It is not just a huge help for general management when company risk assessments are based on concrete business goals. Business-based risk assessments also help information security managers to prioritize what scarce resources they have.
Risk assessments must align with business goals
[fa icon="calendar'] Monday, 16 December 2019 / by Jakob Holm Hansen under information security, Risk assessments, risk treatment
Risk Assessments - What are they for?
[fa icon="calendar'] Monday, 27 June 2016 / by Jakob Holm Hansen under Risk assessments, risk treatment, Risk management
It is now considered good practice to perform risk assessments - or at very least to acknowledge that they should be done.
Unfortunately, far too often we see that businesses only conduct risk assessments in order to satisfy some sort of compliance requirement or other types of requirements (audit, contract, statute etc.). If you are lucky, you might have the resources to conduct them once per year.
Typically, you will conduct your risk assessment, speak with your organisation and then finally you submit a fancy report. And then your "project" is done. However, it would be wrong to consider the risk assessment as a project. Risk assessments should be a process. It is a process that involves feedback and continual adjustments.
The new ISO 27001 is out! How to develop a Statement of Applicability
[fa icon="calendar'] Friday, 11 October 2013 / by Jakob Holm Hansen under risk analysis, gap analysis, Information risk management, Statement of Applicability, SoA, risk treatment, controls, iso iec 27001:2013
The 2022 editions of the widely used standards for information security management, ISO 27001 and 27002 have been updated. The new versions contain a number of improvements that should be of interest to companies that lean towards ISO 27001 or comply with it.