What information does your organization hold? Who has access to which information? Through which routes is this information distributed? What risks does this present to your organization? And what can you do to mitigate them? These are just a few of the questions you need to have answered. All this is vitally important, because a data breach can have enormous consequences. At the same time, customers increasingly demand that organizations be able to demonstrate that their information security is up to scratch. A risk analysis is an essential part of setting up and designing your information security. In this blog you will find the answers to the following questions:
- Why perform a risk analysis for information security?
- Which certifications are useful for your organization?
- What else should you know about ISO-27001?
Why perform an information security risk analysis?
The best-known information security standard is ISO-27001. A risk analysis is a first step towards certification. That’s because controlling any possible risks forms the basis for information security.
First you choose a method for the risk analysis. Possible methods include SPRINT, CRAMM and MAPGOOD; you use the chosen method to perform the analysis and show where the risks lie. Then you determine which measures you will take, and you document this. Finally you prepare a Statement of Applicability (SoA). This comprehensive document contains around a hundred control measures that mitigate risks. All this is an intensive process, but it does add value, because the SoA establishes the connection between the risks identified in the risk analysis, the control measures from the standard, and the measures your organization has actually taken.
Which certifications are useful for your organization?
Alongside ISO-27001, there are several other information security certifications. These also require a risk analysis. Among other things you can engage DEKRA for: