What are the key steps to ensure a thorough and accurate risk assessment process?
This is a new type of article that we started with the help of AI, and experts are taking it forward by sharing their thoughts directly into each section.
— The LinkedIn Team
Risk assessment is a crucial component of any information security management system (ISMS). It helps you identify, analyze, and evaluate the potential threats and vulnerabilities that could affect your organization's assets, operations, and objectives. However, conducting a risk assessment is not a one-time or simple task. It requires a systematic and consistent approach that follows some key steps. In this article, we will explain what these steps are and how they can help you ensure a thorough and accurate risk assessment process.
The first step is to define the scope of your risk assessment. This means determining what assets, processes, and functions are within the boundaries of your ISMS and need to be assessed. You should also consider the internal and external factors that could influence your risk profile, such as your organizational structure, culture, strategy, legal requirements, industry standards, and stakeholder expectations. By defining the scope, you can focus your efforts on the most relevant and critical areas of your ISMS.
-
Henrik Parkkinen
Cybersecurity dude | 40 under 40 in Cybersecurity | CISM, CRISC, CISA, CGEIT, CCSK, eJPT | Cyber Security | Information Security | Cloud Security | IT-security | Risk Management | www[.]HenrikParkkinen[.]com
Context is king: A risk exists in a context and not in a vacuum. Make sure that you and those who participate in the risk assessment understand the context.
Security risk: Security risks are dynamic, and changes in the threat landscape may happen very fast. Reevaluate the context if new information becomes available in later stages of the risk assessment process. Adapt and reevaluate as you go.
Business impact: Evaluate and understand the potential negative business impact if the risk is actualized. At the end of the day, the only type of risk that exists is business risk. Security risks, like any other type of risk, will have an impact on the business. Make sure to understand that impact.
-
Carlos Lacasa Sánchez
CISO | R&D Manager
1. Understand the business: List business services and industrial processes, identify owners, and assign importance levels for context and impact understanding.
2. Identify assets: Create an inventory linked to services and processes, determining qualitative asset value.
3. Identify vulnerabilities: Assess cybersecurity maturity, pinpointing procedural gaps, awareness levels, and technical weaknesses for each asset.
4. Threat modeling: Analyze up to 10 likely threats, evaluating actors, capabilities, and TTPs. Offensive mindset.
5. Risk scoring: Based on the threat model, determine the likelihood of exploitation for each vulnerability, considering asset context for impact assessment across services and processes.
The next step is to identify the risks that could affect your ISMS. Risks are the combination of threats and vulnerabilities that could cause harm or loss to your assets, processes, and functions. You should use various sources of information, such as historical data, incident reports, audits, surveys, interviews, and observations, to gather evidence of the existing and potential risks. You should also use a risk identification framework, such as OCTAVE, FAIR, or NIST, to help you structure and document your findings.
-
Mohd Sohaib
Engineering @ Recur Club | Programmer & Author | Simplifying the Digital Security Maze
One of the biggest risks to any ISMS is becoming redundant or irrelevant. With the ever-changing landscape of information systems, perhaps the biggest challenge is to identify the shifts. Continuous review and update forms the bedrock of risk identification. Checks like regulatory and voluntary compliance, regular audits, vulnerability assessment, etc. go a long way in proactive risk identification. These can be coupled with continuous monitoring, asset inventory management, scenario planning, threat intelligence, etc. to form a comprehensive risk identification policy.
-
Yusuf Purna
Chief Cyber Risk Officer at MTI | Advancing Cybersecurity and AI Through Constant Learning
Risk identification is an art form, honed through years of experience and vigilance. It's not just about recognizing obvious threats but uncovering hidden dangers—those that lie dormant until conditions are ripe. My approach has always been to combine data-driven methods with intuitive insights. This involves tapping into diverse information sources, from incident reports to employee feedback, and contextualizing them within a broader industry and global landscape. A robust risk identification process is akin to putting together a jigsaw puzzle; each piece provides a glimpse into potential vulnerabilities and emerging threats, shaping a comprehensive risk landscape.
The third step is to analyze the risks that you have identified. This means estimating the likelihood and impact of each risk, based on the probability and severity of the threat and the vulnerability. You should use a risk analysis method, such as qualitative, quantitative, or hybrid, to help you measure and compare the risks. You should also use a risk matrix, such as a 3x3 or 5x5 grid, to help you visualize and categorize the risks according to their level of risk.
-
Mohd Sohaib
Engineering @ Recur Club | Programmer & Author | Simplifying the Digital Security Maze
In any practical scenario, risk analysis would be a mix of subjective judgements and hard numbers often driven by organisational policies or compliance adherence. These in turn would be guided by the impact (actual or expected) each of the identified risks carry.
-
Maciej Markiewicz
Cybersecurity | Security Engineering | Consulting | Trainings
Start with threat identification; this will facilitate better risk identification and analysis. Using tools such as threat modeling allows for a more precise identification of risks relevant to your business, organization, or IT system. This is crucial as it enables a more focused approach to the threats that are particularly relevant to you.
The fourth step is to evaluate the risks that you have analyzed. This means deciding whether each risk is acceptable or unacceptable, based on your risk appetite and tolerance. Your risk appetite is the amount of risk that you are willing to take to achieve your objectives, while your risk tolerance is the amount of variation from your risk appetite that you can accept. You should use risk evaluation criteria, such as a scoring system or a ranking scale, to help you prioritize and justify your decisions.
-
Anesu Kafesu
IT and Infrastructure Project Management | PMP® | ITIL 4® | CCNA | CISM® | OCIAA
Evaluating risks is the fourth step in the risk assessment process and is crucial to determine whether identified risks are acceptable or unacceptable. This assessment is based on your organisation's established risk appetite and tolerance. Risk appetite represents the level of risk your organisation is willing to accept in order to achieve its objectives, while risk tolerance specifies the range of variation from the established risk appetite that is still acceptable. To aid in this evaluation, organisations often employ risk evaluation criteria such as a scoring system or ranking scale. These criteria help prioritise and justify decisions regarding which risks should be addressed and how they should be managed.
-
Jessica L.
Technology Due Diligence | Cloud Readiness | Technical Debt | Vendor Management | Security & Privacy | Software Assurance
In line with SIG's SRA practices, the evaluation of risks within an ISMS closely resonates with methodologies. By determining the acceptability of risks based on a defined risk appetite & tolerance, our approach echoes SIG's emphasis on structured risk assessment. We utilize similar risk evaluation criteria (scoring systems or ranking scales) to align with SIG's best practices. This process ensures prioritization and justification of risk decisions, a fundamental aspect emphasized within both SIG's software risk assessment and our approach to ISMS risk evaluation. Through this aligned strategy, we aim to uphold security excellence & fortify systems against potential threats, remaining consistent with high standards for SRA.
The fifth step is to treat the risks that you have evaluated. This means selecting and implementing the appropriate risk treatment options, such as avoiding, reducing, transferring, or accepting the risks. You should use a risk treatment plan, such as a risk register or a risk action plan, to help you document and monitor your actions. You should also consider the costs and benefits of each option, as well as the residual risks that remain after the treatment.
-
Yusuf Purna
Chief Cyber Risk Officer at MTI | Advancing Cybersecurity and AI Through Constant Learning
Treating risks is where strategic planning meets practical execution. In my decades of experience, I've seen that effective risk treatment requires a nuanced understanding of not just cybersecurity but also the organization's operational dynamics. It's about crafting solutions that are not only technically sound but also pragmatic and aligned with the business's core objectives. This step is not just about mitigating risks but also about leveraging them for organizational growth and resilience, ensuring that the cybersecurity strategy supports and enhances the overall business strategy.
-
Anesu Kafesu
IT and Infrastructure Project Management | PMP® | ITIL 4® | CCNA | CISM® | OCIAA
Risk treatment is the critical fifth step in the risk assessment process. It involves strategic actions to manage identified risks. Options include avoidance, reduction, transfer, or acceptance. A risk treatment plan, like a risk register or action plan, is crucial for documenting and monitoring actions. Consider the costs and benefits of each option and be aware of any residual risks that may remain. Effective risk treatment ensures proactive risk management, helping organisations make informed decisions to mitigate potential threats to their operations and objectives.
The final step is to review the risks that you have treated. This means verifying and validating the effectiveness and efficiency of your risk treatment actions, as well as identifying and addressing any new or changed risks. You should use a risk review process, such as a periodic audit or a continuous feedback loop, to help you measure and improve your risk performance. You should also communicate and report your results and recommendations to the relevant stakeholders and authorities.
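As an added worked example (not part of the original article or of any contributor's text), the steps above applied to a small risk register: each risk is scored on an assumed 5x5 likelihood-by-impact matrix, evaluated against an assumed appetite and tolerance, given a treatment option, and re-scored for residual risk so the review step can sort by what remains. The band ceilings, the appetite/tolerance values and the sample assets, threats and scores are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
# Assumed 5x5 matrix: likelihood and impact scored 1-5, score = likelihood x impact.
# The band ceilings are this example's assumption, not a standard.
BANDS = ((4, "Low"), (9, "Medium"), (16, "High"), (25, "Critical"))

def score(likelihood: int, impact: int) -> int:
    # Reject values off the matrix so a typo cannot silently produce a bogus score.
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be 1-5 on a 5x5 matrix")
    return likelihood * impact

def band(s: int) -> str:
    return next(name for ceiling, name in BANDS if s <= ceiling)

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    treatment: str = "accept"                  # avoid / reduce / transfer / accept
    residual_likelihood: Optional[int] = None  # filled in once a treatment is chosen
    residual_impact: Optional[int] = None

    def inherent(self) -> int:
        return score(self.likelihood, self.impact)

    def residual(self) -> int:
        # What remains after treatment; an untreated risk keeps its inherent score.
        lk = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        im = self.impact if self.residual_impact is None else self.residual_impact
        return score(lk, im)

def evaluate(risk: Risk, appetite: int, tolerance: int = 0) -> str:
    """Appetite: highest residual score accepted outright. Tolerance: extra margin allowed."""
    r = risk.residual()
    if r <= appetite:
        return "acceptable"
    return "tolerable" if r <= appetite + tolerance else "unacceptable"

def register_report(risks: List[Risk], appetite: int, tolerance: int = 0) -> List[Tuple]:
    # Highest residual risk first, so the review step sees the worst remaining exposure on top.
    return [(r.asset, r.inherent(), band(r.inherent()), r.treatment,
             r.residual(), band(r.residual()), evaluate(r, appetite, tolerance))
            for r in sorted(risks, key=lambda x: x.residual(), reverse=True)]

# Constructed sample register (hypothetical assets, scores and treatments).
SAMPLE = [Risk("customer DB", "credential theft", "no MFA on admin accounts", 4, 5, "reduce", 2, 5),
          Risk("file server", "ransomware", "unpatched SMB service", 3, 4, "reduce", 1, 4),
          Risk("marketing site", "defacement", "weak CMS password", 3, 2)]
```

Calling `register_report(SAMPLE, appetite=9, tolerance=3)` returns one row per risk with inherent score and band, treatment, residual score and band, and the evaluation verdict; the untreated marketing-site risk keeps its inherent score as its residual.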
-
Ilkin Javadov
Senior Penetration Tester - Real Ethical Hacker
Involve stakeholders. Stakeholders can provide valuable insights into the effectiveness of your risk treatment actions and the risks that you are facing.
Use data and metrics. Data and metrics can help you to measure and track your risk performance over time.
Be objective. It is important to be objective when reviewing your risk performance. This means being willing to identify areas where improvement is needed.
-
Andre Stivala
Currently: I do stuff. Currently + Traditionally: CyberSec, InfoSec & PrivSec - Standardization & Compliance.
Consistency is king. Risks are often reviewed following 'typical', 'standard' frequencies of once or twice per year. Risks and their respective mitigating controls are extremely dynamic, especially when associated with technology. Therefore, reviews should be conducted on an ongoing basis, ensuring that they form part of day-to-day ops. No need to reinvent the wheel or to overcomplicate matters. A simple structure and schedule to ensure consistency will do the trick.
-
Chris Gebhardt
Available CISO. Former LE SWAT Team Leader. Founder of FYR Cyber with experience in CMMC, ISO, SOC, NIST, and many more. Let me help you grow your cybersecurity hygiene.
Trust but Verify! As we have seen from the many breaches in 2023, cybersecurity certifications are worthless at predicting which organizations will be breached. Sadly, these certifications/attestations are not risk assessments. An actual RA will verify the controls are in place and be rather prescriptive. For example, when looking at strong passwords, ask for a screenshot of the actual password configuration screen in MS ActiveDirectory rather than looking at the written password policy document. Make sure the PRACTICE matches or exceeds the POLICY!
-
Andre Stivala
Currently: I do stuff. Currently + Traditionally: CyberSec, InfoSec & PrivSec - Standardization & Compliance.
Validate controls! Do not expect implementations of risk mitigating controls to just 'work' if they are never verified and validated.