What is Risk Management?
Risk Management is the process of identifying, analysing and reducing risks. To understand risk management we first have to understand risk. Risk is the possibility that an uncertain event occurs and affects the system or the organization's objectives; in practice the focus is on unwanted events with negative effects. Examples of such effects are degraded system performance, destruction of a key component, or the introduction of a new factor that lowers the system's productivity. Typical business risks include fraud committed by an employee, unavailability of key employees, and damage to a company's reputation. The idea of risk is not limited to organizations; it exists in everyday life as well: a flat tyre on the way to an interview, a broken air conditioner, an electrical short circuit.
What is the ISO Approach to Risk Management?
In the context of ISO 27001 and information security, risk specifically means risk to information systems; examples are a malware infection, a system outage, or corruption of data. In the terminology of ISO 27005, "information security risk" is defined as the "potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization". That definition contains three terms to understand: threat, vulnerability and asset. A threat is anything with the potential to harm the system; a vulnerability is a weakness that allows a threat to do so. Threats acting on vulnerabilities ultimately affect assets. An asset is anything of value to the organization, such as servers, databases, facilities, people, paper records and much more. Two further factors are associated with every risk: likelihood (probability) and impact. Likelihood is the chance that a particular threat will exploit a vulnerability, and impact is the amount of harm that would result if it did.
Security risk management is the set of activities carried out to identify risks, estimate and evaluate them, and treat them accordingly. Following the approach of ISO 27005, the main processes are carried out in the following order (ISO 27005 also covers risk acceptance and ongoing monitoring and review, which follow treatment and close the cycle):
1) Context Establishment
2) Risk Assessment: Risk Identification, Analysis and Risk Evaluation
3) Risk Treatment
4) Risk Communication
Context Establishment
The objective of this process is to define the purpose and scope of risk management and to set the basic criteria that later steps depend on: the impact criteria, the risk evaluation criteria and the risk acceptance criteria. The organization's highest priorities determine where the main risk areas lie. For a health insurance company, the privacy of health data is the greater risk area; for a pharmaceutical company, the confidentiality of research data is the top priority; for an outsourcing company, protection of client data is the major concern; and a bank will strive to protect customer data privacy and secure online transactions.
Risk Assessment
Risk assessment consists of risk identification, risk estimation (called risk analysis in the later editions of the standard) and risk evaluation. Risk identification catalogues the information assets and their value, the threats and vulnerabilities that apply to them, and the existing controls around them. Risk estimation assigns a likelihood and an impact to each identified risk and can be qualitative (ordinal scales such as low, medium and high) or quantitative (numeric values such as expected annual loss). Risk evaluation then compares the estimated risks against the risk evaluation criteria and the risk acceptance criteria set during context establishment, producing a prioritized list of risks that need treatment.
Risk Treatment
According to ISO 27005 a risk can be reduced (by applying controls), retained (accepted as it is), avoided (by stopping the activity that causes it) or transferred (for example through insurance or outsourcing). Selecting the treatment that fits the requirements and conditions at that point in time is the risk treatment process. Whatever option is chosen, some residual risk remains after treatment, and that residual risk must be explicitly accepted by management.
Risk Communication
ISO 27005 recommends that information about risk be exchanged between decision makers and other stakeholders throughout the process. Most practitioners would agree that this is important in order to provide assurance about the outcome of the organization's risk management, to share the results of the risk assessment, and ultimately to support decision making.
In conclusion, risk management requires a proper step-by-step approach, and it has a defined workflow just like the other processes of an organization.