Compliance for virtually all governance, risk and compliance frameworks
An Information Security Threat & Risk Assessment is the first and most crucial step in information security risk management. It is the process of defining, locating and categorising the information assets associated with your business, determining the security threats and vulnerabilities associated with those assets, and mitigating those threats in line with your business goals. It identifies exactly what your business needs to protect, where it is located and why you need to protect it, in real cost-impact terms that everyone can understand.
Everything else follows from conducting this assessment. If you are security testing your systems without having conducted a threat assessment, you are wasting your time and money, because the objective of any security test should be to gain access to the information you are trying to protect.
The outcome provides clear security objectives for your architecture, policies, procedures, employees, testing, incident response and business continuity planning, and should serve as the yardstick for your budgeting.
Conducting Information Security Threat & Risk Assessments is an internationally recognised best practice and is required for compliance with virtually all governance, risk and compliance frameworks.
An Information Security Threat & Risk Assessment should be conducted at least annually or after any significant change to your systems or business processes.
- Provide an information asset register for completion by your business stakeholders.
- Confirm your business-specific information assets, their location and value.
- Conduct a network security vulnerability scan of your systems.
- Identify and quantify security threats to your business information assets.