A risk assessment is essential in forming a clearer picture of how external and internal threats could affect your organisation, how severe and how likely those threats are, and how well your organisation is already prepared to deal with them.

There are many possible processes for conducting a risk assessment, but a good starting point for directors is NIST's guidance in SP 800-30 (Risk Management Guide for Information Technology Systems). NIST identifies nine stages in the information risk assessment process, starting with a review of the existing or proposed system and ending with a commitment to monitor the system on an ongoing basis.

System characterisation

By defining the scope of the risk management process, directors and IT personnel can understand the boundaries ...
