Use case: Cyber risk

Managing cyber security risk

The massive opportunities that digital technologies, devices, and media bring to a business are counterbalanced by a growing array of associated risks. With long-established businesses engaging in complex digital transformation projects, and new business entrants adopting cyber-only strategies, organisations of every size and sector are increasingly exposed to this class of risk.

According to the Institute of Risk Management (IRM), ‘cyber risk’ means any risk of financial loss, disruption or damage to the reputation of an organisation from some sort of failure of its information technology systems. Cyber risk is never an issue purely for the IT team. An organisation's risk management function needs a detailed understanding of this ever-evolving category of risk, as well as the tools and methods available to mitigate the risks within it.

Information security controls are constantly evolving to address new threat sources, with organisations increasingly needing to focus on emerging areas such as:

• Effective supply chain controls
• Business use of cloud services
• Use of social media

Without a systematic approach to identifying the cyber risks faced by your business, there’s a high likelihood of overlooking threats that can cause significant damage. This is why so many best-practice frameworks, standards and laws – including the GDPR (General Data Protection Regulation) – require risk assessments to be conducted.

The international standard ISO 27001 specifies the requirements for an Information Security Management System (ISMS) and is one of the most widely adopted such standards worldwide. ISO 27001 defines a risk-based approach to managing information security that encompasses people, processes and technology. In the US, the NIST Cybersecurity Framework (CSF) meets similar objectives to ISO 27001, but it is a voluntary framework used for self-assessment rather than a standard an organisation is certified against. Following an established framework such as these will help your business, large or small, develop a stronger information security system.

RISKGRID underpins all stages of a cyber risk assessment – recording and collating the various information assets that could be affected by a cyberattack and aiding categorisation of the various risks that could affect those assets. The risk mapping engine of RISKGRID allows you to adopt a systematic approach to cyber risk estimation and evaluation, tracking improvements to risk exposure as controls are adopted to treat identified risks. Using RISKGRID helps satisfy a core requirement of ISO 27001 that repeated risk assessments “produce consistent, valid and comparable results”.

ISO 27001 and NIST CSF align on the importance of “monitoring and review” as essential to a risk management process. RISKGRID supports this critical aspect by allowing incidents to be recorded, collated, and associated with plans to reduce residual risks and track ongoing improvements. This allows continual monitoring and review of the risk environment rather than being dependent only on periodic reviews.

Sign up to RISKGRID for free