March 8, 2018

Last Updated on January 19, 2024

One thing many of our customers struggle with is integrating ongoing risk assessments into their cybersecurity programs.
That’s a real problem, as an optimized cybersecurity program is fully reliant on understanding risk and putting the right information security controls in place to reduce those risks to an acceptable level. It’s even more of a problem if you are ISO 27001 certified, because risk assessment is central to your Information Security Management System (ISMS) and an area auditors focus on during your ISO 27001 certification and surveillance audits. If you fail to show ongoing risk assessment, you risk losing your certificate.

A Powerful Risk Assessment Methodology

Recently the CISO (Chief Information Security Officer) of a major law firm we helped get ISO 27001 certified called me to “pick my brain” about their risk assessment process, and how he could better integrate risk assessment into their everyday thinking for both risk management and ISO 27001 reasons.
The conversation crystallized for him when I said, off the top of my head, “Think of it as a risk register where you log all of the risks you have to deal with, how significant they are, and how you will or have already addressed them.” While that response made him happy, it made me even happier, because I’d come up with a simple phrase/idea that so much more effectively communicates what risk assessment is about—a risk register. He joked that he should charge me for our calls, which is probably right, as every time we chat I walk away from the call a little bit smarter.
So far so good with my new way of communicating our risk assessment framework and process. I have used this risk assessment methodology recently with:

  • An insurance company building out an NY DFS 500 conforming information security program
  • A SaaS provider to the financial services industry, which uses Pivot Point as their vCISO
  • A public transportation firm dealing with a highly diverse set of risks

In each case I got the same “A-ha!” reaction.
I’m excited that a simple turn of phrase seems to be communicating such an important concept in a much more effective way.
Now go update your risk register!
