Guidance

10 Steps: Information Risk Management Regime

Updated 16 January 2015

This guidance was withdrawn on

This content has been moved to the CESG website: https://www.cesg.gov.uk/10-steps-cyber-security

1. Summary

It is best practice for an organisation to apply the same degree of rigour to assessing the risks to its information assets as it would to legal, regulatory, financial or operational risk. This can be achieved by embedding an information risk management regime across the organisation, which is actively supported by the Board, senior managers and an empowered Information Assurance (IA) governance structure. Defining and communicating the organisation’s attitude and approach to risk management is crucial. Boards may wish to consider communicating their risk appetite statement and information risk management policy across the organisation to ensure that employees, contractors and suppliers are aware of the organisation’s risk management boundaries.

2. What is the risk?

Risk is an inherent part of doing business. For any organisation to operate successfully it needs to address risk and respond proportionately and appropriately, to a level consistent with the organisation’s risk appetite. If an organisation does not identify and manage risk, the result can be business failure.

A lack of effective information risk management and governance may lead to the following:

Increased exposure to risk

Information risk must be owned at Board level. Without effective risk governance processes it is impossible for the Board to understand the risk exposure of the organisation. The Board must be confident that information risks are being managed within tolerance throughout the lifecycle of deployed systems or services.

Missed business opportunities

Where risk decisions are taken at a junior level without effective governance and ownership reaching back to senior levels, this may promote an overly cautious approach to information risk, which in turn may lead to missed business opportunities. Alternatively, an overly open approach may expose the organisation to unacceptable risks.

Ineffective policy implementation

An organisation’s Board has overall ownership of the corporate security policy. Without effective risk management and governance processes the Board will not have confidence that its stated policy is being consistently applied across the business as a whole.

Poor reuse of security investment

A lack of effective governance means that information risk management activities may be undertaken locally when they could be more effectively deployed at an organisational level.

3. How can the risk be managed?

3.1 Establish a governance framework

A governance framework needs to be established that enables and supports a consistent and empowered approach to information risk management across the organisation, with ultimate responsibility for risk ownership residing at Board level.

3.2 Determine the organisation’s risk appetite

Agree the level of information risk the organisation is prepared to tolerate in pursuit of its business objectives and produce a risk appetite statement to help guide information risk management decisions throughout the business.

3.3 Maintain the Board’s engagement with information risk

The risks to the organisation’s information assets from a cyber attack should be a regular agenda item for Board discussion. To ensure senior ownership and oversight, the risk of cyber attack should be documented in the corporate risk register and regularly reviewed. Entering into knowledge-sharing partnerships with other companies and law enforcement can help you understand new and emerging threats that might pose a risk to your own business, and lets you share mitigations that might work.

3.4 Produce supporting policies

An overarching corporate information risk policy needs to be created and owned by the Board to help communicate and support risk management objectives, setting out the information risk management strategy for the organisation as a whole.

3.5 Adopt a lifecycle approach to information risk management

The components of a risk can change over time, so a continuous through-life process needs to be adopted to ensure that security controls remain appropriate to the risk.

3.6 Apply recognised standards

Consider the application of recognised sources of security management good practice, such as the ISO/IEC 27000 series of standards, and implement physical, personnel, procedural and technical measures.

3.7 Make use of endorsed assurance schemes

Consider adopting the Cyber Essentials Scheme. It provides guidance on the basic controls that should be put in place and offers a certification process that demonstrates your commitment to cyber risk management.

3.8 Educate users and maintain their awareness

All users have a responsibility to manage the risks to the organisation’s Information and Communications Technologies (ICT) and information assets. Provide appropriate training and user education that is relevant to each role, and refresh it regularly; encourage staff to participate in knowledge-sharing exchanges with peers across business and Government.

3.9 Promote a risk management culture

Risk management needs to be organisation-wide, driven by corporate governance from the top down, with user participation demonstrated at every level of the business.