Information Security by Andy Taylor
Step 6 – Monitor the situation
Do I need to do it all again next year? The answer is ‘probably’. Unfortunately the world does not sit still, and risks come and go almost as regularly as the tides. Some risks will scarcely change over time, and reviewing them is little more than confirming that they are still relevant and that the assessment of their impact and likelihood is still about right. There will, though, be risks that change significantly.
Once the controls have been chosen and implemented, that decision must be recorded in the risk register and an owner identified for each risk. The owner’s job is to ensure that the chosen course of action is maintained as intended, and that the risk is monitored so that it can be managed.
Some risks will disappear altogether – perhaps an old derelict building next door, seen as a fire risk because of the children playing in it, is pulled down and replaced with a brand new factory which is much less of a fire risk. Some other risks will appear: that new building next door is processing chemicals, which brings new potential risks of contamination, explosion and catastrophic destruction.
Even those risks that have been evident all along need to be reassessed regularly. Things change, and a change in the impact, the likelihood or some other aspect of the risk may well lead to a revised decision on how to manage it. Its priority may also change, becoming more or less important in the business’s view and so receiving more or less resource to manage it. Alternatively, given the speed of technological development, there may now be a more effective way of managing the risk.
Monitoring the effectiveness of the controls is also critical if the risk is to be mitigated appropriately. A control that was chosen but never tested, or that has quietly stopped working, provides no real reduction in risk, however it is recorded in the register. You need to check that the control is still doing what it was intended to do, assess whether you made the best choice in the first place, and consider whether additional measures might improve security.