Risk Assessment

The first step in building or improving an information security program is understanding what you currently have in place and what work needs to be done. The result of a risk assessment is a gap analysis document that details all of the different elements of an information security program which should be in place and what your organization has in each area. The standards for an information security program can differ across organization types due to the size, industry, and types of data stored. We take regulatory requirements into account such as GDPR, PCI, HIPAA, SEC-OCIE, IT-SiG as well as utilizing international security management system frameworks such as ISO27001/27002.

This engagement consists of four main phases:

  1. Information Gathering
    Information such as existing policies and procedures, asset lists, records, and logs are provided for review. In addition, relevant staff and management are interviewed to understand how processes and policies are implemented throughout the organization. The aim of this step is to identify what data, assets, and controls exist within the organization and how they are implemented.

  2. Identify Sensitive Data and Assets
    An asset inventory is created which reflects the information gathered in the first stage and rates the criticality of each item based on its relationship to business objectives. Assets can include physical or digital records, equipment, and personnel.

  3. Risk Analysis
    The level of risk for each area of the information security program is calculated based on the effectiveness of the existing controls, the assets which these controls protect, and the relevant business objectives for each area. The aim is to identify the relevant risks so that they can be managed in a sustainable manner.

  4. Identify and Establish Risk Management Measures
    A risk management plan is created which contains the identified risks and the changes to the existing control structure which have been defined for the treatment of those risks. Implementation guidance is provided along with each measure to aid in the introduction of these changes to the organization.
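The following script is an added illustration of how phases 2 through 4 fit together as data, not part of this page or of any assessment methodology it describes. It assumes a simple scoring model (residual risk = asset criticality x likelihood x impact x (1 - control effectiveness), with assumed thresholds for the low/medium/high/critical bands); the assets, scenarios, ratings and risk appetite are all constructed sample values. A real assessment would use the organization's own scales, but the flow is the same: inventory and rate assets, score each risk against its current controls, then list the risks above appetite together with the expected score once the proposed measure is in place.

```python
"""Illustrative risk register for a four-phase assessment (added example).

Assumed scoring model, not the page's own: residual risk =
criticality x likelihood x impact x (1 - control effectiveness), range 0..125.
All assets, scenarios and ratings below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional

LEVELS = ("low", "medium", "high", "critical")  # ordered least to most severe


@dataclass(frozen=True)
class Asset:
    """Phase 2 output: an inventory item rated by its criticality to business objectives."""
    name: str
    kind: str            # "record", "equipment" or "personnel"
    objective: str       # business objective the asset supports
    criticality: int     # 1 (negligible) .. 5 (business-critical)


@dataclass(frozen=True)
class Risk:
    """Phase 3 input: a scenario against an asset and how well current controls address it."""
    asset: Asset
    scenario: str
    likelihood: int                # 1 (rare) .. 5 (almost certain)
    impact: int                    # 1 (minor) .. 5 (severe)
    control_effectiveness: float   # 0.0 (no control) .. 1.0 (fully effective)


def residual_score(risk: Risk, effectiveness: Optional[float] = None) -> float:
    """Score the risk remaining after existing controls, or after a proposed level of control."""
    eff = risk.control_effectiveness if effectiveness is None else effectiveness
    if not 0.0 <= eff <= 1.0:
        raise ValueError("control effectiveness must be between 0 and 1")
    return round(risk.asset.criticality * risk.likelihood * risk.impact * (1.0 - eff), 2)


def risk_level(score: float) -> str:
    """Map a numeric score onto qualitative bands (thresholds are assumed for the example)."""
    if score >= 60:
        return "critical"
    if score >= 30:
        return "high"
    if score >= 12:
        return "medium"
    return "low"


def build_register(risks: list) -> list:
    """Phase 3 output: every risk scored and ordered from most to least severe."""
    rows = []
    for r in risks:
        score = residual_score(r)
        rows.append({"asset": r.asset.name, "scenario": r.scenario,
                     "objective": r.asset.objective,
                     "residual": score, "level": risk_level(score)})
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


def treatment_plan(risks: list, appetite: str = "medium",
                   target_effectiveness: float = 0.8) -> list:
    """Phase 4 output: risks above the accepted level, with the score expected once treated.

    Risks at or below the appetite band are accepted and monitored; the rest get a
    measure whose target control effectiveness is assumed to be reached.
    """
    ceiling = LEVELS.index(appetite)
    plan = []
    for r in risks:
        before = residual_score(r)
        if LEVELS.index(risk_level(before)) <= ceiling:
            continue  # within appetite: no new measure required
        after = residual_score(r, target_effectiveness)
        plan.append({"asset": r.asset.name, "scenario": r.scenario,
                     "residual_before": before, "residual_after": after,
                     "level_after": risk_level(after)})
    return sorted(plan, key=lambda row: row["residual_before"], reverse=True)


# Constructed sample inventory (phase 2) and risk scenarios (phase 3).
CARD_DB = Asset("cardholder database", "record", "process customer payments (PCI scope)", 5)
LAPTOPS = Asset("finance laptops", "equipment", "run payroll on schedule", 3)
ADMIN = Asset("sole systems administrator", "personnel", "keep production services available", 4)
PRINTERS = Asset("office printers", "equipment", "day-to-day office operations", 1)

SAMPLE_RISKS = [
    Risk(CARD_DB, "unauthorized disclosure of cardholder data", 3, 5, 0.5),
    Risk(LAPTOPS, "loss of a laptop holding unencrypted payroll files", 4, 3, 0.0),
    Risk(ADMIN, "key-person unavailability with no documented handover", 2, 4, 0.25),
    Risk(PRINTERS, "printer outage", 3, 2, 0.5),
]

if __name__ == "__main__":
    print("Risk register:")
    for row in build_register(SAMPLE_RISKS):
        print(f"  {row['level']:<8} {row['residual']:>6}  {row['asset']}: {row['scenario']}")
    print("Treatment plan (appetite: medium):")
    for row in treatment_plan(SAMPLE_RISKS):
        print(f"  {row['asset']}: {row['residual_before']} -> {row['residual_after']} "
              f"({row['level_after']})")
```

Running the script prints the register ordered by residual score and a treatment plan containing only the two "high" risks; the printer outage and the key-person risk sit within the assumed appetite and are accepted. Changing `appetite` to `"low"` pulls the key-person risk into the plan, which is the knob an organization turns when its tolerance for a given business objective is lower than the default.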

We strive to provide guidance that is relevant and actionable. Our assessments will provide you with a clear road map for improving your information security program in a manner that will provide measurable results. We make ourselves available before, during, and after assessment activities to ensure that your organization is able to realize the full value of our deliverable.