NII provides Information Security Risk Management consulting services for managing and mitigating the risks to the organization. Assessing information security risks is one element of a broader set of risk management activities. Other elements include establishing a central management focal point, implementing appropriate policies and related controls, promoting awareness, and monitoring and evaluating policy and control effectiveness.

Benefits of a Risk Assessment exercise

Some of the benefits of carrying out a Risk Assessment exercise are as follows:

Review the Information Security Policy and Network Security Architecture, then advise on and agree the scope of the Information Security Management System

Agree control objectives (Statement of Applicability)

Review controls (interview, observation, inspection)

Information Security Management status report and findings

Final report with recommendations for improvement and options for implementation of ISO 27001.

Implement the recommendations to bridge the identified gaps

Identifying threats that could harm and, thus, adversely affect critical operations and assets

Estimating the likelihood that such threats will materialize based on historical information and judgment of knowledgeable individuals

Identifying and ranking the value, sensitivity, and criticality of the operations and assets that could be affected should a threat materialize, in order to determine which operations and assets are the most important

Estimating, for the most critical and sensitive assets and operations, the potential losses or damage that could occur if a threat materializes, including recovery costs

Identifying cost-effective actions to mitigate or reduce the risk. These actions can include implementing new organizational policies and procedures as well as technical or physical controls

Documenting the results and developing an action plan

As reliance on computer systems and electronic data has grown, information security risk has joined the array of risks that governments and businesses must manage. Regardless of the types of risk being considered, all NII risk assessments generally include the following elements