation project. The result is that it usually takes too much time and money with too little effect.

First of all, what actually is risk assessment, and what is its purpose? Risk assessment is a process in which an organization identifies its information security risks and determines their likelihood and impact. Plainly speaking, the organization should recognize all the potential problems with its information, how likely they are to occur and what the consequences might be. The purpose of risk assessment is to find out which controls are needed in order to decrease the risk – the selection of controls is called risk treatment, and in ISO 27001 they are chosen from Annex A, which specifies 133 controls.
Risk assessment is carried out by identifying and evaluating assets, vulnerabilities and threats. An asset is anything that has value to the organization – hardware, software, people, infrastructure, data (in various forms and media), suppliers and partners, etc. A vulnerability is a weakness in an asset, process, control, etc., which could be exploited by a threat; a threat is any cause that can inflict damage on a system or organisation. An example of a vulnerability is the lack of anti-virus software; a related threat is a computer virus.
Knowing all this, if your organization is small, you don’t really need a sophisticated tool to perform the risk assessment. All you need is an Excel spreadsheet, good catalogues of vulnerabilities and threats, and a good risk assessment methodology. The main job is really to evaluate likelihood and impact, and that cannot be done by any tool – it is something your asset owners, with their knowledge of their assets, have to think about.
So, where do you get the catalogues and the methodology? If you are using the services of a consultant, he/she should provide them; if not, there are a few free catalogues available on the Internet, and a Google search will find them. The methodology is not available for free, but you could use the ISO 27005 standard (it describes risk assessment and treatment in detail), or buy one from one of the websites that sell such methodologies. All this should take considerably less time and money than buying a risk assessment tool and learning how to use it.
A good methodology should contain a method for identifying assets, threats and vulnerabilities, tables for scoring likelihood and impact, a method for calculating the risk, and a definition of the acceptable level of risk. Catalogues should contain at least 30 vulnerabilities and 30 threats; some contain even a few hundred of each, but that is probably too much for a small company.
The process is really not complicated – here are the basic steps for assessment and treatment:
1. define and document the methodology (including the catalogues), and distribute it to all asset owners in the organization
2. organize interviews with all the asset owners during which they identify their assets and the related vulnerabilities and threats; in a second round, ask them to evaluate the likelihood and the impact should each particular risk occur
3. consolidate the data in a single spreadsheet, calculate the risks and indicate which risks are not acceptable
4. for each risk that is not acceptable, choose one or more controls from Annex A of ISO 27001 – then calculate what the new level of risk would be after those controls are implemented
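As an added worked example (not from the article), here is the spreadsheet logic of steps 3 and 4 in Python: the 1..5 scoring scale, the acceptable-risk threshold, how much each control is assumed to lower a risk, and the sample rows are all assumptions; the Annex A references follow the ISO 27001:2005 numbering, the edition with the 133 controls the article mentions.

```python
from dataclasses import dataclass, field

# Assumed scoring (the article leaves the scale to your methodology): likelihood and
# impact are scored 1..5, risk is their product, and anything above ACCEPTABLE_RISK is treated.
ACCEPTABLE_RISK = 9

@dataclass
class Control:
    annex_ref: str              # Annex A reference, ISO 27001:2005 numbering
    likelihood_delta: int = 0   # assumed reduction of likelihood
    impact_delta: int = 0       # assumed reduction of impact

@dataclass
class Risk:
    asset: str                  # one row of the consolidated spreadsheet
    vulnerability: str
    threat: str
    likelihood: int             # 1..5, estimated by the asset owner
    impact: int                 # 1..5, estimated by the asset owner
    controls: list = field(default_factory=list)

    def inherent(self) -> int:
        return self.likelihood * self.impact

    def residual(self) -> int:
        # Controls lower likelihood and/or impact, never below 1: treatment reduces a risk.
        lik = max(1, self.likelihood - sum(c.likelihood_delta for c in self.controls))
        imp = max(1, self.impact - sum(c.impact_delta for c in self.controls))
        return lik * imp

def treatment_register(risks, threshold=ACCEPTABLE_RISK):
    """Steps 3 and 4: flag risks above the acceptable level and record the residual risk."""
    rows = []
    for r in risks:
        treat = r.inherent() > threshold
        residual = r.residual() if treat else r.inherent()
        rows.append({"asset": r.asset, "threat": r.threat, "inherent": r.inherent(),
                     "treat": treat, "controls": [c.annex_ref for c in r.controls],
                     "residual": residual, "acceptable": residual <= threshold})
    return rows

# Constructed sample data; the first row mirrors the article's virus example.
SAMPLE_RISKS = [
    Risk("sales laptops", "no anti-virus software", "computer virus", 4, 4,
         [Control("A.10.4.1", likelihood_delta=3)]),  # controls against malicious code
    Risk("file server", "no backups", "disk failure", 2, 5,
         [Control("A.10.5.1", impact_delta=3)]),      # information back-up
    Risk("office printer", "shared room", "paper jam", 2, 3),  # acceptable as-is
]
```

Each dictionary in the returned list is one row of the risk treatment table; a risk whose residual value is still above the threshold needs further controls or a documented acceptance by management.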
To conclude: risk assessment and treatment really are the foundation of information security and of ISO 27001, but that does not mean they have to be complicated. You can do them in a simple way, and your common sense is what really counts.


Posted on 07/07/2010 by dkosutic
