Information Security Risk Management: A Step-by-step Guide to a Clear Process

Information security risk management is a fundamental part of any successful cybersecurity strategy.

At its core, information security risk management is the process of identifying, evaluating, treating and monitoring risks. Goal is to have a clear process that leads to finding the biggest risks, and using own resources efficiently to decrease them.

The process boils down to four key steps: identification, evaluation, treatment and monitoring. First you identify what you're up against. Then you analyze the risks (especially their likelihood and impact) to get them in a prioritized order. Then you decide on the treatment for a controllable amount of highest risks, which usually means the additional security measures to lower the risk's likelihood or impact. Once the actions have been implemented, these risks are treated for now. You might still want to evaluate the residual risk and then move on to treat next highest level risks.

When put like this, the process might not sound too daunting. But in an organization, there's many point-of-views to take into account: many different kinds of risks, different key assets you might want to identify risks specifically for, or different teams of people to involve in the process.

We'll next dive deeper into key success factors in these risk management process steps. Remember, a well-implemented risk management process can greatly reduce the likelihood and impact of a major security breach.

What are some examples of information security risks?

Information security risks come in many shapes and forms. In one way or another, they compromise the confidentiality, integrity, and availability of organization's information assets. Here are some common examples:

• Data system related risks: For example ransomware attacks, account takeover attacks e.g. due to poor password practices, uncontrolled access management practices or technical vulnerabilities.  
• Remote work and mobile device related risks: These can range from man-in-the-middle attacks, to lost devices or eavesdropping.
• Personnel related risks: Examples include threat actor infiltration to peronnel, roque ex-employees, human errors by unaware employees or data leakages through insiders.
• Physical security risks: For example vandalism, theft, physical unauthorized access to critical equipment or failure of access control in general.
• Incident related risks: These can range from slow reacting to security incidents, technical vulnerabilities company is unaware of, sanctions through unreported security breaches.
• Development related risks: Examples include unmanaged or identified technical vulnerabilities, uncontrolled third party dependencies,
• Partner related risks: For example partner-related downtime in our processes, supply chain attacks, inadequate monitoring of critical partner's security capabilities, partner continuity issues (e.g. bankruptcy).  
• Email and phishing related risks: These can range from general phishing attacks to spear phishing, account takeover, password leaks through unnoticed data breaches and business-email-compromise representing our key personnel.
• Technical cyber security risks: Examples include missing security updates, inadequate logging and inability to investigate breaches, uncontrolled changes to services, destruction of backups.
• Privacy related risks: For example unclear privacy communication, penalties for inadequate protection of personal data, investigations based on data subject complaints, penalties for inadequate data protection reporting.  

Addressing these risks requires a comprehensive information security program that includes technical, organizational, and people measures. Measures should be continuously updated to respond to evolving threat landscape.

Pre-steps: What kind of information security work should be done before diving into risks?

This initial step in risk management is all about thinking what could potentially go wrong. You need to think about potential threats and related vulnerabilities that could jeopardize your information security.

Pre-step: Identify and document your information assets

As an integral first step in information security risk management, you need to clearly identify and document your information assets. These include valuable data and documents (e.g. customer records, employee details, financial information, intellectual property) and the software assets used for handling those (e.g. CRM systems, HR systems, production systems, ERP systems). But recall, it's not just about digital data. Physical sites (e.g. offices, data centers,) and physical assets (e.g. servers, computers and other important hardware) that give access to this digital data are also important.

Along with assets it's crucial to understand the stakeholders needed in managing them. How are e.g. important data system providers or processors of personal data? Also your own employees, especially different units with important data processing responsibilities, are important assets for your organization's information security.

Finally, documenting the assets in clearly organized manner will streamline your risk management process. This documentation should be dynamic – updated as new assets are added or old ones are retired. Some organizations also continue to mapping the locations and flows of information to help uncover potential vulnerabilities, but this gets already a bit more advanced.

Pre-step: Identify and document your current security measures

For successful information security risk management, you need to understand what you are protecting (the assets) and how you're currently implementing the protection (security measures).

Your current security measures will most certainly include technical measures like intrusion detection or endpoint protection software, organizational measures like company policies on password strength and granting user access rights, and people measures like rules for secure remote work or mobile device use. Before you take a comprehensive look at all safeguards currently in place, you can't successfully evaluate and compare risks to oneanother.

Documenting your assets and current security measures creates the basis for your ISMS (information security management system). When doing this, you can already spot some default best practices missing, which you can fix already without going through the risk management process. But after you have your current measures inventoried and documented and you're relatively happy with them, then you'll get most out from the robust risk management process in improving even further.

Understanding where your cybersecurity stands today is a critical step in building a more resilient tomorrow.

Step 1: Identify risks - what kind of events could harm us?

This initial step in risk management is all about thinking what could potentially go wrong. You need to think about potential threats and related vulnerabilities that could jeopardize your information security.

Information security risks come in many shapes and you can certainly use example lists to assist your thinking. Technical vulnerabilities in code, rogue ex-employees or poorly managed partner companies are different, but all relevant sources for information security risk.

Both technical and organizational knowledge are important for identifying risks. Keeping an eye on current security news is also one way to keep uptodate on latest threat vectors and see what kind of risks have been realized in neighbouring companies.

Challenges often arise due to the dynamic nature of both technology and threats, as well as complexities of the systems. However, systematic risk identification lays the groundwork for the next steps of risk evaluation and treatment. It's a process you need to keep running for a while to find the best ways that work on your organization.

Tips for successful risk identification:

• Define the used risk identification methods. Are you having workshops? Are you using example risk lists? Are you using automated risk idenfitication tools? Are you doing penetration testing? Or how do you ensure, a reasonable amount of relevant information security risks is continuously identified?
• Define the used point-of-views. Are you identifying risks generally from the whole organization's point-of-view? Or are you taking an asset-based perspective to identify risks from the point-of-view of e.g. a single data system, process or change? Both approached are valid and should often be combined for best results.
• Focus on quality, not quantity. Key benefit of risk identification is better understanding of your security environment. It might be beneficial to identify also risks that are not too severe or likely, but not tons of them. In the next steps you will anyway focus on the most urgent risks first. You can identify more risks later anyway. Too many open risks just get your process stuck.

Smart ISMS tools can automatically identify some general risks and even order than according to your measures

Step 2: Evaluate risks to get them prioritized properly

Risk evaluation puts identified risks in an order. Evaluation means finding clear values for the impact and likelihood of the risk and thus finding out the risk level. For each risk you should examine potential risk scenarios, their likelihood, and potential impact.

The point is to find out which are the urgent risks to focus on right now. Only with the highest priority risks it's smart to continue to the next steps about treatment, i.e. defining mitigating measures to lower risk impact or likelihood.

To analyze and determine the risk likelihood value, you should be thinking about the potential incident scenarios leading to the realization of the risk. By listing the scenarios you ultimately be able to determine e.g. estimate the probability (%) of the risk happening in a year and then turn it into a risk value (e.g. 10% = moderate).

Aspects like the related activity being very rare, good existing security controls or comprehensive guidance for related employees could make the risk less likely in your evaluations.

To analyze and determine the risk impact value, you should be thinking about the consequences of the risk. Risk impact should be seen broadly - it can inlude financial impacts, reputational damages, legal consequences, interruptions of services and thus lost business or lost competitive advantage (and sometimes even direct threats to people's health). By thinking through different consequences you should be able to estimate monetary impact (€) of the risk and then turn it into a risk value (e.g. 100k€ can equal high in some organizations).

Aspects like small amount of related assets, the related activity having only a limited significance for your organization or strong existing security controls could lower the risk impact in your evaluations.

Tips for successful risk evaluation:

• Be very clear with evaluation scales. Are you using a scale of 1-3? Or 1-5? Or finer values? Whichever you choose, the key thing is that every participant needs to understand in detail, what it means if risk impact is 2 - Low, or 5 - Critical. You need to write clear descriptions for different levels. Low impact might mean under 20k€ damages for some organization, high likelihood that the risk is estimated to occur once every 2 years.
• Define acceptable risk level. Usually risk level = impact x likelihood. By setting an acceptable risk level (e.g. 8), you help focus on your risk work. If you're using time to evaluate or even discuss a risk that's anyway under the acceptable risk level, then you're basically not doing things smart.

Step 3: Treating the biggest risks - how to lower their level?

