500+ customers place their trust in us – from startups to large companies
Your goal
You want to focus on your critical assets and identify the threats, vulnerabilities and risks affecting them, as well as derive targeted, effective, appropriate and economically reasonable measures from them.
Our service
We support you in establishing an effective and yet pragmatic risk management within your Information Security Management System (ISMS) incl. methodology, roles, committees and responsibilities.
The result
You have successfully identified your assets, including the numerous threats and risks affecting them. And you have appropriate measures in place to reduce or minimise these risks and the attack surface.
We support you
With more than 10 years of information security experience
- Designing and implementing an effective methodology for dealing with information security risks.
- Conducting and moderating workshops to identify and assess the relevant risks.
- Defining and identifying appropriate measures.
- Optionally, advising on and supporting the selection of a suitable risk management or GRC tool (governance, risk and compliance).
The steps to your InfoSec risk management
Create the right framework
Risk management process and governance
Before we start recording your risks, we first define the necessary framework conditions. These include:
- Defining the risk appetite and the exact risk methodology (protection needs or risk levels, aspects to be considered in the risk assessment, ...).
- Defining and assigning responsibility for the (regular) execution of the risk management process.
- Defining and assigning responsibility for (residual) risks.
- Establishing the framework conditions for the acceptance of risks.
- Establishing the necessary communication channels and interfaces, for example to company-wide risk management or to other risk management systems.
Identify primary assets
Determining protection needs
When determining the protection needs, we record all 'primary assets' (= processes and information) in the scope of the ISMS and evaluate them according to their protection needs for:
- availability,
- confidentiality and
- integrity.
Based on the primary assets, we identify the necessary resources (= applications, systems, networks, people, buildings / rooms or other information providers) that are required to operate the processes or handle the information and also assess their protection needs.
Identify risks in depth
Detailed risk assessment
A detailed risk assessment is carried out for critical assets. This includes a more in-depth analysis of possible damage scenarios, including an assessment of their likelihood of occurrence and the extent of damage in the event of an actual occurrence.
Because the detailed, scenario-based risk assessment is carried out only for critical assets, the focus stays on the relevant assets in each case while the approach remains pragmatic.
Eliminate remaining risks
Risk management and implementation tracking
Depending on the determined risk level, individual technical and / or organisational measures must be defined in order to reduce the risk to an appropriate level (according to the defined framework for risk acceptance), or the (residual) risk must be formally accepted by the person responsible for it.
In addition to the definition of measures, this phase also deals in particular with the follow-up of the defined measures and their timely and effective implementation.
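As an added illustration (not from the original page and not the provider's own method), the following Python sketch runs through the three steps above on constructed sample assets: protection needs are recorded per goal for primary assets, inherited by the supporting assets that operate them, only critical assets receive a scenario-based assessment, and each scenario's risk level decides between defining a measure and formal acceptance by the risk owner. The three-step protection-need scale, the maximum-principle inheritance, the criticality threshold, the 4x4 likelihood/impact matrix and the risk appetite are all assumptions chosen for the example, not values the page prescribes.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed example scales: the page names the three protection goals but no scale.
GOALS = ("availability", "confidentiality", "integrity")
LEVELS = ["normal", "high", "very high"]   # ascending protection-need scale (assumption)
RISK_APPETITE = "low"                       # assumption: only "low" risks may be accepted as-is


@dataclass
class PrimaryAsset:
    """A process or piece of information inside the ISMS scope."""
    name: str
    needs: Dict[str, str]      # protection need per goal, e.g. {"availability": "high", ...}
    supported_by: List[str]    # names of the supporting assets it depends on


@dataclass
class SupportingAsset:
    """Application, system, network, person or room that operates a primary asset."""
    name: str
    # starts at the lowest level for every goal; raised by inheritance below
    needs: Dict[str, str] = field(default_factory=lambda: {g: LEVELS[0] for g in GOALS})


def inherit_protection_needs(primaries: List[PrimaryAsset],
                             supporting: Dict[str, SupportingAsset]) -> Dict[str, SupportingAsset]:
    """Maximum principle (assumption): per goal, a supporting asset takes the highest
    protection need of any primary asset that relies on it."""
    for p in primaries:
        for s_name in p.supported_by:
            s = supporting[s_name]
            for goal in GOALS:
                if LEVELS.index(p.needs[goal]) > LEVELS.index(s.needs[goal]):
                    s.needs[goal] = p.needs[goal]
    return supporting


def is_critical(asset: SupportingAsset) -> bool:
    """Criticality threshold (assumption): any goal at the top of the scale."""
    return any(level == LEVELS[-1] for level in asset.needs.values())


@dataclass
class Scenario:
    """Damage scenario from the detailed assessment of a critical asset."""
    asset: str
    description: str
    likelihood: int   # 1 (rare) .. 4 (frequent), constructed scale
    impact: int       # 1 (minor) .. 4 (existential), constructed scale


def risk_level(scenario: Scenario) -> str:
    """Likelihood x impact matrix (assumption): 1-3 low, 4-8 medium, 9-16 high."""
    score = scenario.likelihood * scenario.impact
    if score >= 9:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def treatment(scenario: Scenario) -> str:
    """Risks above the appetite need a measure; the rest may be formally accepted."""
    order = ["low", "medium", "high"]
    if order.index(risk_level(scenario)) > order.index(RISK_APPETITE):
        return "reduce"   # define measure, assign owner and due date, track implementation
    return "accept"       # formal sign-off by the risk owner, re-assess at the next review


def build_example_register() -> Tuple[Dict[str, SupportingAsset], List[str], List[Tuple[str, str, str]]]:
    """Constructed sample data: two primary assets, two supporting assets, three scenarios."""
    primaries = [
        PrimaryAsset("Customer order processing",
                     {"availability": "high", "confidentiality": "normal", "integrity": "high"},
                     ["ERP server", "Office WLAN"]),
        PrimaryAsset("Payroll data",
                     {"availability": "normal", "confidentiality": "very high", "integrity": "high"},
                     ["ERP server"]),
    ]
    supporting = {name: SupportingAsset(name) for name in ("ERP server", "Office WLAN")}
    inherit_protection_needs(primaries, supporting)
    critical = [s.name for s in supporting.values() if is_critical(s)]
    scenarios = [
        Scenario("ERP server", "Ransomware outage lasting several days", 3, 4),
        Scenario("ERP server", "Payroll records readable via misconfigured share", 2, 3),
        Scenario("ERP server", "Disk failure with tested backups available", 2, 1),
        Scenario("Office WLAN", "Not assessed in depth: asset is not critical", 4, 4),
    ]
    # Only scenarios on critical assets enter the detailed register.
    register = [(sc.description, risk_level(sc), treatment(sc))
                for sc in scenarios if sc.asset in critical]
    return supporting, critical, register


if __name__ == "__main__":
    sup, crit, reg = build_example_register()
    for name, asset in sup.items():
        print(name, asset.needs, "CRITICAL" if name in crit else "")
    for row in reg:
        print(row)
```

The point the sketch makes is that the register stays short: the WLAN scenario never reaches it because the WLAN's inherited needs never hit the top of the scale, while every ERP scenario gets an explicit level and an explicit treatment decision that can be tracked to an owner.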
Risk management success factors
Common standards such as ISO 27005 or ISO 31000, as well as best practices and organisation-specific circumstances, play a major role in information security (InfoSec) risk management. The various risk management systems at the detailed level (IT or information security) should be integrated into the overall view of company-wide risk management.
In addition to various standard requirements, InfoSec risk management must above all be able to identify the truly relevant risks from the multitude of vulnerabilities and threats. This means that appropriate (attractive from the perspective of security levels achieved) and proportionate (attractive from an economic perspective) measures must be defined and implemented for the identified risks.
The management of information security risks is a central and important building block for the operation of an effective ISMS. It is a tool for selecting, prioritizing and establishing appropriate measures in dealing with identified threats and vulnerabilities.
Our aim is to work with you to implement a pragmatic and effective method. In doing so, we rely on proven standards and best practices such as ISO 27001, ISO 27005, BSI Standard 200-3, ISO 31000 and, above all, our experience and our feel for the essentials.
Want efficient risk management?
Let us get to know you in a web meeting and talk about your situation and goals. We will show you how we have helped in similar customer situations.
Other services for the management of risks

Protect your sensitive business information according to best practices.

Find out how to protect your relevant company information in accordance with VDA ISA.

We work with you to design your company-specific ISMS for KRITIS companies, establish the necessary processes and guidelines and anchor them in the company. Request support now!

Protect your company with tailor-made business continuity management: avoid IT failures, minimize risks, secure core processes. Request support now!