Writing good ad-hoc security assessments – Part 2

By | 5th October 2018

Following on from part 1 of this blog series, in this second blog post in my series, I’m asking the question “what should a good ad-hoc risk/impact assessment look like?”

Good ad-hoc risk/impact assessments focus on essential content in a way that addresses risk management requirements. Ideally an ad-hoc risk assessment should be around 4-5 pages long not including top-and-tail corporate pages and content, but can be shorter, even down to a single page if needed.

Content should cover the following themes, drawn from ISO/IEC 27005:

  • Project related data and identity of the assessor
  • Version control history and formal sign off
  • Introduction
    • Including the (residual) risk tolerance of stakeholders or accreditor
  • A description of the issue or change at hand
  • An extended discussion of security-relevant aspects
  • A risk assessment and treatment
  • Description of any new controls required
  • Supplementary notes
  • Broader impact, e.g. on security documentation (e.g. update to global control list), notification to other teams
  • Summary
  • Appendix (not essential, but if technical data needs to be presented/graphs/etc.)
  • List of references (e.g. other security/assurance documentation)

Of the above topics, the most critical elements are the risk assessment and treatment, documenting any new controls, and broader impact sections.

Some of these steps should be simplified, to ensure the assessment can be completed at pace and to have immediate value.

A pitfall in ad-hoc assessment is the potential for new controls to go untracked in larger enterprise control sets. In other words, introducing new controls in the ad-hoc assessment that are not monitored or reviewed – they serve their purpose at the ad-hoc level, but the potential for them to be tracked at enterprise level is completely overlooked. This is not getting good value out of the process.

It’s really important to make that happen, ensuring controls are picked up and adopted at enterprise level if required. It’s a quick win that saves time at enterprise or business unit level.

Similarly, it’s also important that enterprise risk assessments are updated with any findings from ad-hoc assessments. Ideally, ensure both types of assessments are stored within an ISMS and manage them through that lens.

Ideally a template should be developed that captures the above content and be continuously updated to the unique requirements of the organisation. For instance, managed through PDCA review in an ISMS.

In part 3 I’ll be taking a closer look at how ad-hoc risk assessment and treatment can be carried out quickly and easily.