Why is a risk-based approach a better defence?


What is the best approach to address your organisation's information security issues?

There are common information security threats that every business faces, as well as threats specific to your business, and there are mitigation techniques to handle each of them.

For instance, you may already have staff training, anti-malware and other technologies in place.

However, you may not know how effective your defences are until they meet a real threat.

That is why every organisation needs to build its defences according to the information security risks it might actually face.

So, what actually is a risk-based defence?

Your organisation does not have an unlimited budget for information security, so you need to use the available resources carefully to build your defence.

The best approach is to conduct a risk assessment: identify your risks and prioritize them. Then you can implement appropriate controls to mitigate those risks.

The ISO 27001 ISMS standard provides a framework for following a risk-based approach that meets your specific needs efficiently.

Once you have initiated an ISMS project based on the ISO 27001 framework and identified and documented your information security objectives and policies, a risk assessment should be carried out using the following processes:

  • Identifying information assets
  • Identifying their risks
  • Analysing risks
  • Evaluating risks
  • Selecting risk management options (controls) 

Then create a risk treatment plan. It lists assets, risks, risk owners, security controls, justification, target dates and status.

Finally, implement your risk treatment plan and run organisation-wide awareness and training.
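As an added illustration (not part of the original post), here is a small Python risk register that walks the assessment steps above and produces a treatment plan with the fields just listed. ISO 27001 does not prescribe a scoring method, so the 1-5 likelihood and impact scale, the acceptance threshold of 8, the four treatment options and the sample assets, risks and controls are all assumptions made for this example.

```python
# Added example, not from the original post. The scoring scale, threshold,
# treatment options and sample data are assumptions; ISO 27001 does not
# prescribe any of them.
from dataclasses import dataclass
from typing import Dict, List, Tuple

SCALE = range(1, 6)          # assumed 1 (lowest) .. 5 (highest) for likelihood and impact
ACCEPTANCE_THRESHOLD = 8     # assumed: likelihood x impact <= 8 may be accepted as-is
TREATMENT_OPTIONS = {"mitigate", "accept", "transfer", "avoid"}


@dataclass
class Asset:
    name: str
    owner: str               # risk owner for risks against this asset


@dataclass
class Risk:
    asset: Asset
    threat: str
    likelihood: int
    impact: int

    def __post_init__(self):
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.threat!r}: likelihood and impact must be 1..5")

    @property
    def score(self) -> int:
        """Analysis step: a simple likelihood x impact score (assumed method)."""
        return self.likelihood * self.impact


@dataclass
class Treatment:
    option: str
    controls: List[str]
    justification: str
    target_date: str
    residual: Tuple[int, int]  # (likelihood, impact) expected once controls are in place


def evaluate(risks: List[Risk], threshold: int = ACCEPTANCE_THRESHOLD) -> List[Risk]:
    """Evaluation step: keep only risks above the acceptance criterion, worst first."""
    return sorted((r for r in risks if r.score > threshold),
                  key=lambda r: r.score, reverse=True)


def build_plan(risks: List[Risk], decisions: Dict[str, Treatment],
               threshold: int = ACCEPTANCE_THRESHOLD) -> List[dict]:
    """Treatment plan rows using the fields the post lists. A risk with no recorded
    decision stays 'untreated', and one whose residual score is still above the
    threshold is flagged for review instead of being marked planned."""
    plan = []
    for r in evaluate(risks, threshold):
        row = {"asset": r.asset.name, "risk": r.threat, "risk_owner": r.asset.owner,
               "score": r.score, "option": None, "controls": [], "justification": "",
               "target_date": "", "status": "untreated"}
        t = decisions.get(r.threat)
        if t is not None:
            if t.option not in TREATMENT_OPTIONS:
                raise ValueError(f"unknown treatment option {t.option!r}")
            residual = t.residual[0] * t.residual[1]
            row.update(option=t.option, controls=t.controls,
                       justification=t.justification, target_date=t.target_date,
                       residual_score=residual,
                       status="planned" if residual <= threshold
                       else "review: residual risk still above threshold")
        plan.append(row)
    return plan


def sample_plan() -> List[dict]:
    """Constructed sample register for a small web shop (assumed data)."""
    crm = Asset("customer database", "Head of Sales")
    laptops = Asset("staff laptops", "IT Manager")
    shop = Asset("public web shop", "Head of Engineering")
    risks = [
        Risk(crm, "ransomware encrypts the database server", 3, 5),            # score 15
        Risk(laptops, "lost laptop exposes unencrypted customer files", 4, 4),  # score 16
        Risk(shop, "credential stuffing against customer accounts", 4, 3),      # score 12
        Risk(shop, "defacement of marketing pages", 2, 2),                      # score 4, acceptable
    ]
    decisions = {
        "lost laptop exposes unencrypted customer files": Treatment(
            "mitigate", ["full-disk encryption", "remote wipe", "staff awareness training"],
            "low-cost controls remove most of the impact", "2025-09-30", residual=(4, 1)),
        "ransomware encrypts the database server": Treatment(
            "mitigate", ["offline backups restored quarterly", "endpoint anti-malware",
                         "patching within 14 days"],
            "core business data; insurance alone would not restore service",
            "2025-12-31", residual=(2, 5)),
        # no decision recorded yet for credential stuffing: it must show up as untreated
    }
    return build_plan(risks, decisions)


if __name__ == "__main__":
    for row in sample_plan():
        print(f"{row['score']:>2}  {row['asset']:<18} {row['risk']:<50} "
              f"{row['risk_owner']:<20} {row['status']}")
```

Running it prints the plan worst-risk first and drops the defacement risk, which sits under the acceptance criterion. Two things the paragraphs alone do not show: the ransomware entry is flagged for review because its residual score (10) is still above the threshold even after the chosen controls, and the credential-stuffing risk stays visibly untreated because no decision has been recorded, which is exactly the kind of gap an internal audit should surface.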

For your ISMS to be effective, the implemented controls must meet your information security objectives.

Monitoring your security controls is very important. Internal audits review security performance so that you understand what is working and what could be improved.

Once your ISMS is in place, your organisation can seek ISO 27001 certification from an accredited certification body.

Niranjan Meegammana 

