Aligning security incidents and risk assessments
28th May 2020
The international standard for information security, ISO27001, requires an effective approach to the identification, assessment and management of information and cyber risks. Whether your organisation follows ISO27001 or another framework, risk assessment must be much more than a theoretical exercise. Put simply, every security incident you report (lost data, a weak password, a compromised asset, etc.) is a strong indication of one of three shortcomings:
- (a) something assessed as acceptable in your risk assessment clearly should have been unacceptable;
- (b) the risk assessment did not cover the vulnerability or threat that caused the incident;
- (c) in the worst case, there is no risk assessment in place at all.
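The three-way check above can be run mechanically against a risk register. The following is an added example (not InfoSaaS code) that reconciles a list of incident reports with a register of assessed risks: it returns shortcoming (a) when the matching risk was signed off as acceptable, (b) when no register entry covers the asset/threat pair, and (c) when the register is empty. It adds one outcome the text does not list, "treated_risk_materialised", for an incident whose risk was assessed as unacceptable and treated, because that case points at a failed control rather than at the assessment. The register and incident records are constructed sample data; the field names (`asset`, `threat`, `accepted`) are assumptions.

```python
from collections import Counter

# Constructed sample risk register: one row per asset/threat pair.
# 'accepted' is True where the assessed risk was signed off as acceptable.
RISK_REGISTER = [
    {"asset": "staff laptop", "threat": "device loss", "accepted": False},
    {"asset": "vpn gateway", "threat": "weak password", "accepted": True},
]

# Constructed sample incident reports.
INCIDENTS = [
    {"id": "INC-001", "asset": "vpn gateway", "threat": "weak password"},
    {"id": "INC-002", "asset": "staff laptop", "threat": "malware"},
    {"id": "INC-003", "asset": "staff laptop", "threat": "device loss"},
]


def _norm(text):
    """Case- and whitespace-insensitive key so register and incident wording match."""
    return " ".join(text.lower().split())


def classify_incident(incident, register):
    """Map one incident to the risk-assessment shortcoming it indicates.

    Returns one of:
      'c_no_assessment'              - the register is empty (shortcoming c)
      'a_accepted_risk_materialised' - risk was assessed and accepted (shortcoming a)
      'b_not_assessed'               - no register entry covers this asset/threat (shortcoming b)
      'treated_risk_materialised'    - risk was assessed as unacceptable and treated,
                                       so the control, not the assessment, needs review
    """
    if not register:
        return "c_no_assessment"
    for risk in register:
        same_asset = _norm(risk["asset"]) == _norm(incident["asset"])
        same_threat = _norm(risk["threat"]) == _norm(incident["threat"])
        if same_asset and same_threat:
            if risk["accepted"]:
                return "a_accepted_risk_materialised"
            return "treated_risk_materialised"
    return "b_not_assessed"


def reconcile(incidents, register):
    """Classify every incident; returns {incident id: finding}."""
    return {inc["id"]: classify_incident(inc, register) for inc in incidents}


def summarise(incidents, register):
    """Count findings by category, e.g. to report how many register gaps exist."""
    return dict(Counter(reconcile(incidents, register).values()))


if __name__ == "__main__":
    for inc_id, finding in reconcile(INCIDENTS, RISK_REGISTER).items():
        print(inc_id, finding)
    print(summarise(INCIDENTS, RISK_REGISTER))
```

Running this over the sample data yields one finding of each kind: INC-001 is an accepted risk that materialised, INC-002 exposes a threat the register never assessed, and INC-003 indicates a treated risk whose control did not hold. Feeding real incident tickets and a real register into `summarise` gives a quick measure of how well the assessment reflects what actually happens.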
Risk assessments have historically been regarded as cumbersome, bureaucratic and not somewhere most people want to spend their time. InfoSaaS risk assessment workflows are designed to be agile, easy to access, and simple to review and adjust as business needs change. We have also integrated them with our security incident and supplier management modules, providing visibility of challenges across traditionally siloed activities.
Our customers benefit from the mindset that risk assessments are not in place solely to keep an ISO27001 certificate hanging on the wall. Done well, such assessments are the backbone of business resilience, support compliance with legislation and regulations, underpin contractual adherence, and provide invaluable assurance to your customers, stakeholders and colleagues that you can be trusted to keep valuable information safe.