Risk management is a common phrase in modern business. However, without clear methods for implementing it and connecting it to the everyday work, there is a danger that risk management will remain as a detached, seemingly useless entity for the business.
Information security risk management is one area of risk management that is constantly increasing in importance. Especially with highly digital organisations, it should be at the forefront of risk management.
The idea of this article is to provide a clear operating model for managing information security risks, which extends from identifying the risks to closing them, involving different people in different roles, and monitoring the measures decided in the treatment of risks.
We are viewing the matter mainly from the perspective of the good practices of the ISO 27001 information security standard.
Requirements for information security risk management
Generally, every information security standard or related legislation highlights risk management. ISO 27001 presents its own requirements but similar items are shown in e.g. NIST CSF.
ISO 27001 lists clear requirements for information security risk management:
- 6.1.1: There must be a documented procedure according to which information security risks are identified, evaluated and treated
- 6.1.3c: All controls listed in the ISO 27002 will be taken into account in the risk treatment phase
- 6.1.3d: Statement of Applicability (SoA) is created to summarize the implementation of security controls
The first requirement guides the organisation to implement risk management according to a set of common ground rules. It is already a significant risk if everyone evaluates risks in their own way.
The second item requires the organisation to comprehensively review the controls listed in the ISO 27002. The standard therefore offers more concrete best practices for reducing the likelihood or impact of risks.
The third item requires the organisation to summarize their use of controls clearly: Which of the controls listed in ISO 27002 have we implemented and on what grounds have we left some unimplemented? Through the Statement of Applicability it is possible to get an overall view, even though the actual risk assessment process is mostly implemented from the point of view of an individual risk.
Benefits of a good risk management process
A well-implemented information security risk management process:
- Enhances information security work when the core things are first done effectively and then subsequent progress is prioritized with the help of risk management.
- Directs your attention effectively to the unique aspects of the organisation's own operations in the context of information security work.
- Can easily demonstrate its effectiveness when risk treatment leads to clear actions with assigned responsibilities, timelines and ongoing monitoring of status and progress.
However, it is important to understand that diving straight into risk management may not be advisable if the fundamentals of cyber security are not in place within the organisation. It becomes challenging to identify and evaluate risks when the organisation lacks systematic practices to describe its data processing environment, document assets requiring protection through security measures, and comprehend the existing security measures in place. This is why Cyberday aims to provide established frameworks for all these areas and recommends progressing to risk management after addressing the foundational aspects.
Stages of the risk management process in Cyberday
Implementation of risk management in Cyberday is presented step-by-step below.
1. Identifying risks
New risks can be identified in Cyberday in the following ways:
- Automated cybersecurity risk identification by activating information security tasks. Cyberday includes background information about relevant risks for each task. When a task is activated in Cyberday, the associated risks are automatically added to the risk register.
- Risk identification through incident or change handling. The organisation's processes for handling information security incidents or significant security-impacting changes include risk analysis. The aim is to identify the risks associated with the specific event, which then proceed to the risk evaluation phase. These risks can be entirely new or require re-evaluation because of the event.
- Identifying risks associated with critical assets. If desired, risks can be identified whenever information assets (such as an information system, data repository, or partner) are classified as "Critical" within the management system. This can be under the control of the asset owner. All identified risks are linked to the associated asset through a risk documentation card.
- Workshops using example risks from Cyberday. Cyberday includes a comprehensive list of example information security risks. This list is used to spot overlooked threats and identify new risks. We recommend conducting such workshops when necessary, for example if the other methods described here have not been used in the past 6 months.
2. Pre-processing risks
Once a risk has been identified, the first step is to select a risk owner. In Cyberday, the default automatic selection for new risks is the owner of the Risk Management and Leadership theme. This person should then re-assign the risk to the owner of the corresponding asset if the risk is clearly related to that asset, or to the owner of another security theme if the risk is clearly related to that theme. Delegation is done by assigning the appropriate user as the risk owner on the documentation card.
The initial actions of a risk owner
- Identifying related assets. This is one method that connects risk evaluation and treatment to other parts of the ISMS. Risks can be associated with other assets (such as a data system or a partner) in the "Connected assets on management system" field on the documentation card. If the risk is clearly related to other resources that do not have their own documentation card in the management system, this is described in the "Other associated resources" field.
- Identifying the current tasks that manage the risk. The idea of this point is to understand how much the organization is already doing to manage this risk. Taking these into account is important during the risk evaluation phase. It is critical that the risk evaluation takes place in the same system where cybersecurity measures are monitored.
3. Risk evaluation
In the risk evaluation phase, a numerical value is assigned to the risk based on its potential impact and likelihood. The organisation can choose to use either a narrower (1-3) or broader (1-5) assessment scale based on their own preferences.
Cyberday aims to assist in risk evaluation by asking for quick answers when a high severity or likelihood is not chosen for a risk: the risk may have reduced severity due to the nature of the organisation's operations, or reduced likelihood due to the implementation of effective risk management practices.
Based on the evaluation, the risk level is automatically calculated for each risk. The organisation can define its acceptable risk level and any risks exceeding this level should proceed to the treatment phase, where various measures are implemented to reduce the risk level.
4. Risk treatment
The risk level determined in the evaluation indicates whether risk management should be continued.
If the risk level is within an acceptable range or below it, the risk can be accepted at this stage.
If necessary, risk management continues to the treatment phase, where:
- The appropriate risk treatment option is selected with the help of guidelines.
- More specific measures are determined to reduce the risk level.
The most common choice is to reduce the risk by implementing additional tasks, which improves the organisation's own cybersecurity practices. In this stage, it is critical to list the decided tasks in the same system where risk management is done. This ensures that risk management leads to actual results, which are automatically included in the same monitoring process.
The summary of the decided treatments at the organisational level is called the risk treatment plan. The owner of each individual risk should accept the created treatment plan for the corresponding risk.
5. Risk monitoring and closure
When the planned risk treatment has been implemented, meaning that the assigned owners have confirmed that the tasks are actually completed, the risk can be closed. The risk management process thus ends with a clear result.
A risk may be re-evaluated e.g. when a security incident occurs or when a significant change in the organisation's operations takes place that could increase the impact or likelihood of the risk.
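To make steps 3 to 5 concrete, the following is an added example (not Cyberday's own code or data model) of a minimal risk register entry that goes through evaluation, the acceptable-level check, treatment tasks with owner confirmation, closure, and re-opening after an incident. The level formula (impact multiplied by likelihood), the status and treatment option names, the acceptable level, and the sample risk and tasks are all assumptions for illustration; the article does not state how Cyberday calculates the level.

```python
from dataclasses import dataclass, field
from typing import Optional

# Treatment options used in this example (assumed names, not Cyberday's).
ACCEPT, REDUCE = "accept", "reduce"


@dataclass
class Task:
    """A cybersecurity task decided as a treatment measure.

    The task owner, not the risk owner, confirms it is actually completed."""
    name: str
    owner: str
    completed: bool = False


@dataclass
class Risk:
    title: str
    owner: str                     # risk owner assigned in the pre-processing step
    scale: int = 5                 # 3 -> narrower 1-3 scale, 5 -> broader 1-5 scale
    impact: Optional[int] = None
    likelihood: Optional[int] = None
    treatment: Optional[str] = None
    tasks: list = field(default_factory=list)
    status: str = "identified"     # identified -> evaluated -> treatment -> closed
    log: list = field(default_factory=list)

    def evaluate(self, impact: int, likelihood: int) -> int:
        """Step 3: assign impact and likelihood on the chosen scale; return the level."""
        if self.scale not in (3, 5):
            raise ValueError("scale must be 3 or 5")
        for value in (impact, likelihood):
            if not 1 <= value <= self.scale:
                raise ValueError(f"value {value} is outside 1-{self.scale}")
        self.impact, self.likelihood = impact, likelihood
        self.status = "evaluated"
        self.log.append(("evaluated", self.level()))
        return self.level()

    def level(self) -> int:
        # Assumed formula: impact x likelihood (constructed for this example).
        if self.impact is None or self.likelihood is None:
            raise ValueError("risk has not been evaluated yet")
        return self.impact * self.likelihood

    def decide(self, acceptable_level: int) -> str:
        """Step 4: accept if the level is within the acceptable range, else treat."""
        if self.level() <= acceptable_level:
            self.treatment, self.status = ACCEPT, "closed"
            self.log.append(("accepted", self.level()))
        else:
            self.treatment, self.status = REDUCE, "treatment"
            self.log.append(("treatment", self.level()))
        return self.treatment

    def add_task(self, name: str, owner: str) -> None:
        """Treatment measures are recorded in the same register as the risk."""
        if self.status != "treatment":
            raise ValueError("tasks are decided only in the treatment phase")
        self.tasks.append(Task(name, owner))

    def confirm_task(self, name: str, by: str) -> None:
        """Only the assigned task owner may confirm completion."""
        task = next(t for t in self.tasks if t.name == name)
        if task.owner != by:
            raise PermissionError(f"{by} is not the owner of task {name!r}")
        task.completed = True

    def close(self) -> bool:
        """Step 5: closure requires every decided task to be confirmed complete."""
        if self.status == "treatment" and self.tasks and all(t.completed for t in self.tasks):
            self.status = "closed"
            self.log.append(("closed", self.level()))
            return True
        return False

    def reopen(self, reason: str) -> None:
        """Re-evaluation trigger, e.g. an incident or a significant change."""
        self.status = "identified"
        self.log.append(("reopened", reason))


if __name__ == "__main__":
    # Constructed sample risk walked through the whole lifecycle.
    risk = Risk("Phishing leads to credential theft", owner="alice", scale=5)
    print("level:", risk.evaluate(impact=4, likelihood=3))
    print("decision:", risk.decide(acceptable_level=6))
    risk.add_task("Enable MFA for all staff accounts", owner="bob")
    print("closed before confirmation:", risk.close())
    risk.confirm_task("Enable MFA for all staff accounts", by="bob")
    print("closed after confirmation:", risk.close())
    risk.reopen("incident: successful phishing despite MFA")
    print("status:", risk.status, "log:", risk.log)
```

The point of the `close()` guard is the one the article makes: a risk is not closed because a treatment plan exists, but because the task owners have confirmed the measures are done, and the same record keeps the history needed when an incident forces a re-evaluation.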
Tips for implementing risk management in Cyberday
Here are a few highlights that can help in implementing risk management in your organisation.
- Check out the report templates regarding risk management in Cyberday. In particular, the "Risk management procedure and results" preview works as useful instructional material for everyone involved in managing information security risks.
- It is possible to create a review cycle for the cyber security risks list. This allows the Cyberday Teams app to remind the risk owners to review the risks e.g. every 6 months, which helps to identify risks that have changed and need to be re-evaluated.
- Create custom guidelines for risk owners. In Cyberday it is possible to target guidelines to specific units. One of these units is the unit of risk owners. You can add important guidelines to the Guidebook and by using Cyberday ensure that risk owners read them regularly.
Would you like to hear more about the topic?
If you would like to learn more about managing cyber security risks, join our upcoming webinars or pick a suitable time for a Teams meeting and we can continue the discussion in a more personalised manner.