Collaborate Disseminate
If organisations are to adequately protect their sensitive data, they need to understand the three core components of information security: threat, vulnerability and risk. Those unfamiliar with the technicalities of information security might assume th… Continue reading Information security vulnerability vs threat vs risk: What are the differences?
One of the most important steps when conducting an ISO 27001 risk assessment is to select risk owners to manage specific threats and vulnerabilities. Choosing the right person is crucial, because not only should the owner of each risk be someone for wh… Continue reading How to get multiple risk owners contributing to a risk assessment
An ISO 27001 risk assessment should have five key steps. In this blog, we look at the second step in the process: identifying the risks that organisations face. How to identify threats You must determine which can compromise the confidentiality, integr… Continue reading Top 10 risks to include in an information security risk assessment
The risk treatment plan is one of the mandatory documents that must be produced as part of a certified ISO 27001 ISMS (information security management system). It provides a summary of each of the identified risks, the responses that have been designed… Continue reading How to produce a risk treatment plan
Whether you’re addressing cyber security on your own, following ISO 27001 or using the guidance outlined in the GDPR (General Data Protection Regulation), the process begins by assessing the risks you face. You might have a broad idea of what a r… Continue reading Risk terminology: Understanding assets, threats and vulnerabilities
A data flow map is a diagram that shows how sensitive information moves between one part of your organisation and another. For example, you might collect user information through a survey, which is then funnelled into a database used by your marketing … Continue reading GDPR data mapping tutorial: tips, tricks and techniques
The latest iteration of ISO 27001 introduced the concept of risk owners in addition to asset owners. This strengthened the Standard’s stance that organisations must appoint people to take accountability for specific aspects of information securit… Continue reading ISO 27001: What’s the difference between a risk owner and an asset owner?
Clause 4.2 of ISO 27001 details the needs and expectations of interested parties. An interested party is essentially a stakeholder – an individual or a group of people affected by your organisation’s information security activities. To iden… Continue reading ISO 27001: Understanding the needs and expectations of interested parties
ISO 27001 is designed to help organisations identify the right approach to take when managing risks. You can’t apply defences to every threat you face, because that would be impractical and prohibitively expensive, so you need to determine when m… Continue reading How to choose the right strategy for ISO 27001 risk management
Clause 6 of ISO 27001 is one of the most important aspects for compliance, as it covers the actions you must take to address information security risks. Everything else you do to meet the Standard’s requirements informs or revolves around the ste… Continue reading Managing risks according to Clause 6 of ISO 27001