Advisory Services

What is Information Risk Assessment?

Information risk assessment (a.k.a. Security Risk Assessment) is the process of identifying, estimating, and prioritizing information security risks. This provides a holistic view of the portfolio of assets, allowing managers to make informed resource allocation, tooling, and security control implementation decisions.


Objective of this assessment

Assess whether the ICT security controls in the system are working as intended
Assess the risks associated with the project
Establish a framework within which all the planned risk assessment activities will be managed, executed, and completed

Approach & Methodology

The Risk Assessment process will be based on international information security and risk management best practices. Defining the risk likelihood, risk impact, and risk categorization will follow the guidance of:

NIST 800-30r1
Guide for Conducting Risk Assessments
ISO/IEC 27005:2011
Information technology - Security techniques - Information security risk management
NIST 800-37r2
Risk Management Framework for Information Systems and Organizations

Where a security control is proposed as the response plan for a particular risk, control selection will refer to NIST 800-53r4, Security and Privacy Controls for Federal Information Systems and Organizations.

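The likelihood and impact scales referenced above combine into a level of risk through the qualitative matrix in Appendix I of NIST 800-30r1. The following Python script is an added worked example, not part of this advisory page or its engagement deliverables: it encodes the five-point scale and the likelihood x impact matrix (transcribed from memory of Table I-2 of 800-30r1; verify it against the published document before relying on it), scores a constructed sample risk register, and ranks the entries so that the ones needing a documented response plan surface first. The risk identifiers, descriptions and ratings are constructed sample data, not findings from any real assessment.

```python
"""Qualitative risk scoring in the style of NIST SP 800-30r1 Appendix I.

Added example; not part of the advisory page. The five-point scale and the
likelihood x impact matrix are transcribed from memory of Table I-2 of
SP 800-30r1 and should be checked against the published document before use.
The register entries below are constructed sample data, not real findings.
"""
from dataclasses import dataclass

# Ordered qualitative scale used for likelihood, impact and resulting risk.
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Rows: overall likelihood. Columns: level of impact, in LEVELS order.
# Cell: resulting level of risk (SP 800-30r1 Table I-2, transcribed).
RISK_MATRIX = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}


def risk_level(likelihood: str, impact: str) -> str:
    """Combine a qualitative likelihood and impact into a level of risk."""
    if likelihood not in RANK or impact not in RANK:
        raise ValueError(f"unknown level: {likelihood!r} / {impact!r}")
    return RISK_MATRIX[likelihood][RANK[impact]]


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    likelihood: str
    impact: str

    @property
    def level(self) -> str:
        return risk_level(self.likelihood, self.impact)


# Constructed register for a hypothetical project (sample data only).
SAMPLE_REGISTER = [
    Risk("R-01", "Internet-facing VPN appliance missing vendor patches", "High", "Very High"),
    Risk("R-02", "Admin portal accepts password-only logins (no MFA)", "Moderate", "High"),
    Risk("R-03", "Leaver accounts not disabled in the HR application", "Low", "Moderate"),
    Risk("R-04", "Loss of a laptop with enforced full-disk encryption", "High", "Very Low"),
    Risk("R-05", "Backups stored in the same account as production data", "Moderate", "Very High"),
]


def prioritize(register):
    """Order the register: highest risk first, then higher likelihood, then id."""
    return sorted(
        register,
        key=lambda r: (-RANK[r.level], -RANK[r.likelihood], r.risk_id),
    )


def needs_treatment(register, threshold="Moderate"):
    """Risks at or above the threshold that require a documented response plan."""
    return [r for r in prioritize(register) if RANK[r.level] >= RANK[threshold]]


def format_report(register) -> str:
    """Render the prioritized register as a plain-text table for the report."""
    lines = [f"{'ID':<5} {'Risk':<10} {'Likelihood':<10} {'Impact':<10} Description"]
    for r in prioritize(register):
        lines.append(
            f"{r.risk_id:<5} {r.level:<10} {r.likelihood:<10} {r.impact:<10} {r.description}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(SAMPLE_REGISTER))
```

Note that the matrix is not symmetric: a High likelihood of a Very Low impact event (the encrypted laptop, R-04) still scores Very Low, while a Moderate likelihood of a Very High impact event (R-05) scores High. The treatment threshold is an assumption for the example; the engagement sets its own in the prepare phase.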

Prepare for assessment

  • Define the scope of the risk management activities
  • Establish the context of the risk management process


Conduct the assessment

  • The process of risk identification, risk analysis and risk evaluation


Communication and consultation

  • Assist relevant stakeholders in understanding risk
  • Understand reasons why particular actions are required


Monitoring and review

  • Assure and improve the quality and effectiveness of the process design, implementation and outcomes


Recording and reporting

  • Document and report the outcome through appropriate mechanisms