SmartThink™ LLC specialises in IT governance, risk management and compliance solutions, with a special focus on cyber resilience, data protection, the GDPR, the Payment Card Industry Data Security Standard (PCI DSS), ISO 27001 and cyber security.

Why carry out a cyber security risk assessment?

Application security is the process of making apps more secure by finding, fixing, and enhancing the security of apps. Much of this happens during the development phase, but it includes tools and methods to protect apps once they are deployed. This is becoming more important as hackers increasingly target applications with their attacks.

Application security is getting a lot of attention. Hundreds of tools are available to secure various elements of your applications portfolio, from locking down coding changes to assessing inadvertent coding threats, evaluating encryption options and auditing permissions and access rights. There are specialized tools for mobile apps, for network-based apps, and for firewalls designed especially for web applications.

What does a cyber security risk assessment include?

A cyber security risk assessment identifies the various information assets that could be affected by a cyber attack (such as hardware, systems, laptops, customer data and intellectual property), and then identifies the various risks that could affect those assets. A risk estimation and evaluation is usually performed, followed by the selection of controls to treat the identified risks. It is important to continually monitor and review the risk environment to detect any changes in the context of the organisation, and to maintain an overview of the complete risk management process.

ISO 27001 and cyber risks

The international standard ISO/IEC 27001:2013 (ISO 27001) provides the specifications of a best-practice ISMS (information security management system) – a risk-based approach to corporate information security risk management that addresses people, processes and technology.

Clause 6.1.2 of the standard sets out the requirements of the information security risk assessment process. Organisations must:

Establish and maintain certain information security risk criteria.
Ensure that repeated risk assessments “produce consistent, valid and comparable results”.
Identify “risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system”, and identify the owners of those risks.
Analyse and evaluate information security risks, according to the criteria established earlier.

It is important that organisations “retain documented information about the information security risk assessment process” so that they can demonstrate that they comply with these requirements. They will also need to follow a number of steps – and create relevant documentation – as part of the information security risk treatment process.