Risk assessments are essential for GDPR compliance

Any organisation within the scope of the GDPR (General Data Protection Regulation) must conduct regular risk assessments.

This is the only way that you can be sure that you’re properly identified potential security incidents and that your defences measures are appropriate.

DevOps Connect:DevSecOps @ RSAC 2022

What is a risk assessment?

A risk assessment is the process of identifying, analysing and evaluating threats and vulnerabilities. In an information security context, risk assessments are crucial for working out the ways cyber criminals and employees might compromise sensitive information.

The best practices for information security risk assessments are outlined in ISO 27001, the international standard for an ISMS (information security management system).

The Standard instructs organisations to identify every area in which an organisation holds sensitive data and determine the ways it might be compromised. The organisation must then assign each risk a score based on how likely the threat is to occur and how damaging it will be.

The results of the risk assessment determine how the organisation should proceed with its defence measures. For example, threats with the highest score become organisational priorities that need to be addressed urgently, whereas those with lower risks can generally be tolerated.

How risk assessments help you achieve GDPR compliance

Risk assessments are a core component of the GDPR. Article 32 of the Regulation states that organisations must implement “technical and organisational measures to ensure a level of security appropriate to the risk”.

To do that, you need to know what your risks are and how severe the threat is.

Following ISO 27001’s framework will help you identify the most appropriate solutions for mitigating risk and ensure that you meet the GDPR’s requirements to:

  • Safeguard the confidentiality, integrity, availability and resilience of processing systems and services;
  • Quickly restore the availability of and access to personal data after a data breach; and
  • Regularly test the effectiveness of technical and organisational measures for safeguarding the security of processing.

People, processes and technology

An ISO 27001-compliant ISMS presents a holistic approach to information security, providing protection on three levels: people, processes and technology.

This means that organisations are equipped to defend themselves whether the risks are from negligent or malicious employees, ineffective procedures or malware and system vulnerabilities.

Supported by top leadership, an ISO 27001-compliant ISMS is incorporated into your organisation’s culture and strategy, and is continually monitored, updated and reviewed.

This continual improvement process ensures that organisations are prepared for changes in the cyber threat landscape and inside the organisation. After all, cyber criminals’ most common methods of attack are always evolving and changes to the way your organisation operates might expose you to vulnerabilities.

Risk assessments made easy

Conducting a risk assessment is a tricky task, and mistakes could affect the long-term security of your organisation.

That’s why we recommend using vsRisk Cloud. This risk assessment software tool helps organisations conduct information security risk assessments efficiently and easily, eliminating the need for spreadsheets, which are prone to user input errors and can be difficult to set up and maintain.

The software tool is:

  • Easy to use. The process is as simple as selecting some options and clicking a few buttons.
  • Able to generate audit reports. Documents such as the Statement of Applicability and risk treatment plan can be exported, edited and shared across the business and with auditors.
  • Geared for repeatability. The assessment process is delivered consistently year after year (or whenever circumstances change).
  • Streamlined and accurate. Drastically reduces the chance of human error.




*** This is a Security Bloggers Network syndicated blog from Vigilant Software Blog authored by Nicholas King. Read the original post at: