Information Risk Management (or IRM) is the process of identifying, understanding and managing the risks to information within the context of an organisation’s business needs.
IRM: the most effective way to address information security concerns
Information Risk Management is what we do here at Ascentor. To assist your company or organisation to manage information risk effectively, here is our best practice approach – the Ascentor four-step action plan for any business that is serious about protecting its valuable information.
Ascentor’s Four-step Information Risk Action Plan
| Risk Management Steps | Objectives | Ascentor's Information Risk Management approach |
| --- | --- | --- |
| Step 1: Identify what to protect | Establish the Scope | 1. What are the information systems you want to apply information risk management to? |
| | Establish the Business Function | 2. Be clear on the business aims and drivers. |
| | Establish the Business Context | 3. Understand the environment the business operates in, e.g. your legislative, contractual and regulatory compliance requirements. |
| | Identify your Assets | 4. Attach value to your information. Realise the importance of information security and get it on the Board's agenda. 5. Understand the value in your information and where it sits. |
| Step 2: Identify what you are trying to protect it from | Risk Assessment | 6. Identify the biggest risk to your business and the areas most affected: what are the threats and where do your vulnerabilities lie? 7. Get an understanding of how the risks are managed today. 8. Carry out a strategic risk review of the business: a gap analysis of where you are now versus where you want to be. |
| Step 3: Determine the best way to protect it | Risk Treatment | 9. Make someone accountable for information security. Make someone responsible for information risk management. 10. Put your information risk management strategy into action across all areas of the business (not just IT). Make sure your people are aware of their responsibilities. |
| | Risk Management | 11. Develop processes and procedures for the continuing review and feedback of risk management. |
| | Apply Controls and Countermeasures | 12. Develop contingency and incident management plans. Test them regularly. 13. Carefully manage the impact of each business or systems change. |
| Step 4: Monitor and Review | Compliance | 14. Keep it going: ensure the information risks affecting the business are reviewed at each Board meeting, making it part of your Business Risk Register review. |
| | Training and Awareness | 15. People are key to success. Empower your staff to make the right decision; provide education and training. |
Next Steps
Take our free, online risk review – an instant self-assessment tool to find out where your risk lies – Online Information Risk Review
If you have any questions on Information Risk Management or would like an objective assessment of your organisation’s information risks and security practices please get in touch. The Ascentor team would be delighted to help.