Twice in the last month ESID Consulting has been asked to provide support and advice concerning information security risk assessments performed by other vendors. I was called in because the customer didn’t understand the final report they had been given (and paid for), and for some reason they didn’t want to, or didn’t feel they could, ask the company concerned to explain it to them.
On both occasions the reason the customer didn’t understand what they had was that the reports were full of “geek” speak and padding (useless information and confusing flow diagrams).
The other thing I found was that these so-called risk assessments were not what I would call risk assessments at all.
The first was called a “data security risk assessment” and the other a “high level risk assessment”. Now, I suppose if you want to argue it, that may well be correct in a grey / woolly sense of the term. But all they served to do was mislead the customer! They were in fact both “Gap Analysis” assessments, which are not the same thing.
A “proper” risk assessment is mapped against risks, threats and vulnerabilities, takes considerably longer to perform and is asset-based, meaning that the organisation needs to know and understand what its assets are in the first place. A gap analysis, by contrast, simply compares the controls an organisation already has in place against a chosen standard or checklist; it says nothing about which assets matter or what threatens them.
This lack of clear description leaves the customer understandably “miffed” when they are told that they need to have another, more granular risk assessment done. Now, this may be just down to the language used at the time of sale and a subsequent misunderstanding by the customer. But it shouldn’t ever come to that.
A risk assessment also forms an integral part of an Information Security Management System (ISMS), which is the natural follow-up to the risk assessment exercise. An ISMS is entirely risk-based, covers the whole business and is integral to all business processes. It is a framework that becomes a business enabler: it drives efficiency, transparency and trust within an organisation, and it secures and protects your business assets and your bottom line.
All of the work performed by ESID Consulting is based on openness and transparency. All of our reports are clear and as free of jargon as possible. We will explain everything and hold your hand through the entire project. We don’t just give you the report and walk away. We very much become part of the team and provide a “shared” CISO / CSO facility, both for organisations that don’t have one and for those that do and would like to share the load.
So, if you are currently looking at a risk assessment or report from another company, or you are trying to implement an ISMS and you haven’t got a clue what it means or where to start or go next, then call us.
ESID Consulting Tel 0844 358 2362 or email firstname.lastname@example.org
Gary is CEO and Founder of ESID Consulting, an Insider Threat & Information Security consultancy.