How much Risk Assessment is needed?

In many of the InfoSec forums I subscribe to, people regularly ask the “How long is a piece of string” question:

How extensive a risk assessment is required?

It’s a perfectly valid question we all have faced, along with the “where do I begin” class of questions.

The ISO-27001 standard lays down some necessities, such as your asset register, but it doesn’t tell you what level of detail is necessary. You can choose to say “desktop PCs” as a class without addressing each one, or even distinguishing the different models. You can say “data centre” without having to enumerate every single component therein.

At first.

I think of this as being like building a railroad or using a vacuum cleaner.
You don’t install all of the railroad in one go before using it; it grows over the years. You don’t vacuum all of the house at the same time; you work through the rooms, dealing with each according to your reach, and then move forward.

Read that again:

“… you work through the rooms, dealing with each according to your reach, and then move forward.”

An implicit part of all the ISO stuff is “continuous improvement”.
Hey, leave something to do next year, why don’t you?

The IT people use many applications. Do I really need to drill down for the risk related to the functionality of the application, or do I just need to identify the risks and threats for access to information in the applications?

Most of us are from a technical background, so we focus on the technology first, but sometimes this is not the most effective way to work. An older and wiser auditor once told me to identify the people who were the – I use the modern term, she didn’t – business process owners. They know what is critical for them and they know, or should know if they are doing their jobs properly, the high-profile risks.

Regardless of whether those risks are the ones you, as a technology person, would have identified, they are the ones you should address first, because you have to prove your credibility and effectiveness to these people. If you fail in that, there won’t be a next year, and you won’t be able to do the continuous improvement bit and get around to what *you* think is important.

My school motto was “A minimis incipe”. Literally translated it means “Begin from the smallest things”, or “From small beginnings”. I’ve seen other wordings, and those are applicable here.

  • Take small mouthfuls
  • First, hold her hand
  • Every journey begins with the first step

I’m sure you can find similar sentiments in religious and philosophical classics.

The important point is this:

Don’t expect to do it all the first time

  • Do what analysis you can
  • Deal with the obvious first
  • Install the controls and monitor the results
  • Provide feedback

If that sounds like the Deming cycle – Plan-Do-Check-Act – then yes, that is what this is about.

[Figure: The Risk Management Process for IT Systems according to ENISA, following ISO 27005]

About the author

Security Evangelist


  1. Hi Anton. “Hey, leave something to do next year, why don’t you?” hints at the possibility of deliberately taking a business rather than an infosec view. What can we afford to live with, for now? In what areas are we on safe enough ground to take a chance? How lucky do we feel today?

    It’s a question of risk aversion vs entrepreneurial perspectives. Appreciating both sides of the coin enables both parties to appreciate the issue at hand more realistically, I reckon.

