Compliance is all about risk mitigation. Most of the compliance frameworks started as risk mitigation efforts. It’s important that the company knows where its risks are and spends the time and effort to minimize those risks.
It’s also important for a company to know what its risks aren’t. Within many of the compliance frameworks are hundreds of controls, all designed to mitigate specific risks. Depending on the company and the risks associated, some of these controls may not have to be implemented, or there may be compensating controls already in place. Why reinvent the wheel?
Understanding your risks early in the compliance process helps companies focus the compliance effort on the right areas.
Some compliance frameworks, specifically ISO 27001, require doing a risk assessment to ensure the company understands where its information security risks are and what controls are in place to mitigate those risks. Developing a strong and flexible risk assessment process is important and should be a driver in the creation of your security controls.
Risk assessment is not an IT process – it’s a business process and needs to involve all departments. There are major risks in HR (staff turnover, firing people, training), accounting, administration (client information), customer support (validating the identity of people making requests), IT (security systems, boundaries, system availability) and just about everywhere else. My first time going through a risk assessment process I made the mistake of thinking it’s an IT process and focused on the IT risks. I completely missed simple ones like “angry employee is terminated”!
Always start with a very high level pass of the company’s business processes. Hopefully you already have some sort of a process map to base the discussion on. From there, it’s easy to dive deeper (but not too deep) on critical systems within each process area.
To provide a sense of scale, in a recent ISO 27001 project I was involved in, we had 78 risks outlined in our first revision. I expect that will go up to 100 as they increase the scope of registration. Our auditor told of stories of (unnamed) companies with hundreds or thousands of risks, and how unmanageable their compliance frameworks became. Remember, you need to review these risks regularly! Keep the process simple and the scope manageable.
Done right, your risk assessment process will provide great guidance on what controls need to be in place with your compliance framework. It can be a very important tool for driving changes and security improvements throughout the company.