Risk Assessment Methodology in ISMS
An Information Security Management System (ISMS) is one of the most essential aspects of an organization. Now that most communication is electronic and files are stored online, ensuring that your systems are secure is absolutely vital. Criminals and other attackers are constantly probing your systems. They are seeking business secrets, financial information, customer credit card numbers and many other kinds of data. They may simply be trying to hijack your systems and hold them for ransom (typically demanding payment in a cryptocurrency such as bitcoin). For that reason, all firms should conduct a thorough ISMS risk assessment.
First and foremost, it is necessary to establish the team that will carry out the risk assessment. A few key people must be involved:
CIO – The CIO runs the risk assessment team and outlines the key areas which must be covered.
Developers or IT Staff – These personnel go through the code, logs, change history and systems at the request of the CIO. They produce the evidence that the analysts will comb through.
Compliance or Legal – The legal and compliance staff ensure that the risk assessment accords with all applicable laws and regulations. They also make sure that the firm is protected from other legal liability, such as exposure to a civil lawsuit.
CEO – The CEO or President must review the assessment when it is complete and point out any areas that may have been overlooked. They must also commit the time and resources required to implement the recommendations of the assessment.
Once the team is assembled, the risk assessment can begin. The CIO is accountable for outlining the key areas of the assessment that are particular to the firm. That said, there are a few areas that every company must deal with.
Firstly, companies need robust anti-spam and anti-malware protection installed on every device. The company needs to know which solutions have been installed, on how many devices, and which devices are unprotected or out of date. It also needs to know whether any devices have been compromised or documents stolen.
Secondly, the company needs an encrypted network with different levels of access. Personnel should be granted only the access their role requires, authenticate with individual credentials, and verify their identity with a second factor (for example, a code or prompt on a separate device). Passwords should be changed whenever compromise is suspected; scheduled rotation on its own is no longer recommended by current guidance such as NIST SP 800-63B.
There are a number of other security concerns, depending on the physical location, network and corporate structure, which must also be considered.
After the CIO prepares the list of possible risks, they instruct their staff to carry out a thorough check of all systems. The IT staff and developers are responsible for gathering all the relevant information and organizing it.
Once the information is aggregated, analysts review the data to establish the true state of the company's security. They then write the actual risk assessment report based on their findings. Next, the legal or compliance team reads the analyst report, contributes edits and adds any additional risks from a compliance standpoint.
The draft risk assessment is now complete and ready to go to the CIO, who reviews it in depth and adds their own risks or contributions.
Finally, the CEO reads the report and implements its recommendations. They may need board approval for any major expenditure. However, the CEO is ultimately accountable, and in many jurisdictions legally responsible, for implementing the measures that will prevent a major breach or loss of private data.
For more information on ISMS, please contact Sustainable Certification Pty Ltd.