Information security managers starting out with an ISO 27001 implementation often approach one of the most important – but certainly also one of the most challenging –aspects, the risk assessment, with a little anxiety. This is because the risk assessment process is a complex one, requiring a lot of planning, preparation, stakeholder involvement and knowledge of risk assessments to get “accurate, repeatable, consistent and comparable results” – a key requirement of ISO 27001.
Larger companies with many branches or divisions find it particularly challenging to maintain control of the risk assessment, due to the numerous facets to consider, such as assets (located in various places), people, processes, risks, threats and vulnerabilities. Keeping track of it all, providing evidence of how the risks have been treated, and producing the relevant audit reports can all be a bit overwhelming, especially for those who are using spreadsheets.
Alan Calder, executive chairman and CEO of Vigilant Software’s holding company, IT Governance Ltd, explains why vsRisk is the better choice:
Spreadsheets have too much room for error
“We created vsRisk because we understood that it was never going to be possible for anyone to create and maintain an in-house risk assessment tool based on a spreadsheet that would deliver consistent, valid and reproducible results – spreadsheets have too much room for error, at a cellular level. The idea of creating something in a spreadsheet presupposes that the organisation employs someone who knows enough about risk assessments to create something that does a risk assessment in a way that complies with ISO27001.”
Calder continues, “Due to staff turnover, expertise comes and goes. We wanted vsRisk to be a constant – ensuring that, irrespective of the current state of staffing, clients would always have a viable risk assessment methodology capable of supporting their ISMS.”
What our customers say
We also asked a few of our customers who are already using vsRisk why they prefer using the software over spreadsheets. This is what they said:
Spreadsheets are too large and cumbersome
“The main problem of using Excel spreadsheets is that they were becoming too large and cumbersome. As everything was all on one sheet, it is hard to find specific info and drill down the data as need to use multiple tabs etc.”
Spreadsheets are hard for tracking data
“It’s hard to track data for information assets with Excel so vsRisk is needed to store data. A spreadsheet does not cut it for tracking, so vsRisk is the answer, as all data is integrated in one place.”
With spreadsheets it became difficult to use and see risks/assets
“Excel became difficult to use and see risks/ assets as the spreadsheet kept growing with numerous columns etc. therefore, data hard to read and identify risks”.
Sharing and keeping spreadsheets up to date is a problem
“Trying to keep the spreadsheet up to date and share with appropriate people to make sure the risk assessment is completed correctly is a problem with Excel. Excel is hard to use for risk assessments”.
Excel is not user-friendly for risk assessments
“The risk assessment is not meaningful if it is on Excel. There are bugs and it freezes. Excel is not user-friendly for risk assessments”.
Spreadsheets are time-consuming
“Using Excel would have been time consuming: setting up spreadsheets according to how the departments wanted it with the correct formulas etc. Also, different departments may have done things differently before, making it hard to track as not all data would have been on one common sheet”.
Calder says: “The risk assessment is at the heart of information security risk management – only an automated tool can deliver the level of reliability and consistency that today’s organisation needs.”
vsRisk Standalone is available at only £595.00, offering a complete risk assessment solution for information security managers.