ACI follows the recommendations, principles and guidelines of ISO 31000, the standard for risk analysis. The ISO 31000 Risk Management framework meets the requirements of Information Security Risk Management as outlined in ISO 27005. ACI provides detailed guidelines based on ISO 31000 and ISO 27005 on how to conduct risk assessment and management.
All businesses seek to reach their goal. Risk Assessment helps you achieve your business objectives. The initiatives outlined in the Risk Assessment improves the quality of your company’s products and services, no matter where your deliverables are used: internally or by your clients. Therefore Risk Assessment makes good business sense.
The Risk Assessment forms the basis for prioritizing the resources needed for security. The risk assessment measures risks (that is, threats and vulnerabilities) in relation to one another thereby focusing resources on what matters most or what is most vulnerable. The scenarios of the risk assessment, which are easily understood by all in the organisation and expressed without technical jargon, allow for an assessment of the company’s IT systems and business processes without requiring technical security insight. This method of risk analysis will ensure that risk can be compared and measured across all the organisation’s fields of operations such as IT, Facility, Economy, Production etc. The risk analysis is measured on the same likelihood and impact scale so a complete picture of the organisation’s risks can be grasped and prioritised in relation to one another.
Risk Appetite is defined as the amount of risk that an organisation is willing to take in order to meet its objectives. Benefits are weighed in the balance. For example, the ability to be innovative and dynamic is weighed against the necessary level of security. You will typically expect a high level of security for systems, processes and information availability, integrity and confidentiality. Conversely, companies would not implement a security level so high so that it negatively impacts on the ease of use and flexibility of the services offered to employees and customers. A definition of risk appetite is necessary to evaluate the results of the risk analysis.
The evaluation process starts with a review of the business hierarchy thus identifying the areas and scope of the risk analysis. A threat and vulnerability analysis results in the identification of key assets and scenarios. The scenario analysis contains: an asset, event description and likely negative consequences. Should the event described in the scenario analysis actually occur, representatives of the business will be able to quickly and easily gain an understanding of problem and follow the protocols outlined in the risk assessment.
A representative of the business assesses the impact for each scenario outlined in the risk assessment. The likelihood of the scenario occurring must be assessed by persons with knowledge of previous events and the current security threat. Likelihood of the event happening is based on the current controls that are in place and experience based on previous events.
Assessing the risk:
Risk = cost of consequence x likelihood.
A Risk number expresses the potential loss per year for each individual risk in the scenario analysis. This figure is based on the cost of the consequence times the likelihood of the event actually happening, i.e. estimated economic loss per event times estimated number of events per year. The risks outlined in the scenario analysis are sorted in a risk matrix with the events with greatest risk at the top and the lowest risk at the bottom. It is now management’s decision whether to accept the risk level or not. A risk mitigation plan for high risk events estimates the cost of lowering the risk and the consequence of doing so. Typically the risk assessment results in the decision to use mitigation to reduce the level of high risk events.
It is advisable to first prepare an overall mitigation plan showing where the greatest risk reduction can be achieved in relation to available resources. This provides a basis for management to decide which risks to reduce. Thereafter a more detailed risk mitigation and reduction plan can be prepared for those risks selected by management.
Normalisation of consequences and likelihood
To provide a thorough evaluation and comparison throughout the organisation, consequence and likelihood must be evaluated using a uniform scale.
Likelihood is evaluated using a uniform scale such as the estimated number of events per year. Consequence is evaluated using a uniform scale such as the estimated financial loss caused by an event. Normalisation of the risk analysis makes it easier to evaluate risk scenarios and to compare risks throughout the organisation.
A risk analysis can use a scale like the one below.