What information, where? The first step in Information Risk Management

Before you look at how to protect your valuable information, it is important to be clear on what information you need to protect and where it sits in your organisation. This is a vital first step in the Information Risk Management process (see Ascentor’s 4 step Information Risk Management Process) and one that is sometimes forgotten.

Things change fast with business and information

Many organisations carried out a data audit when privacy legislation first came in (this was a requirement of the Data Protection Act of 1998), but this was a long time ago now. It was a snapshot in time, and things change fast when it comes to business and information.

As your company grows, so do your information risks. Information volumes creep up over time: strategic decisions, new projects, new partnerships, new technology – all have an impact and require careful change management.

Is that new information more or less valuable than that previously held? Does that new contract require more or less rigour in the protection of the customer’s data? These are important questions that need an answer.

The need for regular audit

In the way that good stock control starts with an understanding of what stock is held and where it can be found, so the management of information and consequently information risks must start with knowing what information is held and where. But this can’t be a ‘once and done’ activity.

Organisations need a regular audit process that allows for the recording of all information and where it sits. Regular information audits will help you to understand the value of your information. This is a crucial process to embed in the business, ideally undertaken every year, and sometimes more often in high-risk or dynamic environments.

Good decisions require good information

Knowing what and where your valuable information is will enable you to make better investment decisions on how to protect it, ensuring money is spent on controls that mitigate the risks you care about the most, not the ones the hardware and software resellers want you to spend money on.

Managing information risks gives you the visibility and confidence you need to make the right decisions to protect your information and strengthen your business. It all starts with knowing what information, where.

Is it time for an information audit?

Article by Dave James, MD of Ascentor
