ISO 27001 and other security frameworks generally mandate, in one form or another, a risk treatment plan. Let’s take a look at the three biggest reasons why the experts think a risk treatment plan is so important.
1. Your Business Activity Always Introduces New Risks
Especially these days with accelerated application development (i.e., DevOps), lines of business are rolling out all kinds of applications and technology initiatives that access sensitive data in back-end systems—often without systematically analyzing the new risk exposure this creates.
Once an application is “out there” in the hands of users, risk treatment options are fewer and more expensive than if risk is addressed from the outset. Security teams (or whoever is focused on security) need to work closely with business groups to analyze and plan to treat risk starting when new systems are being designed.
How sensitive is the data being accessed? How grave are the business impacts of its exfiltration or loss? Which of the four possible risk treatment options (avoid the risk, transfer the risk to a third-party, accept the risk or mitigate the risk with controls) are viable, and in what timeframe? Questions like these are the basis for a risk treatment plan as ISO 27001 defines it.
2. Otherwise, You’re Flying Blind
I’ve never worked with a client that had addressed—or even identified—all their current security risks. Understanding and prioritizing your risks and documenting a plan to treat them is the essential foundation for investing time and money on security technology and processes. It’s step one when we need to directly reduce business risks in alignment with business goals.
In short, your risk treatment plan is what guides your InfoSec investments and efforts. But a risk treatment plan isn’t all about adding more controls. It’s also about showing due diligence by documenting exposures and deciding how to “treat” the exposure.
If you make a risk treatment plan and there’s a breach and subsequent legal action, at least you can show due diligence and explain your analysis process. On the other hand, if you don’t have a risk treatment plan and there’s a breach, stakeholders and regulators may well ask: “What were you thinking?!”
It’s hard to argue that “failing to plan” is anything but negligent in today’s climate of relentless cyber threats.
3. You’ll Soon Be Required to Do it Anyway
Regulations aren’t going away—these demands are increasing, and that trend will only escalate where cybersecurity is concerned. Sweeping regulations like the EU’s GDPR are already impacting many US businesses, and the global nature of business information interchange combined with mounting consumer outrage about compromised personally identifiable information (PII) makes more mandated security controls inevitable.
The sooner you start creating your risk treatment plan, the better off you’ll be when you need to answer to customers, investors and/or regulators. This is especially relevant in instances where you consciously decide and agree alongside business stakeholders to accept a risk for now (e.g., for financial reasons) and document a plan to mitigate it in the future.
To line up the support you need to begin analyzing your security risks and creating a risk treatment plan, contact Pivot Point Security.