ISMS – simply explained Part 2: Risk management as an essential part of the ISMS

Risk management takes a look into the future of your company and is a good tool for uncovering possible information security risks and backing them up with measures. It should be noted that never all eventualities can be mapped, the best example of this is the corona pandemic. Risk management consists of risk identification, analysis, assessment, treatment and continuous monitoring.

Every company strives for market success by means of its business objectives, while the opportunities and risks must be weighed up. Due to legal and regulatory requirements, it is necessary to establish and maintain an effective risk management system as a core element of corporate management. A uniform procedure is necessary for this, which is defined as part of risk management.

The entire risk management process must be documented within the framework of a guideline or accordingly in the ISMS and is based on the scope of the ISMS. It is also important to define the roles and those responsible. A risk manager should be appointed to control the risk management. The information security officer (ISB) can also do this. The risk manager controls the risk management and keeps an eye on the risks. We recommend an extensive annual risk review. The risk owner is responsible for assessing and handling the risks assigned to him. Employees outside of IT should also recognize and report threats, if this is possible within their framework. Ideally, risk management is a lived process in the company that involves every employee.

Risk management is an important instrument for recognizing possible information security risks for your company in good time and being able to react appropriately in order to guarantee the required availability, integrity and confidentiality of company information.

• Determination of your information-relevant threats,
• Identification and evaluation of your weak points,
• Determination of your information-relevant company values ​​(assets) and their owners,
• Evaluation of risks according to comprehensible criteria,
• Setting up measures to reduce your risks,
• Decision-making on the priority of your risk treatment and your implementation of measures on the basis of the proposed measures and
• Documentation and communication of your relevant risks.

The selection of the risk management method determines how the risks are dealt with. One possible approach is e.g. the BSI standard 200-3. When choosing the method, any special legal, contractual or other relevant requirements for your company should be considered in advance. For example, banks and the financial sector have special requirements for risk management (keyword: BaFin, MaRisk). The choice of method depends on the level of requirements. Another efficient method is described in the current ISO / IEC 27005: 2018. As part of this, the inventory of the values ​​is determined with the help of the structural analysis and shows the assets relevant for the business processes and their interdependencies. This method is useful, for example, if a configuration management database (CMDB) is already in use in the company. We would be happy to advise you on the selection of the most suitable risk management method for your company.

The purpose of risk identification is the systematic recording of all risks relevant to your company. We will be happy to work with you to identify your risks as part of the development of your ISMS or for a possible ISO: 27001 / TISAX certification and carry out the entire risk management process through to sensitizing all your employees.

As part of the risk identification, the first step is to record all assets and combine them into groups of equal value (asset classes). An asset describes a value of a company, such as a laptop. Possible asset classes here are e.g. “Laptops and Smartphones Employees” and “Laptops and Smartphones Managing Directors” into consideration. In this example, two asset classes should be created for the asset laptop, since both asset classes are associated with different threats and therefore different information security risks are affected. This means that an asset class has the same vulnerabilities and thus the same threats.

The following information security risks should be considered in the context of the asset classes.
It is about the loss of …:

• Confidentiality: The property that information is not made available or disclosed to unauthorized persons, units or processes.
  Availability: property of a value, of a unit being accessible and usable on request.
  Integrity: Property of ensuring the correctness and completeness of values. In particular, this includes the property that information is not changed without authorization.
• All assets or asset classes should be recorded in full.
• Tools for the software-supported implementation of risk management
• In principle, Excel lists can be used to inventory the values. However, the larger the company, the more difficult it can be to record all assets with the help of an Excel list. In addition, continuous checking and updating is urgently required.

We therefore recommend a software-based solution that automatically takes over the acquisition and also offers the possibility of visualizing the relationships between the assets. The market offers various options for this. We would be happy to advise you on choosing the right software tool for you.

After the assets have been fully recorded and the risk owner has been determined, the task is to examine the individual assets or asset classes with regard to their hazards, to evaluate them and to store and handle them with measures.

When showing the risks of the individual assets / asset classes, you can, for example, fall back on existing risk or hazard catalogs, such as the elementary threats from the basic IT protection of the BSI.

The risk assessment enables the identified risks to be weighted and assessed depending on the probability of occurrence and the amount of damage. The subsequent classification of the risk into the corresponding risk class low, medium, high or very high forms the conclusion of the risk assessment.

Risks should be treated appropriately according to their assessment. An approach that has proven itself in our experience is to include it in a risk treatment plan. This serves to compare the corresponding measures. There are basically four different types of risk treatment:

• Risk avoidance,
• Risk reduction,
• Risk transfer and
• Risk acceptance

For the above-mentioned asset class “laptops and smartphones employees”, for example, malware can be identified as a threat that affects the information security risk of integrity. One possible measure to reduce this is a centrally managed antivirus solution. This allows the risk class to be reduced to low.

In addition to the assessed risk and the measure, the risk owner as well as a date for the implementation and possibly also a status should be included in the risk treatment plan.

Efficient risk management requires sensible handling of risks and regular reviews. For this purpose, the risk management process presented here should be introduced and established. In addition to the risk awareness of management and all employees, an essential component of success for risk analysis and assessment is the implementation of internal and external audits to record and take into account all eventualities.

We would be happy to support and advise you on the introduction and establishment of a risk management system. We also offer training to sensitize your employees. Our certified IT specialists are happy to be there for you. Simply fill out our contact form or write an email to info@aigner-business-solutions.com. We can also be reached by phone at 08505 – 91927-0.