Whatever the reference you might use (ISO27001, NIST CybersecurityFramework,the Australian ISMF, the german IT Grundschutz,…), all information security framework has risk management as its core.
Some people think of risk management as a painful and lenghty process used to justify security expanses or to achieve compliance with a standard. It can be just that.
But, first of all, it is a decision tool. A risk assessment is the tool used by senior managers to decide wether or not they should invest (additional) money in (more) security controls and in which one. For this reason, the identified risks must be credible, realistic and their likelihood (or frequency) and impact as accurate as possible. A bad assessment will likely lead to an unwanted level of residual risk.
Taking the time to clearly and concretely explain the risk scenario is an important task as senior managers are often lacking the technical knowledge to understand all the extent of the risks on their business. And this is normal, this is the risk managers or security officers’ job to translate these risks for the board.
I’m working for some time on a modelization of the information security governance processes in order to show the need to integrate all the available data. There is already a few models available but I try to create one that shows clearly the need to include information from a lot of sources in order to have a sound and efficient security management process. Here is a first draft of the integration of the risk management process in the software/system/solution developpment lifecycle.
Any feedback will be welcome. Information security governance is a complex process, any suggestion to improve it will be taken into account and shared with the community.