Enterprise Risk Register®: Information Security Management
Risk Assessment Software for ISO 27001 / ISO 17799 / ISO 27005

Enterprise Risk Register® combines good information and ease-to-use
to get maximum benefit out of your risk management efforts.

Enterprise Risk Register® risk management software: Information Center

	Your Selection:
	Download your information material and register for your product guide

Enterprise Risk Register® risk management software

	Click to request your product guide with lots of screenshots of Enterprise Risk Register® risk management software.
	Click to download a product brochure of Enterprise Risk Register® risk management software.
	Click to download a product presentation of Enterprise Risk Register® risk management software.
	Click to view an online product presentation of Enterprise Risk Register® risk management software.

Information Security Management and Risk Management

Information and information processing is one of the most critical success factors within all organisations. Accordingly, information security and its management is of major importance in order to protect this precious asset. The protection of information and information processing needs to ask about future threats: IT security risks. An effective and efficient risk management system is a necessary condition for successful IT security management. Standards like ISO 27001 / ISO 17799 / ISO 27005 require risk assessment and risk management as part of an Information Security Management System (ISMS). Further standards such as BS 7799-3 outline an information security risk management system. A systematic risk management approach shall be used to identify and assess risks and according treatments. Risk management software can facilitate the efforts of risk management. Enterprise Risk Register® is such risk management solution that can be used within IT security.

The Risk Management Process within Information Security Management

Risk management in IT Security does not formally distinguish from any other operational risk management. Quite often the PDCA-Approach (Plan-Do-Check-Act) is boroughed from quality management in order to visualise the basic steps of information security risk management. The following overview briefly outlines the basic steps in IT security risk management:

It is very important to understand the continuous process in risk management. The risk review is about re-thinking existing risks and their assessment as well as about new risks. The following table provides additional information on the risk management process steps:

Establishing the Basis	Inventory of information and information processing
Risk Identification	- Threat Identification (What is threatening?) - Vulnerability Identification (What is the weakness?) - Control Analysis (What controls are in place?)
Risk Assessment	- Likelihood (Estimating the likelihood) - Impact (What are the consequences?)
Treatment Identification	- Cost-Benefit Analysis - Decision for Treatments
Monitoring	- Risk Review - Treatment Monitoring
Risk Communication	Risk Reports, Risk Charts, Risk Dashboard

Risk Identification in Information Security Management

Risk Identification in information security management consists of three major steps:

Identification of assets: an asset is any item, material (resource) or non-material (process) that has a value for an organisation. The value of an asset is not necessarily monetary. E.g. a process does not have a monetary value in the balance sheet, but a broken process can cause a high loss of revenue;
Identification of threats: a threat is simply everything that reduces the value of the assets. Threats can have a natural origin (water, fire, etc.) or are human actions;
Identification of vulnerabilities: The must be a vulnerability present to an asset, otherwise the threat could not damage the asset. Mostly risk treatments will taken to remove the vulnerability of an asset because it often is not possible to remove the threat;

Risk Assessment in Information Security Management

In order to conduct a risk assessment we need to have clearly identified risks. Two questions need to be asked to learn about the risk:

What are the consequences of a risk occurring?
What is the likelihood that a risk will occur?

The results of risk assessments allow to rate risks and prioritise them in order to decide which risks are treated first.

Risk Treatments in Information Security Management

The basic rule for risk treatments is that they must have a return-on-investment higher than one. In other words: the benefits from the treatments must be higher than their costs. Risk treatments can be categorised as follows:

Risk removal;
Risk avoidance;
Risk transfer to a third party or an insurance company;
Action that reduce the consequence and/or likelihood of a risk;
Risk Acceptance;

Benefiting from implementing Enterprise Risk Register® risk management software

Enterprise Risk Register® is a web-enabled multi-user Microsoft .NET application using SQL Server relational database supporting hundreds of decision makers across the enterprise.

Enterprise Risk Register® assists the user to collect all data used to successfully run a risk management system. The software enables the user to store all relevant data in risk management, assists in risk analysis, keeps the history, helps monitoring risks, and makes all data available for reporting on risks.

Enterprise Risk Register® is risk management software package to manage general organisational risks related to people, property, reputation, assets and the environment. This includes information security risk management, but is not limited to it. Enterprise Risk Register® supports the major risk management standards including ISO 17799 / ISO 27001 / ISO 27005.

Enterprise Risk Register® is a very effective risk management software because it ...

helps reducing information security risks and decreasing the cost of risk treatment;
keeps track of who "owns" the risk, or risk treatment;
monitors risks by context - department, division, location, project, process, asset or risk category;
evaluates cost and effectiveness of each risk treatment;
is an invaluable management tool for the return is many times higher than the cost of the investment;
produces documentary evidence for courts or regulators regarding treatments undertaken.

In brief: Enterprise Risk Register® helps you to comply with ISO 17799 / ISO 27001 / ISO 27005.

Enterprise Risk Register®: Features that assist in information security risk management

Using Enterprise Risk Register® improves information security risk management efforts because:

information security risk management becomes consistent with enterprise risk management;
administrative work is significantly facilitated;
it speeds up the risk management process;
a risk history allows to trace back;
alerts are initiated when risk reviews or treatments are overdue.
the information security risk status is displayed in a dashboard and lots of charts;

Enterprise Risk Register®: Information Security ManagementRisk Assessment Software for ISO 27001 / ISO 17799 / ISO 27005

Enterprise Risk Register® combines good information and ease-to-useto get maximum benefit out of your risk management efforts.