For many if not most organisations information security risk management is a new and relatively immature activity that they are still discovering and learning more about. This can mean that the results of the activity can be imperfect. As we learn we can improve the process to better fit the requirements of the organisation but in the meantime we need the ability to deal with flawed results. Some might even go a step further and propose that most risk management methods are inherently flawed and don’t go far enough to investigate and measure the root causes of risks.
If we are conscious that this may happen then we can anticipate and react. Being able to quickly adjust the process to get results that work for your organisation is especially important in information security where the risks, threads and vulnerabilities are rapidly changing and emerging. It’s not helpful if the only way to amend the risk management process is though a periodic review of it’s effectiveness by top management (ISO/IEC 27001:2013 9.3e).
ISO 27005 and ISO 31000 set out some ideas for how an organisation can improve upon this. The entire risk management process runs in parallel to a process of monitoring and review, and checkpoints provide quick feedback and sanity checks after each stage of the process. If the results aren’t working for your organisation then these provide the opportunity to revisit your risk context, attitude and management process and correct any problems. This is in contrast to the periodic review where you have already invested a large amount of time and effort into any mistakes.
Some checkpoints for review:
- Risk Identification – do you think you’ve identified and captured enough of the spectrum of risk to adequately manage the information security risk to your organisation? It can be useful to double check and compare the identified risks against the context and against each other. Do any identified vulnerabilities and threats extend to other assets? Does a particular scenario also apply in other areas?
- Risk Evaluation – are the values you are measuring actually providing a useful insight? Are you making full use of the measures defined in your risk management process? If all your risks are equally likely, is that a true and useful output or does the measure need reviewing?
- Risk Assessment – do the resulting measures of risk allow you to differentiate between the risks in a way that helps you manage and prioritise them? It’s possible that all the risks you face are extremely high, but it’s also possible that your risk attitude was not what you thought it was. It’s valuable to revisit the context and risk attitude again.
- Risk Treatment – does your proposed risk treatment plan actually help your organisation achieve it’s objectives? Would implementing the resulting controls be achievable, affordable and fit with your organisational culture? If not, what part of the process lead you to incorrect results?