Top 10 risks to include in an information security risk assessment

An ISO 27001 risk assessment should have five key steps. In this blog, we look at the second step in the process: identifying the risks that organisations face. How to identify threats: you must determine which threats can compromise the confidentiality, integrity and availability of each of the assets within the scope ...

How to produce a risk treatment plan

The risk treatment plan is one of the mandatory documents that must be produced as part of a certified ISO 27001 ISMS (information security management system). It provides a summary of each of the identified risks, the responses that have been designed for each risk, the parties responsible for those ...
Risk terminology: Understanding assets, threats and vulnerabilities

Whether you’re addressing cyber security on your own, following ISO 27001 or using the guidance outlined in the GDPR (General Data Protection Regulation), the process begins by assessing the risks you face. You might have a broad idea of what a risk is, but did you know there’s a specific ...

GDPR data mapping tutorial: tips, tricks and techniques

Category: Data Mapping
A data flow map is a diagram that shows how sensitive information moves between one part of your organisation and another. For example, you might collect user information through a survey, which is then funnelled into a database used by your marketing team. If the data subject becomes a customer, ...
ISO 27001: What’s the difference between a risk owner and an asset owner?

Category: ISO 27001
The latest iteration of ISO 27001 introduced the concept of risk owners in addition to asset owners. This strengthened the Standard’s stance that organisations must appoint people to take accountability for specific aspects of information security. But what exactly are risk and asset owners? We explain both terms in this ...

ISO 27001: Understanding the needs and expectations of interested parties

Category: ISO 27001
Clause 4.2 of ISO 27001 details the needs and expectations of interested parties. An interested party is essentially a stakeholder – an individual or a group of people affected by your organisation’s information security activities. To identify your interested parties, ask yourself who is important for your organisation, who is ...
How to choose the right strategy for ISO 27001 risk management

Category: ISO 27001
ISO 27001 is designed to help organisations identify the right approach to take when managing risks. You can’t apply defences to every threat you face, because that would be impractical and prohibitively expensive, so you need to determine when mitigation is the right strategy and when other risks can be ...
How to write an information security risk assessment methodology

A key part of the risk assessment involves scoring risks based on the likelihood that they will occur and the damage they will cause.

The purpose of an information security risk assessment is to prioritise threats so that you can allocate time and resources appropriately. To do that, you need a way of calculating the severity of these threats; that’s where the information security risk assessment methodology comes in. A methodology enables organisations to ...
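The two teasers above (choosing a treatment strategy, and scoring risks by likelihood and impact) describe the mechanics of a risk assessment methodology without showing one in operation. The following is an added example, not code from the original page or from the blog's author: a minimal risk register scorer that rates each asset/threat/vulnerability triple on assumed 1-5 likelihood and impact scales, ranks the risks by likelihood x impact, and assigns a treatment option against an assumed risk acceptance criterion. The scales, the acceptance threshold, the transfer rule and the sample risks are all illustrative assumptions; a real ISMS would define them in its own methodology document.

```python
"""Added example (not from the original page): a minimal ISO 27001-style
risk register scorer.  All scales, thresholds and sample risks below are
assumptions made up for illustration."""

from dataclasses import dataclass

# Assumed 1-5 ordinal scales for likelihood and impact.
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}

# Assumed risk acceptance criterion: scores at or below this are accepted as-is.
ACCEPTANCE_THRESHOLD = 6


@dataclass
class Risk:
    """One row of the risk register: the asset, the threat that could
    harm it, the vulnerability the threat exploits, the two ratings and
    the person accountable for the risk (the risk owner)."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    risk_owner: str

    def score(self) -> int:
        """Risk score = likelihood x impact on the assumed scales.
        Ratings outside the scale are rejected rather than silently
        scored, so a typo cannot push a risk into the accepted band."""
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError("likelihood and impact must be on the 1-5 scale")
        return self.likelihood * self.impact


def treatment(risk: Risk, threshold: int = ACCEPTANCE_THRESHOLD) -> str:
    """Map a scored risk to one of the ISO 27001 treatment options.

    Assumed decision rules:
    - rare-but-severe events (impact >= 4, likelihood <= 2) are flagged
      for transfer (insurance or contractual allocation), checked before
      the acceptance test so a low product score does not hide them;
    - anything at or below the acceptance threshold is accepted;
    - everything else is mitigated with controls.
    'Avoid' (stopping the activity) needs a business decision and is
    not derived automatically here."""
    if risk.impact >= 4 and risk.likelihood <= 2:
        return "transfer"
    if risk.score() <= threshold:
        return "accept"
    return "mitigate"


def rank(register: list[Risk]) -> list[Risk]:
    """Order the register highest score first, so time and budget go to
    the most severe risks; ties are broken by impact."""
    return sorted(register, key=lambda r: (r.score(), r.impact), reverse=True)


def sample_register() -> list[Risk]:
    """Constructed sample data, not taken from any real assessment."""
    return [
        Risk("customer database", "ransomware", "unpatched file server", 4, 5, "IT manager"),
        Risk("office laptops", "theft", "no full-disk encryption", 3, 3, "IT manager"),
        Risk("marketing survey data", "accidental disclosure", "spreadsheet shared by open link", 2, 2, "Marketing lead"),
        Risk("data centre", "flooding", "site on a flood plain", 1, 5, "Facilities manager"),
    ]


if __name__ == "__main__":
    for r in rank(sample_register()):
        print(f"{r.score():>2}  {treatment(r):<9} {r.asset} / {r.threat} (owner: {r.risk_owner})")
```

Running the block prints the register ranked by score with a treatment option beside each row; the flooding risk scores only 5 but is routed to "transfer" rather than "accept" because the transfer rule is evaluated before the acceptance threshold.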
Managing risks according to Clause 6 of ISO 27001

Category: Latest news
Clause 6 of ISO 27001 is one of the most important aspects for compliance, as it covers the actions you must take to address information security risks. Everything else you do to meet the Standard’s requirements informs or revolves around the steps you take here. Mistakes at this stage could ...

Monthly cyber security review: December 2019

Category: Latest news
We’re back with another round-up of some of the most notable information security stories of the past month. In this edition, we discuss a hospital employee who abused their power to contact patients, an update on last year’s Ticketmaster data breach and an upsetting incident at a Scottish high school ...