Securing Information
Strengthening Business

Managing Information Risk: Why Do a Risk Assessment?

Understanding the risks to your information

The single fundamental requirement of Information Risk Management or compliance is that an organisation should be aware of the risks it faces when managing its information. This does not presume that all information assets are valuable and require protection, only that the organisation is aware of the value and the attendant risks. Once the business is aware of the risks it faces, it can manage them in the most convenient and cost effective manner.

First, identify the risks

The difficult part is to identify the risks the business faces in the first place. This is not a simple matter for the average manager, as there are a large number of factors to take into consideration. This is where a formal Risk Assessment is important: it weighs up all of the factors affecting information risks and enables a clear definition of the most important or pressing ones.

Risk Assessment is not only an information security tool; it is often used in other situations such as insurance underwriting and project management. In fact, Risk Assessment in a much less formal sense is second nature to all of us when crossing the road, and governs much of human behaviour.

Having identified what the risks are to their information, businesses can then manage those risks in the manner that is most appropriate (to them). This could mean that no additional protection measures are taken, but if the risks are ignored then this is done in the knowledge of the consequences, not in ignorance of them.

What does a Risk Assessment involve?

The popular concept of risk assessment is in effect two distinct processes:

  1. The identification and assessment of the risks (risk assessment).
  2. The selection and justification of countermeasures to manage those risks (risk management).

It is rare for the two aspects to be separated in normal practice, but they do require the application of quite different skills.

A reasonably accurate description of the two components, risk assessment and risk management, as applied to information risks, is that together they form a process for:

  • Identifying and evaluating the information security risks associated with a computer system or telecommunications network;
  • Nominating and justifying security countermeasures which are commensurate with the identified risks.

Information Risk Management in a network or system depends on a large number of factors working together effectively. For example, if an attacker wanted to infiltrate a network, there are numerous ways in which he might approach the problem. These include packet interception, eavesdropping, hacking, insertion of malware, compromising authorised users, theft of documentation, etc. Securing a system against these threats requires a range of security measures spanning communications, physical, personnel, document and procedural security.

The benefits of Risk Assessment and Information Risk Management

Formal Risk Assessment and Information Risk Management techniques will assist a business to identify and evaluate all risks facing a system, and to identify and justify a comprehensive range of complementary security measures to meet those risks.

Article by Colin Dixon, Principal Consultant at Ascentor and leading authority on Corporate Governance and PCI DSS.
