Information Security Principle 6

Principle 6 - Risk assessments determining appropriate controls to reach acceptable levels of risk 

The next principle for effective information security is to conduct risk assessments and then determine controls to reach an acceptable level of risk.  One of the best processes for managing risk comes from the ISO 31000:2009 standard (ISO 31000:2009 Risk management— Principles and Guidelines). 

This process involves four steps:

1. Determining the context of your business

   This involves determining the objectives of your business, the scope of what you want to manage, identifying which interested parties are involved, and deciding on which risk evaluation process you will use.  This list is a very useful way to work out the context, but it’s not exhaustive - to be rigorous I suggest that you purchase ISO 31000 to get a comprehensive understanding.

2. Conduct a risk assessment

   Risk assessment can be split into three sub-processes
   1. Risk identification
   2. Risk analysis
   3. Risk Evaluation
   
   The aim of risk identification is to “generate a comprehensive list of risks based on those events that might create, enhance, prevent, degrade, accelerate or delay the achievement of objectives.” The risk analysis sub-process is where you develop a deep understanding of the risk.  With deep understanding you can determine if the risks need to be treated.

3. Treating the risks with some controls

   This is where you determine the “level of risk”. Then you compare the level of risk with the risk criteria established when the context was considered (see step 1).  If this level of risk is unacceptable then you need to work out some treatments and controls that if implemented, will reduce the level of risk to acceptable levels.

4. Communicate those controls to your staff and review them frequently.

Learn More:

1. Information Security - Principle 1 - Analysing the Protection of Your Information and then Applying Controls
2. Information Security - Principle 2 - Awareness of the need for information security
3. Information Security - Principle 3 - Assignment of Responsibility for Information Security
4. Information Security - Principle 4 - Incorporating management commitment and the interests of stakeholders
5. Information Security - Principle 5 - Enhancing Societal Values
6. Information Security - Principle 7 - Security incorporated as an essential element of information networks and systems
7. Information Security - Principle 8 - Active prevention and detection of information security incidents
8. Information Security - Principle 9 - Ensuring a comprehensive approach to information security management
9. Information Security - Principle 10 - Continual reassessment of information security and making of modifications as appropriate