Information security risk assessment

Information security risk assessment and management
Every change, even a positive one, modifies the risk environment: new threats appear, new assets must be registered for protection, and the way existing assets are managed changes, so the risk map must be adapted to the new business requirements. Such positive changes that give rise to new risks include the acquisition, adaptation, development or introduction of a new application system, the revision of an existing system, or a transition to new software (operating system, database management system, etc.) or to a new hardware platform. Even infrastructure changes originally designed to improve performance or cost effectiveness may have unexpected consequences. Likewise, the introduction of a new network communication system may bring certain disadvantages if the objectives of the information strategy and the consequences for information security are not harmonised and consistently matched. Conversely, a system that has remained unchanged because it has proved secure over the years will not necessarily continue to function properly, since new threats or requirements may appear.

We can develop a new risk assessment methodology that takes into account the strategic and business requirements set by your senior management, review your current methodology against the new environment, or carry out a risk assessment. We develop the methodology and perform the risk assessment drawing on our many years of experience, our continually expanding database of known threats, and a proven methodology for analysing application systems. Although risk assessment techniques are unique to almost every organization, on request we can ensure that the methodology we design is compatible with the ISO27001 requirements or other (international) recommendations.

For organizations holding an ISO27001 certificate, the standard requires information security risk assessments to be carried out on a regular basis. In such an organization, continuous risk management activities ensure that the expected information security level and the results achieved in information security are maintained.

Methodology:
  • context establishment,
  • understanding internal needs,
  • designing, analyzing or reviewing a risk management methodology and policy,
  • questionnaire-based (personal) survey,
  • preparing or updating an asset map,
  • information security risk assessment,
  • identifying risks to be managed,
  • cost estimation,
  • preparing a risk management action plan.
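The steps above, from asset map through risk assessment, selection of risks to manage, cost estimation and action plan, can be illustrated with a small risk register. The following is an added example written for this page, not the consultancy's own tool or methodology; the likelihood-times-impact scoring, the 1 to 5 scales, the risk appetite threshold and all asset, threat and cost figures are constructed assumptions. It also shows the point made at the top of the page: when a new system is introduced, the asset map and the register are updated and the action plan is re-derived rather than left as it was.

```python
from __future__ import annotations
from dataclasses import dataclass

# Added example, not code from the page. Scoring scheme and data are assumptions.


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str          # accountable owner from the asset map


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: int     # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int         # assumed scale: 1 (negligible) .. 5 (severe)
    treatment: str      # proposed control
    treatment_cost: int  # constructed annual cost, arbitrary currency units

    @property
    def score(self) -> int:
        # Assumed scoring: likelihood x impact, range 1..25.
        return self.likelihood * self.impact


RISK_APPETITE = 8  # assumed threshold: scores above this must be treated


def build_asset_map() -> list[Asset]:
    """Step 'preparing or updating an asset map' (constructed inventory)."""
    return [
        Asset("Customer database", "Head of Sales"),
        Asset("Payroll system", "Head of HR"),
        Asset("Public web server", "IT Operations"),
    ]


def assess_risks(assets: list[Asset]) -> list[Risk]:
    """Step 'information security risk assessment': one entry per asset/threat pair.

    Only assets present in the asset map are assessed, so a stale entry for a
    system that no longer exists is dropped rather than carried forward.
    """
    known = {a.name for a in assets}
    register = [
        Risk("Customer database", "unauthorised bulk data export", 3, 5,
             "least-privilege database roles and export logging", 12000),
        Risk("Payroll system", "unpatched software exploited", 2, 4,
             "monthly patch cycle", 4000),
        Risk("Public web server", "denial of service", 4, 2,
             "upstream rate limiting", 6000),
        Risk("Public web server", "web application compromise", 3, 4,
             "code review and web application firewall", 15000),
        Risk("Legacy file share", "data leak", 5, 5,
             "(decommissioned, no treatment needed)", 0),
    ]
    return [r for r in register if r.asset in known]


def risks_to_manage(risks: list[Risk], appetite: int = RISK_APPETITE) -> list[Risk]:
    """Step 'identifying risks to be managed': everything above the appetite."""
    return [r for r in risks if r.score > appetite]


def estimate_cost(risks: list[Risk]) -> int:
    """Step 'cost estimation': total cost of the selected treatments."""
    return sum(r.treatment_cost for r in risks)


def action_plan(risks: list[Risk], appetite: int = RISK_APPETITE) -> list[tuple[str, str, int, str]]:
    """Step 'preparing a risk management action plan'.

    Highest score first; among equal scores the cheaper treatment comes first.
    """
    selected = sorted(risks_to_manage(risks, appetite),
                      key=lambda r: (-r.score, r.treatment_cost))
    return [(r.asset, r.threat, r.score, r.treatment) for r in selected]


def reassess_after_change(assets: list[Asset], risks: list[Risk],
                          new_asset: Asset, new_risks: list[Risk]) -> list[tuple[str, str, int, str]]:
    """Re-run the cycle after a change (e.g. a new system is introduced).

    The new asset joins the asset map, its threats join the register, and the
    action plan is derived again instead of reusing the old one.
    """
    updated_assets = assets + [new_asset]
    updated_risks = [r for r in risks + new_risks
                     if r.asset in {a.name for a in updated_assets}]
    return action_plan(updated_risks)


if __name__ == "__main__":
    assets = build_asset_map()
    risks = assess_risks(assets)
    for line in action_plan(risks):
        print(line)
    print("treatment budget:", estimate_cost(risks_to_manage(risks)))
```

Running the module prints the prioritised plan for the constructed register and the budget needed for the selected treatments; the test below exercises the same functions, including the re-assessment after a new cloud service is added to the asset map.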