Managing Information Security Risks
Information security risk management is the process of working out where information could be lost, leaked, stolen or made unavailable, deciding what to do about it, and keeping track of those decisions over time.
If an organisation is pursuing ISO 27001 certification, the standard formalises the approach it must take and stipulates how information security risks should be identified and treated, but the underlying logic is the same for any business that takes its information seriously.
The process involves a few stages: identifying risks, assessing them, deciding how to treat them, recording the controls and reviewing the whole picture on an ongoing basis. None of it has to be elaborate. A spreadsheet, kept current, will satisfy most companies (and, if they are audited, most auditors too) and is easier to actually use than a complex tool that nobody opens.
Identifying Information Security Risks
The first step is to look across the business and ask where information lives, who has access to it and what could go wrong. The scope is wider than most people initially expect - it includes IT systems, cloud services, mobile devices, email and messaging, paper records, premises access, suppliers and contractors, and the people who work in the organisation.
A useful starting point is to list the categories of information the business handles - personal data, customer data, commercial information, intellectual property, financial records, operational data - and then think about the threats that apply to each. Common categories of risk include phishing and social engineering, malware and ransomware, lost or stolen devices, cloud service failures, supplier compromise, insider misuse, and physical theft.
For each risk, the practical thing to capture is what the threat is, what the consequences would be, and which aspect of the information is at stake - confidentiality, integrity, availability, or some combination of the three.
Assessing Information Security Risks
Once a risk has been identified, the next step is to rate it. The two factors are how likely it is to happen and how harmful the consequences would be if it did. Combining the two gives a risk rating - tolerable, moderate or substantial in our scoring - which tells you where to focus attention and resources.
This is initially the inherent risk - the rating before any controls are taken into account. Most risks will be rated higher at this stage than they end up being, which is the point. The gap between inherent and residual risk is where the controls do their work.
Treating Information Security Risks
There are four practical options for treating a risk: reduce it by adding controls, transfer it to someone else (typically through insurance or by outsourcing the activity to a specialist), avoid it by stopping the activity altogether, or accept it as it is. Most operational information security risks are reduced through controls. Transfer is common for website hosting and cloud services. Avoidance is rare in practice. Acceptance is appropriate for low-rated risks where adding more controls would cost more than the risk is worth.
Whatever route is chosen, the rationale should be recorded. Auditors will accept that a risk has been accepted - they will not accept that no decision has been made.
For organisations working towards ISO 27001, each risk also needs to be linked to the relevant Annex A controls in the Statement of Applicability. The Statement of Applicability records which of the 93 controls in Annex A apply to the organisation and which do not, with a justification for each. The risk register and the Statement of Applicability work together - the risks drive which controls are needed, and the controls evidence how the risks are managed.
Residual Risk and Risk Owners
After controls have been applied, what is left is the residual risk. This is the risk the business is actually living with, and it is what the rating in the register should ultimately reflect. If the residual risk is still substantial, that is a signal that more controls are needed or that the activity needs to be reconsidered.
Each risk should have a named owner - the person responsible for the controls being in place and working. For information security risks the owner is often the IT manager, the information security lead, the data protection officer for personal data risks, or the managing director for high-level strategic risks. Risk owners do not have to be the people who carry out the controls, but they are the ones accountable for them.
Monitoring and Reviewing Information Security Risks
The risk register is a live document. It should be reviewed when something changes - new systems, new suppliers, new types of work, an incident, a near miss, a change in legislation - and on a regular schedule even when nothing obvious has changed. Most organisations review the register at least annually as part of management review, with more frequent review of higher-rated risks.
Threat intelligence feeds into this. The National Cyber Security Centre publishes regular guidance on emerging threats, and most organisations subscribe to alerts from their anti-malware vendor or managed service provider. Internal sources matter too - incident reports, audit findings and worker feedback all surface risks that need to be added to the register.
The risk register is the single most useful document in an information security management system. If you only have one thing, have this. It tells you what you are protecting, what you are protecting it from, what you are doing about it and who is responsible.
When I audit information security risk management I look at three things. Has the organisation identified the risks that genuinely apply to it, including the obvious ones like phishing and ransomware? Has each risk been rated, treated and given an owner? And does the register link to the controls that are actually in place, particularly the Annex A controls if they are pursuing certification?
I also check whether the register has been reviewed recently. A register that has not been touched in eighteen months tells me the management system is not really being used.
We rebuilt our register about two years ago after a near miss with a phishing email that nearly went somewhere it should not have. We had a register before that, but it was generic and not really ours. Going through it risk by risk and asking what could actually happen here made it much more useful.
Practical Compliance Guidance
The IMS1 manual covers information security risk management as part of the wider risk and opportunity process, sitting alongside the broader business risks tracked through the opportunities and risks register. The two registers complement each other - one captures information security specifically, the other covers the strategic and operational risks across the business.
The following alphaZ documents support a practical approach to managing information security risks.
| alphaZ document | How to use it |
|---|---|
| ISO 27001 Toolkit | Full document set for setting up an information security management system, including the policies, registers and procedures referenced below. |
| ER15 Information Security Risks Register | The working register for information security risks. Captures each risk, its rating, the controls in place, the residual rating, the SoA controls and the risk owner. |
| F-IMS25 Information Assets Register | List of the information assets the business holds and processes, used to inform what the risks apply to. |
| F-IMS26 Statement of Applicability | Records which Annex A controls apply, which do not and why. Required for ISO 27001 certification. |
| F-IMS23 Opportunities and Risks Register | The wider business risk register. Information security risks should be cross-referenced where they have strategic impact. |
| PP-8-100 Information Security Policy Procedure | The master policy that sets out the controls referenced from the risk register, covering everything from access control to backup and supplier security. |
| P-20 Information Security Policy | Top-level information security policy, used as the public-facing commitment to the controls in PP-8-100. |
Note - all the above files can be downloaded with an alphaZ subscription.
UK Legislation
The following UK legislation is directly relevant to information security risk management. Organisations outside the UK should identify the equivalent legislation applicable in their jurisdiction.
- Computer Misuse Act 1990
- Data Protection Act 2018
- Network and Information Systems Regulations 2018
- Privacy and Electronic Communications Regulations 2003
