How to write an information security risk assessment methodology

by Luke Irwin on March 23, 2020

The purpose of an information security risk assessment is to prioritise threats so that you can allocate time and resources appropriately.

To do that, you need a way of calculating the severity of these threats; that’s where the information security risk assessment methodology comes in.

A methodology enables organisations to measure risks consistently across the business, avoiding biases and ensuring that every department is treated equally.

How does a risk assessment methodology work?

Information security risk assessment methodologies are designed to make sure that everyone responsible for assessing the organisation produces easily comparable results.

At its core, it states exactly how risks are defined – i.e. whether you document your findings qualitatively and quantitatively. If you opt for the latter, the methodology should include a guide that helps assessors calculate the scale of the risk.

Sponsorships Available

Methodologies also outline an organisation’s:

Baseline security criteria: the minimum set of defences to fend off risks;
Risk scale: a universal way of quantifying risk;
Risk appetite: the level of risk the organisation is willing to accept; and
Scenario- or asset-based risk management: the strategies to reduce the damage caused by certain incidents or that can be caused to certain parts of the organisation.

Two types of methodology

Organisations can choose one of two approaches for their risk assessment: asset-based or scenario-based.

With an asset-based risk assessment, organisations begin with a list of assets – such as digital files, databases and physical documents – and outline all the ways they could be compromised.

A scenario-based risk assessment takes the opposite approach. You’ll start by creating a list of ways that security incidents might occur and then follow the damage through your organisation, highlighting vulnerable parts of your organisations.

Although each approach has its merits – and ISO 27001, the international standard that describes best practice for information security, doesn’t advise one way or the other – an asset-based approach is generally the preferred option.

Writing an asset-based risk assessment methodology

If you opt for an asset-based risk assessment methodology, your first task is to produce an asset register – i.e. a list of locations that house sensitive data and the types of information that are kept there.

You can get this information by talking with asset owners – the individual or entity responsible for controlling the development, maintenance, use and security of that information.

Once you’ve produced the asset register, the next step is to identify and analyse vulnerabilities that could expose sensitive information.

The analysis should be based upon the confidentiality, integrity and availability of data, and take into account the likelihood of a breach and the impact that a security incident might cause.

A key part of the risk assessment involves scoring risks based on the likelihood that they will occur and the damage they will cause.

You should also consider the business, legal, contractual and regulatory implications of risks, including the cost of replacing the asset, the potential loss of income, fines and reputational damage.

How to get started

For more guidance on completing your risk assessment process, take a look at vsRisk Cloud. This software package provides a simple and fast way to create your risk assessment methodology and deliver repeatable, consistent assessments year after year.

Its asset library assigns organisational roles to each asset group, applying relevant potential threats and risks by default.

Meanwhile, its integrated risk, vulnerability and threat databases eliminate the need to compile a list of risks, and the built-in control sets help you comply with multiple frameworks.