By Joaquim Pereira on March 27, 2014
There are risks and there are risks. Information security risks are just a few of those we will have to manage and treat daily. Other risks are those inherent to the selection of the methodology and the approach we will follow to manage the information security risks.
Any expert in these matters will say that using a process-based approach and treating the identified risks, according to the measured levels of impact and their respective analysed probabilities, is the best strategy. This approach includes a number of activities to be undertaken, among them the review and approval of risk criteria, or other activities that, more or less accurately, provide a perspective on the risks an organization faces and enable it to perform the necessary actions to manage, mitigate, minimize, treat (or any other term in use) those risks, by applying the most appropriate actions to reduce the risk to the level accepted by top management.
But how much risk will we be able to reduce? Which actions will be needed to accomplish that? How did we get here? What criteria are used to define the risk criteria? Have those criteria been categorized? Have they been approved? These are some of the questions that make us realize that it is not enough to follow the activities of the process.
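To make the questions above concrete, here is an added worked example (not from the original post, and not prescribed by ISO 27005) of a minimal risk register in Python: ordinal likelihood and impact scales, a risk level computed as their product, a categorization of that level, an acceptance threshold standing in for the level approved by top management, and a residual level after controls. The scales, threshold, assets, scenarios and controls are all constructed illustration values; the floor of 1 on each scale after controls is an assumption of this example, reflecting that a control lowers a risk but does not remove it.

```python
from dataclasses import dataclass, field

# Ordinal scales and acceptance threshold: constructed values standing in for
# the risk criteria that, per the post, must be reviewed and approved by top
# management before any assessment is meaningful.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ACCEPTANCE_THRESHOLD = 6  # risk level at or below which the risk is accepted (assumed)


@dataclass
class Control:
    """A treatment action and how many scale steps it removes (assumed effect)."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    asset: str
    scenario: str
    likelihood: str
    impact: str
    controls: list = field(default_factory=list)


def inherent_level(risk: Risk) -> int:
    """Risk level before any treatment: likelihood x impact."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def residual_level(risk: Risk) -> int:
    """Risk level after applying the listed controls.

    Each control lowers likelihood and/or impact by a number of scale steps;
    neither value drops below 1 (assumption: a control reduces, never removes).
    """
    lik, imp = LIKELIHOOD[risk.likelihood], IMPACT[risk.impact]
    for c in risk.controls:
        lik = max(1, lik - c.likelihood_reduction)
        imp = max(1, imp - c.impact_reduction)
    return lik * imp


def categorize(level: int) -> str:
    """Map a numeric level onto the categories in the approved criteria (assumed bands)."""
    if level <= 6:
        return "low"
    if level <= 12:
        return "medium"
    return "high"


def treatment(risk: Risk, threshold: int = ACCEPTANCE_THRESHOLD) -> str:
    """Decision rule: accept if residual is within the approved threshold, else treat."""
    return "accept" if residual_level(risk) <= threshold else "treat"


def reduction_needed(risk: Risk, threshold: int = ACCEPTANCE_THRESHOLD) -> int:
    """How much further the residual level must drop to reach the accepted level."""
    return max(0, residual_level(risk) - threshold)


def assess_register(register: list, threshold: int = ACCEPTANCE_THRESHOLD) -> list:
    """Produce one assessment row per risk, with inherent, residual and decision."""
    return [
        {
            "asset": r.asset,
            "scenario": r.scenario,
            "inherent": inherent_level(r),
            "residual": residual_level(r),
            "category": categorize(residual_level(r)),
            "decision": treatment(r, threshold),
            "gap": reduction_needed(r, threshold),
        }
        for r in register
    ]


# Constructed sample register (illustrative assets, scenarios and controls only).
SAMPLE_REGISTER = [
    Risk("customer database", "disclosure via stolen credentials", "likely", "severe",
         [Control("multi-factor authentication", likelihood_reduction=2),
          Control("field-level encryption of sensitive columns", impact_reduction=1)]),
    Risk("office printer", "unavailability due to hardware failure", "possible", "minor"),
    Risk("laptop fleet", "loss of an unencrypted device", "likely", "major",
         [Control("full-disk encryption", impact_reduction=3)]),
]

if __name__ == "__main__":
    for row in assess_register(SAMPLE_REGISTER):
        print(row)
```

Running the block shows the point the post is making: the same process activities yield different decisions depending on the criteria fed into them. The laptop risk moves from "treat" to "accept" purely because the approved threshold and the assumed effect of full-disk encryption say so; change either and the decision changes with it, which is why the criteria themselves need to be categorized and approved, not just the activities followed.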
Some experts will say that we must identify the procedures that will support us throughout the process. The HOW TO DO is extremely important, and on this point we have to agree. However, other questions arise: how many procedures, and which ones? With what level of detail?
International standards are often not enlightening about the HOW TO DO. Usually they answer, “according to the organization’s needs.” However, the most experienced people will easily find the approach that transforms the process activities listed in the ISO 27005 standard (the WHAT TO DO) into the HOW TO DO of information security risk management.
But is the approach we developed the right one? For some risk managers and organizations it may work; for others it may not. Using a recognized methodology, however, allows us to bridge these questions and adopt an approach that has been studied, implemented and has proven results, ensuring the HOW TO DO in a structured and recognized way.
There are several risk management methods available on the market. Relying on the one that best fits your organization tends to be the most intelligent, reasoned and structured way to manage information security risks in your organization, and it can also serve as evidence that best practices in risk management and assessment are being applied. And, of course, against facts there are no arguments.