* Mileny Ferreira
Companies today are focused on their digital development, adapting and evolving technologically at speed. As this happens, the number of cyber attacks and information leaks grows alongside it.
An organization's exposure to cyber threats can cause damage that compromises the business, the information of customers, partners and suppliers, its operations, and even its reputation and brand, which can remain impaired long after the incident itself has been resolved.
It therefore becomes necessary to manage risk properly and put the appropriate arrangements in place to mitigate it, so that the organization can structure its business processes in a way that avoids a drastic impact should these risks materialize.
To assist organizations, the ISO/IEC 27005 standard was created, providing guidelines and techniques for managing information security risks. The standard gives the guidelines, but each organization must implement them in the way that best suits it; refinement and improvement should follow from the maturity of its information security risk management process.
ISMS Processes vs. IS Risk Management Process
As with all ISMS processes, the risk management process also adopts the PDCA model (plan, do, check, act):
- Establish the context: define the scope, the objectives and the basic criteria (risk evaluation criteria, impact criteria and risk acceptance criteria);
- Conduct risk analysis: identify threats, vulnerabilities, impacts, and the existing controls and their effectiveness. From this information the risk level is determined, and the organization chooses how to deal with each risk: mitigate, accept, avoid or transfer. Whatever the choice, a residual risk remains (the risk that persists even after the controls are implemented), and the organization must decide what action to take on it;
- Carry out risk evaluation: compare each risk level against the evaluation criteria and prioritize action on the risks according to the impact they would cause;
- Implement the risk treatment plan;
- Monitor continuously and critically review the risks;
- Maintain and improve the information security risk management process.
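The steps above can be tracked in a risk register. The following is an added example, not code from the article, from SAFEWAY or from the standard: a small Python register that records a risk with its threat, vulnerability, likelihood, impact and existing controls, computes the current level, applies the chosen treatment (mitigate, accept, avoid or transfer) to obtain the residual level, prioritizes risks for treatment and flags residual risks that still exceed the acceptance criterion. The 1-5 scales, the formula level = likelihood x impact, the point-based effect of controls, the acceptance threshold of 6 and the sample risks are all assumptions of this example; ISO/IEC 27005 leaves these criteria to each organization.

```python
"""Toy information-security risk register walking through the ISO/IEC 27005
steps: analyze (threat, vulnerability, likelihood, impact, existing controls),
evaluate (prioritize against criteria), treat (mitigate / accept / avoid /
transfer) and record the residual risk. The 1-5 scales, level = likelihood x
impact, the point-based control effect and the acceptance threshold are
assumptions of this example; the standard leaves the criteria to each
organization."""
from dataclasses import dataclass, field
from enum import Enum


class Treatment(Enum):
    MITIGATE = "mitigate"  # add controls that lower likelihood and/or impact
    ACCEPT = "accept"      # keep the risk as is, with a documented decision
    AVOID = "avoid"        # stop the activity that gives rise to the risk
    TRANSFER = "transfer"  # share the impact (insurance, contractual clauses)


@dataclass(frozen=True)
class Control:
    name: str
    likelihood_reduction: int = 0  # points taken off the 1-5 likelihood
    impact_reduction: int = 0      # points taken off the 1-5 impact


@dataclass
class Risk:
    rid: str
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # 1 rare .. 5 almost certain, before any control
    impact: int      # 1 negligible .. 5 business-threatening
    existing_controls: list[Control] = field(default_factory=list)
    treatment: Treatment = Treatment.MITIGATE
    planned_controls: list[Control] = field(default_factory=list)

    def __post_init__(self) -> None:
        for name in ("likelihood", "impact"):
            if not 1 <= getattr(self, name) <= 5:
                raise ValueError(f"{self.rid}: {name} must be on the 1-5 scale")


def _apply(controls: list[Control], likelihood: int, impact: int) -> tuple[int, int]:
    """Reduce likelihood and impact by the controls' effect, never below 1."""
    like = max(1, likelihood - sum(c.likelihood_reduction for c in controls))
    imp = max(1, impact - sum(c.impact_reduction for c in controls))
    return like, imp


def current_level(risk: Risk) -> int:
    """Risk analysis: level with only the controls that already exist."""
    like, imp = _apply(risk.existing_controls, risk.likelihood, risk.impact)
    return like * imp


def residual_level(risk: Risk) -> int:
    """Level expected once the chosen treatment has been implemented."""
    if risk.treatment is Treatment.AVOID:
        return 0  # the activity, and with it the risk, no longer exists
    if risk.treatment is Treatment.ACCEPT:
        return current_level(risk)  # nothing changes; the decision is recorded
    like, imp = _apply(risk.existing_controls + risk.planned_controls,
                       risk.likelihood, risk.impact)
    return like * imp


def prioritize(register: list[Risk]) -> list[str]:
    """Risk evaluation: highest current level first, so it is treated first."""
    return [r.rid for r in sorted(register, key=lambda r: (-current_level(r), r.rid))]


def needs_decision(register: list[Risk], acceptance_threshold: int) -> list[str]:
    """Residual risks still above the acceptance criterion: management must
    decide whether to accept them anyway or strengthen the treatment plan."""
    return [r.rid for r in register if residual_level(r) > acceptance_threshold]


# Constructed sample register for the example (not real data)
REGISTER = [
    Risk("R1", "customer database", "ransomware", "unpatched VPN appliance", 4, 5,
         existing_controls=[Control("offline backups", impact_reduction=1)],
         planned_controls=[Control("30-day patch SLA", likelihood_reduction=2),
                           Control("MFA on VPN", likelihood_reduction=1)]),
    Risk("R2", "staff laptops", "theft", "no disk encryption", 3, 4,
         planned_controls=[Control("full-disk encryption", impact_reduction=3)]),
    Risk("R3", "legacy FTP server", "credential sniffing", "cleartext protocol", 5, 2,
         treatment=Treatment.AVOID),  # decommission the server
    Risk("R4", "web shop", "DDoS", "single upstream provider", 2, 3,
         treatment=Treatment.TRANSFER,
         planned_controls=[Control("CDN scrubbing contract", impact_reduction=2)]),
    Risk("R5", "HR SaaS platform", "vendor breach", "no security clauses in contract", 3, 4,
         treatment=Treatment.TRANSFER,
         planned_controls=[Control("contractual breach liability", impact_reduction=1)]),
    Risk("R6", "office printer", "misprinted memo", "shared output tray", 2, 1,
         treatment=Treatment.ACCEPT),
]
ACCEPTANCE_THRESHOLD = 6  # assumed criterion: a level of 6 or below is acceptable

if __name__ == "__main__":
    for rid in prioritize(REGISTER):
        r = next(x for x in REGISTER if x.rid == rid)
        print(f"{rid} {r.treatment.value:9} current={current_level(r):2} residual={residual_level(r):2}")
    print("still above acceptance criterion:", needs_decision(REGISTER, ACCEPTANCE_THRESHOLD))
```

Running the script lists the register in treatment order (R1 first, with the highest current level of 16) and reports that R5 remains above the acceptance criterion after its planned transfer, which is exactly the situation described above: a residual risk on which the organization still has to make a decision, either accepting it formally or adding to the treatment plan.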
Advantages of implementing ISO/IEC 27005 in the organization:
- Greater effectiveness of investment, through risk-based prioritization and the strategic alignment of security with the organization's business processes;
- Visibility of information security for the organization's board of directors;
- Understanding of the maturity of the information security controls, together with continuous review of those controls.
Organizations used to take an internal view of cyber risk, aimed at the integrity and preservation of their own data, critical processes and information. Its importance, however, goes beyond preserving one's own integrity: the perspective must be internal and at the same time encompassing, taking in all interested parties.
For this reason, we see more and more organizations using technology across their business environment and concerned with carrying out cyber risk management integrated with the business strategy. Companies now know that this is no longer merely a technological risk for the IT department to own and handle; the effectiveness of the processes has to be maintained, because an organization whose risk management is well structured will be prepared, proactively and reactively, for any risk that reaches it.
* Mileny Ferreira is a GRC and Information Security Consultant at [SAFEWAY]
SAFEWAY is an Information Security company recognized by its customers for offering high-value solutions, through Information Security projects that fully meet the needs of the business. Over these years of experience we have accumulated, with great pride, many successful projects that have earned us credibility and prominence with our clients, which include a large part of the 100 largest companies in Brazil. Today, through more than 22 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one-stop shop for the best technology, process and people solutions.