Perform a Risk Analysis

Your risk analysis can be very simple or very detailed. Everything depends on the size of your organization, the complexity of the projects and the sensitivity of the data that you handle. However, do not underestimate the work involved: even if a project appears simple, the associated risks can be significant, and project size is not a reliable indicator of risk. To check the accuracy and completeness of your risk analysis, have it reviewed by several people in different roles in your organization.

The result of your risk analysis will influence, amongst other things, your security plan. To arrive at that plan, prioritize the security measures that need to be established, taking your top business priorities into account, so that you end up with an implementation plan that management can approve.

An information security risk assessment is the process of identifying and prioritizing security risks. The risk assessment will often be asset based, whereby risks are assessed relative to your information assets.

Before we can perform a risk assessment, we need to choose a risk assessment methodology. Choosing the correct methodology for your organisation is essential, because it defines the rules by which you will perform the assessment. The methodology needs to settle four issues: the baseline security criteria, the risk scale (how impact and likelihood are measured), the risk appetite (the level of risk the organisation is willing to accept without treatment), and whether the assessment is scenario-based or asset-based.

For each asset that we identified earlier, and for each threat and vulnerability we assessed against it, we assign an impact value and a likelihood value for the risk occurring. Combining the two on the agreed risk scale gives the risk level, which is then compared against the risk appetite.

The outcome of the risk assessment will be the basis for our Security Plan and will help us prioritize the security measures we want to implement.
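The scoring and prioritization steps above, worked through as a small asset-based risk register. This is an added example, not part of the original text: the five-point impact and likelihood scales, the `impact x likelihood` scoring, the risk bands, the appetite threshold of 8 and the sample register entries are all assumptions chosen for illustration; a real methodology fixes its own scales and appetite before any scoring starts.

```python
"""Asset-based risk assessment: score each asset/threat pair by impact x likelihood
and prioritize the result against a risk appetite.

Added example. The scales, bands, appetite and sample register are assumptions
for illustration only, not values from the original text.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Ordinal scales fixed by the methodology before any scoring starts (assumed).
IMPACT_SCALE = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}
LIKELIHOOD_SCALE = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}

# Risk appetite: the highest score the organisation accepts without treatment (assumed).
RISK_APPETITE = 8

# Bands for labelling scores on the 1..25 product scale (assumed).
RISK_BANDS = ((15, "critical"), (10, "high"), (5, "medium"), (1, "low"))


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    impact: int
    likelihood: int

    def __post_init__(self) -> None:
        # Reject values outside the agreed scales so every entry stays comparable;
        # mixed scales are the most common way a register becomes meaningless.
        if self.impact not in IMPACT_SCALE:
            raise ValueError(f"impact {self.impact} not on scale {sorted(IMPACT_SCALE)}")
        if self.likelihood not in LIKELIHOOD_SCALE:
            raise ValueError(f"likelihood {self.likelihood} not on scale {sorted(LIKELIHOOD_SCALE)}")

    @property
    def score(self) -> int:
        # Risk level as the product of impact and likelihood.
        return self.impact * self.likelihood


def risk_band(score: int) -> str:
    """Map a numeric score to its qualitative band."""
    for threshold, name in RISK_BANDS:
        if score >= threshold:
            return name
    return "low"


def prioritize(register: List[Risk], appetite: int = RISK_APPETITE) -> List[Risk]:
    """Risks above the appetite, highest score first.

    Ties are broken by impact so that a severe but infrequent event is not
    pushed below a frequent nuisance with the same product."""
    above = [r for r in register if r.score > appetite]
    return sorted(above, key=lambda r: (r.score, r.impact), reverse=True)


def treatment_plan(register: List[Risk], appetite: int = RISK_APPETITE) -> List[Tuple[str, str, int, str, str]]:
    """One row per risk: (asset, threat, score, band, decision), ordered for the security plan."""
    rows = []
    for r in sorted(register, key=lambda r: (r.score, r.impact), reverse=True):
        decision = "treat" if r.score > appetite else "accept"
        rows.append((r.asset, r.threat, r.score, risk_band(r.score), decision))
    return rows


# Constructed sample register; assets, threats and values are illustrative only.
SAMPLE_REGISTER = [
    Risk("Customer database", "External attacker exfiltrates records", "Web app does not validate input", impact=5, likelihood=3),
    Risk("Customer database", "Ransomware encrypts data", "Backups never restore-tested", impact=5, likelihood=2),
    Risk("Staff laptops", "Device theft", "No full-disk encryption", impact=3, likelihood=4),
    Risk("Public website", "Defacement", "Outdated CMS plugins", impact=2, likelihood=4),
    Risk("Office printer", "Local misuse", "Default admin password", impact=1, likelihood=3),
]

if __name__ == "__main__":
    for asset, threat, score, band, decision in treatment_plan(SAMPLE_REGISTER):
        print(f"{score:>2} {band:<8} {decision:<6} {asset}: {threat}")
```

Run as a script it prints the register ordered by score with the treat/accept decision for each row; the rows marked `treat` are the ones that feed the security plan, in priority order. Note that the appetite is applied as a strict threshold: the website defacement entry scores exactly 8 and is accepted, which is the kind of boundary decision the methodology should state explicitly and reviewers should check.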