Information risk management and information assurance
As mentioned previously, information risk management and information assurance are usually implemented by following a standard. The most widely used is ISO/IEC 27005, which defines the following key processes.
The first process is to establish the context for risk management. In establishing the context we determine who is responsible for the process, what the process is meant to achieve, what level of risk the organisation is willing to accept (its risk acceptance criteria), and similar matters.
The risk assessment process has three sub-processes: risk identification, where we identify the security risks the organisation is likely to face; risk analysis, where we estimate the likelihood and the impact of each risk to arrive at a level of risk; and risk evaluation, where we compare those risk levels against the acceptance criteria set when establishing the context, to decide which risks need treatment and in what order of priority.
After we have evaluated the risks we have to decide on some form of risk treatment. This can take the form of:
- Risk modification: we introduce, remove or modify risk controls* to bring the risk down to an acceptable level
- Risk retention: if the risk is already at or below the acceptable level, no further action is needed beyond recording the decision to retain it
- Risk avoidance: do not do the thing that causes the risk, for example by withdrawing from the activity or not deploying the system
- Risk sharing: employ a third party to take on part of the risk, for example contracting another organisation to filter email
* A control is anything we can do that changes the security properties of a particular asset. For instance, we could add a rule to the firewall or introduce stronger password requirements.
Information assurance and information security compliance
Information assurance and information security compliance often require more active auditing of the IT system. From a technical perspective this can include conducting penetration tests on our own systems. These are often the easiest checks to carry out, but on their own they tell us only which weaknesses were exploitable at the time of the test, not whether our risk management processes are working. To obtain the full picture we must review, or have reviewed, our compliance and assurance policies and processes to ensure that they are fit for purpose and meet the organisation's needs. Ideally this review is part of an ongoing programme of improvement.
BSI (2018) ISO/IEC 27005:2018 Information Technology. Security Techniques. Information Security Risk Management. [online] available from https://bsol.bsigroup.com/Bibliographic/BibliographicInfoData/000000000030372032 [30 July 2019]
© Coventry University. CC BY-NC 4.0