After first 2 steps, you should have created a clearly prioritized list of different information security risks. During risk treatment you plan and implement measures to lower the highest risks. Some risks you might be able to share or eliminate, but usually in information security you're deploying some kind of new protections to reduce the impact or likelihood of the risk.

In more concrete terms, treating a certain risk might involve creating better organizational controls (e.g. clearer monitoring processes, stricter contracts, guidelines for employees), implementing better technological protections (e.g. encryption software, alarm systems, vulnerability scanning) or improving guidelines and instructions for employees (e.g. about remote work, password usage, personal data processing).

Creating the treatment plans for risks can benefit from collaboration and expertise from multiple areas. Your task is to find the best way to bring down the risk level with the minimum needed investment.

Tips for successful risk evaluation:

• Define your limit for "risks in treatment". Every organization has limited resources for information security. According to the broadness of your activities you should be setting yourself some limits. You can have e.g. max. 10 risks in treatment at a time. Then you can revisit those risks regularly and focus on completing the treatment. Then you move on to treat next risks. This is the way to keep the process clear and systematic.
• Revisit "risks in treatment" regularly. If you have a monthly risk management workshop, what do you do first? You should probably visit the risks that have treatment plans already. Have they been carried out? If some of them have, it's time to pull more risks into treatment from top of the evaluation pile.

Step 4: Best practices for risk monitoring

Through the first three vital steps in information security risk management you've basically done a major part of the work.

The point in risk monitoring is to ensure, that you get back to relevant risks with selected intervals. Things change - either around your organization or inside it. Cyber security threats evolve, new regulations come up and you might make big organizational changes (e.g. add a lot of new personnel, launch new products, etc.). These kinds of changes may need to affect your risk evaluations.

When a risk changes significantly, it might no longer be within acceptable boundaries. This is also tightly related to residual risk evaluation.

Residual risk refers to the risk remaining after risk treatment has been applied. So the risk is basically re-evaluated according to the same criteria as before treatment. Evaluating this residual risk ensures that you're aware of the remaining risk, although it has basically been accepted.

• Understand biggest residual risks. Communicating biggest residual risks for organization's top management or other stakeholders might be relevant. This way you can openly highlight, that risks have been identified and actions have been made, but e.g. with current resources noticeable risks are still remaining.
• Automate risk monitoring. Smart tools can offer features like yearly reminders for risk owners, to either confirm easily that no significant changes related to the risk have happened, or update evaluations and bring the risk back to active steps, if it is no longer in an acceptable level.

Special: Connecting asset-based risk identification to general risk assessment

Your key assets refer to the most important components in your organization's data processing environment. They're the core that you're trying to keep safe with your security measures. Some examples of key assets include e.g.:

• Key data stores: Undoubtedly one of the most valuable assets an organization possesses. It can be anything from sensitive user information, databases full of customer-owner data, product details, financial statistics, or proprietary research.
• Key data systems / software: The applications and systems that keep your processes running. Valuable software could include customer relationship management tools, database systems, or custom-built applications.
• Key processes: Your processes need to keep running to ensure business continuity.
• Key partners: Irreplaceable partners, whose problems also would prevent the continuity of your operations.
• Key sites: Your physical locations which are essential for running your operations.

Utilizing asset-based risk identification in connection with more general risk assessments is a great way for getting even better results out from your risk management efforts.

Asset-based risk identification will help you:

• Delegate responsibility of risk identification and assessment to asset owners
• Identify more detailed risks, which are often also more straighforward to treat
  
• Ensure the point-of-views of any key assets are not forgotten when carrying out risk assessments

Smart ISMS systems can force your key asset owners to go through risk identification workflows.

Conclusion

In any robust information security program, systematic risk management is one way for continuously improving the information security. By adopting a structured approach to identifying, evaluating, treating, and monitoring your organization's information security risks, you're well-positioned for success.

From our discussions of risk identification, risk evaluation, to risk treatment and monitoring, you've learned that this process is a cycle, not a one-time effort. By continuously reassessing your security posture using the risks, your organization will always be ready for whatever risk comes next.

You shouldn't dive straight into risk management though. Documentation of your information assets and current defenses forms a foundation for effective risk management. Involvement of key stakeholders, open communication, robust analytics, and effective collaboration are also elements that make up the successful risk management program.

Information security is not a luxury - it's a necessity. The time to build a robust process for managing your organization's information security risks is now.

‍