In the second part of this two-part series covering interviews with information security managers about their risk assessment experiences, we asked them what advice they would give to those just starting out with an information security risk assessment.
Here are the answers and practical insights from ten managers who have been through the process and have the scars to prove it:
- “Identify the key stakeholders to speak to. Get the right people in the room so that you can identify what is needed (from the risk assessment). Make sure you ask the right questions beforehand to get the most out of what is needed.”
- “Get the groundwork done and prepare. The more information you gather prior to going live with the system, the better, because it saves time. Get the scope down: what needs to be considered and how much you need to put in. Understand ISO 27001. Think carefully about information and asset classifications. Be realistic about how long it can take.”
- “Get a consultant in that has done it before to help you initially, and go on a course.”
- “Keep it as simple as possible. Spend more time seeing what is out there. Research.”
- “It is important to get buy-in from risk owners about the risk assessment. It is also helpful if you can find a tool to help you with this process.”
- “Approach the task with an asset inventory so the risk assessment can evolve from that. Have assets classified and risk owners identified. Do research and plan beforehand.”
- “Try to delegate parts of the risk assessment to the relevant areas rather than trying to do it all yourself. Get someone experienced to guide you through the process initially if you are starting from scratch.”
- “It is important that the project is isolated from other activities so that you can spend the required amount of time to complete the exercise.”
- “Understand where key information assets reside. Break the overall environment into components of assets.”
- “Plan well in advance on how to tackle the risk assessment. Prepare how to plan and implement the controls that are needed.”
vsRisk™ was developed by the world’s leading ISO 27001 experts and is the culmination of over ten years’ experience in delivering advice, training, consultancy and guidance to thousands of companies across all industries.
vsRisk provides a simple, smart and cost-effective way to carry out information security risk assessments. It simplifies and speeds up the risk assessment process, cuts costs and ensures accurate, repeatable risk assessments, year after year. Find out what vsRisk can do for you now.
View the vsRisk infographic to see a detailed summary of the features of vsRisk.
* Respondents’ names have been kept anonymous owing to client confidentiality requests.