Most implementation plans and activities for an ISO 27001 information security management system (ISMS) are based upon a risk assessment. Although experts agree that a risk assessment is at the core of an ISMS, those who have completed one will agree that simply starting the process is not easy.
Getting to grips with all the different requirements, agreeing and finalising the risk assessment criteria, getting the different risk and asset owners involved, identifying the different assets and their associated risks… all of these elements are crucial, but require time and energy. And that’s not even half the job.
Recently, we asked a few information security managers what their biggest challenges were when tackling a risk assessment.
This is what they said:
- “Valuing assets was a big pain point for us. You need to understand what is important to the business and base your decisions on that.”
- “Understanding the level of detail required on a risk assessment was quite a challenge.”
- “The time it takes to implement the risk assessment. The need to have everything in one place. The need to have risks and threats in one place to make it easier to manage.”
- “Our biggest struggle was to ensure that all vulnerabilities were addressed.”
- “The fact that we had never done a risk assessment before meant that we didn’t know exactly what it entailed. Our lack of knowledge was a serious concern for us.”
- “Time constraints. Finding the time to complete the risk assessment.”
- “Understanding the different risks within the different technologies, for instance virtualisation vs physical security.”
- “For one person, there are a lot of new topics to get one’s head around. I had to research different resources for information, and find out how other people had done it in the past. We were looking to create our own policies and materials with spreadsheets but soon realised it was not feasible. The time constraints of getting into the terminology was also something we had difficulty with.”
- “The size of the company makes it difficult, as we have 17 branches across Scotland. Therefore, there are lots of departments to deal with. Time constraints were another big issue for us.”
By using vsRisk, the respondents were able to benefit from the software’s structured approach, enabling a streamlined and faster risk assessment.
Here are some comments on how vsRisk has helped them in their risk assessments:
- “vsRisk has made things easier for us, and streamlined the risk assessment process, rather than relying on Excel sheets. vsRisk meant that we didn’t have to start from scratch, by using the ISO 27001 toolkit and vsRisk combination package.”
- “It is easy to administer as everything is in one place and no need to use different tabs, like with Excel. The ease of use means not having the problem of scrolling through masses of data on a spreadsheet.”
- “To do it from scratch would have taken at least three or four more days.”
- “We saved a large amount of time as all of the information was in drop-down lists. We are able to put in place controls as well from a list, which was helpful. It has sped up the task of the risk assessment.”
- “I would say that it saved at least a week in time for the initial risk assessment. By saving on time, it would have saved on money also.”
- “The top features of vsRisk were the ability to cross-reference with other standards, the reference material and the structured approach offered by the tool.”
- “We benefited greatly from the database of vulnerabilities, threats and risk scenarios built into the software.”
- “I am happy with the help vsRisk has given me to progress the ISMS implementation process. The integration with the comprehensive documentation toolkit is an excellent feature. The documentation toolkit alone will save weeks/months of work!”
vsRisk™ provides a simple, smart and cost-effective approach to information security risk assessments. It simplifies and speeds up the risk assessment process, cuts costs and ensures accurate, repeatable risk assessments, year after year. Find out what vsRisk can do for you now.
Watch vsRisk videos here.
Respondents’ names have been kept anonymous owing to client confidentiality requests.