Cyber Security Risk Management

Cyber threats are constantly evolving. The most effective way to protect your organisation against cyber attacks is to adopt a risk-based approach to cyber security.

A risk-based approach ensures that the cyber security measures you implement are based on your organisation’s unique risk profile. You’ll save time, effort and money by avoiding addressing unlikely or irrelevant threats.

GRC Solutions can help you develop a cyber security risk management strategy, enabling you to take a systematic approach to managing your security challenges.

Find out more about our solutions

Cyber risk management means identifying, analysing, evaluating and addressing your organisation’s cyber security threats.

The first part of the cyber security risk management process is a cyber risk assessment. This risk assessment will provide a snapshot of the threats that might compromise your organisation’s cyber security and how severe they are.

Based on your organisation’s risk appetite, your cyber risk management programme then determines how to prioritise and respond to those risks.

Learn more about cyber security risk assessments

Although specific methodologies vary, a risk management programme typically follows these steps:

1. Identify the risks that might compromise your cyber security. This usually involves identifying cyber security vulnerabilities in your system and the threats that might exploit them.
2. Analyse the severity of each risk by assessing how likely it is to occur and how significant the impact might be if it does.
3. Evaluate how each risk fits within your risk appetite (your predetermined level of acceptable risk).
4. Prioritise the risks.
5. Decide how to respond to each risk. There are generally four options:
   • Treat – modify the risk’s likelihood and/or impact typically by implementing security controls.
   • Tolerate – make an active decision to retain the risk (e.g., it falls within the established risk acceptance criteria).
   • Terminate – avoid the risk entirely by ending or completely changing the activity causing the risk.
   • Transfer – share the risk with another party, usually by outsourcing or taking out insurance.
6. Since cyber risk management is a continual process, monitor your risks to ensure they are still acceptable, review your controls to ensure they are still fit for purpose, and make changes as required. Remember that your risks continually change as the cyber threat landscape evolves, and your systems and activities change.

Risk management is a key requirement of many information security standards and frameworks, and laws such as the GDPR (General Data Protection Regulation) and NIS Regulations (Network and Information Systems Regulations 2018).

ISO 27001

ISO/IEC 27001:2022 – the international standard for information security management. Clause 6.1.2 of ISO 27001 states that an information security risk assessment must:

• Establish and maintain information security risk criteria;
• Ensure that repeated risk assessments produce “consistent, valid and comparable results”;
• identify risks associated with the loss of confidentiality, integrity and availability of information within the scope of the information security management system;
• Identify the owners of those risks; and
• Analyse and evaluate information security risks according to the criteria established earlier.

Learn more about ISO 27001 risk assessments

The NCSC’s 10 Steps to Cyber Security

The NCSC’s (National Cyber Security Centre) 10 Steps to Cyber Security  – a set of ten practical steps that organisations can take to improve the security of their networks and the information carried on them. Defining and communicating your board’s information risk management regime is central to your organisation’s overall cyber security strategy and the first of the ten steps.

The CIS Controls

CIS (Center for Internet Security) Controls  – the CIS Controls are a set of 18 actions for cyber defence, which provide specific and actionable ways to stop today’s most pervasive and dangerous attacks.

The PCI DSS

The PCI DSS (Payment Card Industry Data Security Standard) – applies to organisations of any size that accept card payments. Protecting digital cardholder data requires adherence to all the PCI DSS data security requirements. There are 12 PCI DSS requirements, which apply to “all system components included in or connected to the cardholder data environment”. Requirements 5 and 6 deal with implementing and maintaining a vulnerability management programme – an essential part of risk management.

Our risk assessment consultancy service includes guidance and advice on developing suitable methods for managing risks in line with the international standard for information security risk management, ISO 27005.

Our service typically includes:

• Establishing internal and external risk context, scope and boundaries, as well as the choice of risk management framework;
• Identifying and assessing risks in terms of their consequences to the business and the likelihood of their occurrence;
• Establishing communication lines with stakeholders to inform them of the likelihood and consequences of identified risks and risk statuses;
• Establishing priorities for risk treatment and acceptance;
• Establishing priorities to reduce the chance of risks occurring;
• Establishing risk monitoring and risk review processes; and
• Educating stakeholders and staff about the risks to the organisation and the actions being taken to mitigate those risks.

Who is the cyber risk management service designed for?

We can deliver our risk management consultancy to organisations of any size – small, medium and large enterprises – and where IT infrastructure includes complex legacy systems and newer operating systems whose interoperability is not always seamless.

It is beneficial to public-sector organisations such as those that engage with the NHS and HMRC, and to local councils and other government agencies that provide services across different channels to diverse groups of users – the interchange of personal data across different platforms requires greater vigilance and methods of protection.

GRC Solutions specialises in providing best-practice action plans, consultancy services, risk assessment, risk management and compliance solutions, focusing on cyber security, cyber resilience, data protection and business continuity.

In an increasingly punitive and privacy-focused business environment, we are committed to helping organisations protect themselves and their customers from the perpetually evolving range of cyber threats. Our deep industry expertise and pragmatic approach help our clients improve their defences and make critical strategic decisions that benefit the entire business.

IT Governance, trading as GRC Solutions, is recognised under the following frameworks:

• UK government CCS (Crown Commercial Service)-approved supplier of G-Cloud services.
• CREST certified as ethical security testers.
• Certified to:
  • Cyber Essentials Plus, the UK government-backed cyber security certification scheme.
  • ISO 27001, the world’s most recognised information security standard.
  • ISO 9001, the international standard for quality management.