For organisations operating in today’s ever-changing cyber threat landscape, having a plan in place for managing cyber security risk is vital for building defences against cyber attacks and protecting your people, assets and information.
Before we provide you with steps for how to tackle this, let’s take a quick look at why.
Your risk management plan will provide you with many benefits.
By understanding your risk exposure, you will have the knowledge you need to direct resources to treating the highest risks. By understanding and treating risks, you may be able to prevent cyber security incidents from occurring or at least reduce the impact, which can be more cost effective than dealing with the aftermath of a cyber security incident.
A risk management plan also helps you protect the confidentiality, integrity and availability of the data your organisation holds.
In addition, as we’ve seen in media reports, cyber security incidents can damage an organisation’s reputation. Effective risk management can minimise the potential of incidents occurring and their impact, which helps to maintain the trust of stakeholders and your reputation. A well-managed response to an incident can even enhance your reputation.
Key steps for building a risk management plan
The AARNet cyber security team recommends using the internationally recognised risk management standards (ISO 31000 or ISO 27005) to manage cyber security risks in your environment.
Engage with relevant stakeholders to perform the risk assessment, including key decision makers and employees who have knowledge of the critical business processes that are required for delivering your strategic and operational objectives.
Identify your organisation’s strategic and operational objectives and any legal or regulatory obligations. Understand the business’s risk appetite and perform the risk assessment based on the scope of the objectives identified.
Perform the risk assessment
Engage key stakeholders, identify the sources of risk to delivering your strategic and operational objectives, and consider the following:
- What could happen?
- How could it happen?
- What could it result in?
- What might be the impact?
- Why do we care?
Analyse and evaluate risks
Evaluate the identified risks in terms of their impact and likelihood, consider the existing controls and prioritise risks based on their severity. Use risk analysis techniques (e.g., qualitative and quantitative analysis) to assess risks.
Determine the mitigation step (accept, treat, transfer or avoid) and develop risk mitigation strategies and action plans for each risk, ensuring residual risk exposure is within your organisation’s risk appetite. Implement security controls and measures to reduce risks.
Monitor and review
Regularly monitor and review risk mitigation activities to ensure that they are on track and communicate delays to stakeholders when they occur. All risks should be reviewed at least annually, with the higher risks reviewed more frequently to ensure active steps are taken to treat the risk.
Record and report
Document the entire risk management process and its outcomes. Ensure that any risk that has been accepted was accepted by a person with the appropriate authority. Ensure that every risk has an assigned treatment and that these treatments are communicated to the relevant person(s). Ensure that the ownership of risks and treatments is documented and communicated, and that the accountabilities and responsibilities are understood. Report risk assessment results to internal and external stakeholders.
By following these steps, you can create a plan to effectively manage your cyber risk, build cyber resilience and help to protect your organisation from cyber threats.