IT Risk Management and IT Risk Analysis

An effectively operated IT risk management protects the company from potential damage and, despite the constant changes in the IT landscape, makes it possible to identify dangers early and to launch the corresponding risk-mitigation measures in time. IT risk management is therefore a factor that should not be underestimated within a company's overall risk management.

The detailed risk assessment or a combined risk assessment

Various methods can be applied for IT risk management, for example the baseline assessment, the informal (experience-based) assessment, the detailed risk assessment or a combined risk assessment.
WMC applies a combined method for the risk assessment, as expressly recommended in the ISO 13335-3 standard.

This method begins with a high-level risk analysis:

Starting from the important business processes, all IT systems involved are identified and roughly classified into risk levels such as high, medium or low. This classification must be documented in the asset management.

The risks are viewed not from the technical but from the business perspective.

Schematic flow of the IT risk assessment (ISO/IEC 27005)

Put simply, the question is: Which IT systems contribute significantly to the business success of your company?

For an assessment, the following topics must be analyzed:

  • Which company objective is achieved with the IT system in question?
  • To what degree do the business operations depend on this system? The following aspects shall be considered: confidentiality, integrity, availability, responsibility, authenticity, functional reliability.
  • What investments were made to create, maintain and develop the IT system, and what investments would a replacement require?
  • If applicable, which subsystems belong to this IT system and also contribute significantly to the value of the entire system?
  • How many other IT systems depend on the inspected system with regard to the supported business processes?

If the risk in one of the listed areas is rated high, a detailed risk analysis of this IT system is required. In general, all systems with a medium or low rating are secured with general security measures. If in doubt, systems with a medium rating can additionally undergo a detailed risk analysis.
The assessment of all IT systems according to this procedure shall be repeated once a year. New systems shall be assessed during the planning/project phase.

And the detailed risk analysis:

Only those systems rated critical or at high risk require a detailed risk analysis. Here all risks and their magnitude or degree are identified.

Then every unwanted event, with its possible damaging consequences for the business operations, is judged on its probability. The probability depends on the attractiveness of the system for a potential attacker, on how likely certain threats such as fire or theft are, and on how easily vulnerabilities can be exploited. The results of this analysis are used to determine the security measures that counter these risks and reduce them to an acceptable level.
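The two stages described above, the rough high/medium/low classification with its "high means detailed analysis" rule and the detailed analysis of single unwanted events, as an added worked example that is not WMC or QSEC code. The numeric scales, the cost and dependency thresholds, the likelihood-times-impact scoring and the sample systems are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# The dependency aspects listed in the assessment questions above.
ASPECTS = ("confidentiality", "integrity", "availability",
           "responsibility", "authenticity", "functional_reliability")
LEVELS = {"low": 1, "medium": 2, "high": 3}
NAMES = {v: k for k, v in LEVELS.items()}

@dataclass
class ItSystem:
    name: str
    business_goal: str          # company objective the system serves
    dependency: dict            # aspect -> "low" / "medium" / "high"
    dependent_systems: int      # other IT systems relying on this one
    replacement_cost: int       # assumed unit: kEUR
    subsystems: list = field(default_factory=list)

def rough_level(system, cost_high=500, dep_high=5):
    """Stage 1: worst rating over all aspects; high investment, many
    dependent systems or a valuable subsystem lift the whole system."""
    worst = max(LEVELS[system.dependency.get(a, "low")] for a in ASPECTS)
    if system.replacement_cost >= cost_high or system.dependent_systems >= dep_high:
        worst = LEVELS["high"]
    for sub in system.subsystems:
        worst = max(worst, LEVELS[rough_level(sub, cost_high, dep_high)])
    return NAMES[worst]

def needs_detailed_analysis(system, analyse_medium=False):
    """High -> detailed risk analysis; medium/low -> general measures,
    medium optionally analysed in detail when in doubt."""
    level = rough_level(system)
    return level == "high" or (analyse_medium and level == "medium")

def detailed_risk(events, acceptable=6):
    """Stage 2 (assumed scoring): risk = likelihood x impact on 1..5 scales.
    Returns (event, score, needs_countermeasure) per unwanted event."""
    return [(name, lik * imp, lik * imp > acceptable) for name, lik, imp in events]

# Constructed sample inventory: an ERP system with a database subsystem
# and a low-value internal wiki.
erp_db = ItSystem("erp-db", "order processing",
                  {"availability": "medium", "integrity": "high"}, 1, 80)
erp = ItSystem("erp", "order processing",
               {"availability": "medium", "confidentiality": "medium"}, 3, 200, [erp_db])
intranet = ItSystem("intranet-wiki", "internal communication", {"availability": "low"}, 0, 20)

if __name__ == "__main__":
    for s in (erp, intranet):
        print(s.name, rough_level(s), "detailed analysis:", needs_detailed_analysis(s))
    print(detailed_risk([("ransomware on erp-db", 3, 5), ("fire in server room", 1, 5)]))
```

The ERP system is rated high only because of its integrity-critical database subsystem, which is exactly the case the subsystem question in the list above is meant to catch.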

For many years WMC Consulting has been successfully advising customers on IT risk management and has a number of well-known references.
With the QSEC-Suite we have implemented IT risk management according to the DIN EN ISO/IEC standard as a module of the QSEC-Suite, a convenient solution for our customers. It is a future-oriented tool for implementing and sustainably operating an ISMS, pragmatically realized with a "best practice" approach, and it permanently saves resources and costs.

Learn more about the QSEC IT-Risk Management module:

IT-Risk Management with QSEC