Preparing for a Risk Assessment
When your organization is deciding to go forward with a risk assessment, it isn’t enough to just jump into the conference room and start writing on the whiteboard. It is always best to take a little time to prepare for an assessment before you dive in. First, you want to identify the purpose of the assessment. Why are we setting forward to do this particular risk assessment at this particular time? And we want to look at the scope. Is this risk assessment organizationally, or are we going to focus IT or are we going to look at say, for example, the sales process or the service delivery process to assess risk? We want to identity any core assumptions we have about the environment and any constraints that would keep us from a good and solid risk assessment within our space. And we want to identify our authoritative sources of information both inside and outside the company, whether that’s our standard whether that’s NIST 800-30 or whether that’s ISO 27005 or whether that’s our internal sources of data. Where are authoritative sources for inventory, for personnel and descriptions of processes. We also want to identify our risk model and the analytic approach to the employed in doing risk. How are we going to do this and what common definitions are we going to use, and should I tell my employees how to do this before we walk in the door, or should we train them as we go? The core approach will drive all of your risk assessment going forward, so taking time to get that right will pay benefits in the long run.