Information Security Threat & Risk Assessment


What is it?

An Information Security Threat & Risk Assessment is the process of defining, locating and categorising the information assets associated with your business, determining the security threats and vulnerabilities associated with those assets, and mitigating those threats in line with your business goals. A good threat & risk assessment should answer the following questions:

  • What do I need to protect and where is it located?
  • What is the value of this information to the business?
  • What are the vulnerabilities associated with the systems processing or storing this information?
  • What are the security threats to these systems and the probability of their occurrence?
  • What would be the damage to the business if this information were compromised?
  • What should be done to minimise and manage the risk?

Why should I do it?

It’s the first and most crucial step in information security risk management. It identifies exactly what your business needs to protect, where it’s located and why you need to protect it in real cost impact terms that everyone should understand.

Everything else in your security programme follows from this assessment. If you are security testing your systems and have not conducted a threat assessment, you are wasting your time and money, as the objective of any security test should be to attempt access to the information you are trying to protect.

The outcome provides clear security objectives for your architecture, policies, procedures, employees, testing, incident response and business continuity planning, and should serve as your yardstick for budgeting.

If that’s not reason enough, conducting Information Security Threat & Risk Assessments is internationally recognised best practice and required for compliance with virtually all governance, risk and compliance frameworks.

How often should I do it?

An Information Security Threat & Risk Assessment should be conducted at least annually or after any significant change to your systems (e.g. move to a cloud platform) or business processes.

What will Risk Factory do?

  • Provide an information asset register for your completion by your business stakeholders.
  • Confirm the location and value of your business-specific information assets.
  • Conduct a network security vulnerability scan of your systems.
  • Identify and quantify security threats to your business information assets.

What will I receive?

  • An information security threat and risk assessment based on ISO-established principles and best practice.
  • A list of your business information assets forming an information asset register.
  • A comprehensive report detailing prioritised remedial actions for mitigating the threats to your information assets. To see a sample report just contact our Risk Factory Foreman.
  • A certificate of validation for evidence of compliance.

Is there anything I need to do in advance?

You’ll need to supply the names and number of external-facing Internet Protocol (IP) addresses associated with your systems for us to use in conducting the technical security vulnerability assessment. If you don’t know these, don’t panic; our Factory Foreman can help you.