The Risk Management Cycle
The principle of risk management is at the heart of information security. It forms part of standards and frameworks such as COBIT, ISO/IEC 27001, and NIST SP 800-53.
Security management should follow a risk management cycle such as the one below.
- Identify & Assess: identify the organisation's protection needs from an assessment of its information security risks, taking into account:
  - Risk attitude and awareness (the organisation's risk "appetite")
  - Evaluation of the impact and likelihood of each risk
- Define the desired results in terms of:
  - Scope of protection
  - Effort (budget and manpower)
  - Allowable residual risk: the exposure to loss that remains after the other known risks have been countered, factored in, or eliminated
- Determine the appropriate strategy or strategies and build the business case
- Implement the selected strategy or strategies through policies and controls
- Monitor the effectiveness of the policies and controls, and report on it
- Review reports and evaluate the strategy
- Adjust as part of the continuous improvement cycle