NOWECO Management Software

Information Security Management / ISO 27001
with Enterprise Risk Manager™

Information Security Management and Risk Management

Information and information processing are among the most critical success factors in every organisation. Accordingly, information security and its management are of major importance in protecting this precious asset. Protecting information and information processing also means asking about future threats: IT security risks.

An effective and efficient risk management system is fundamental to successful IT security management. Standards such as the ISO 27000 series require risk assessment and risk management as part of an Information Security Management System (ISMS). A systematic risk management approach shall be used to identify and assess risks and to prepare treatments. Enterprise Risk Manager™ can facilitate this risk management effort.

The Risk Management Process within ISMS

Risk management in IT security does not formally differ from any other operational risk management. The PDCA approach (Plan-Do-Check-Act), also known from quality management, visualises the main steps of information security risk management:


Continuous IT Risk Management

It is very important to understand that risk management is a continuous process. The risk review is about re-thinking existing risks and their assessment as well as about identifying new risks. The following table provides additional information on the risk management process steps:

Establishing the Basis
  • Inventory of information and information processing
Risk Identification
  • Threat Identification
  • Vulnerability Identification
  • Control Analysis
Risk Assessment
  • Likelihood
  • Impact/Consequences
Treatment Identification
  • Cost-Benefit Analysis
  • Decision for Treatments
Monitoring
  • Risk Review
  • Treatment Monitoring
Risk Communication
  • Risk Reports, Risk Charts, Risk Dashboard

Risk Identification in Information Security Management

Risk Identification in information security management consists of three major steps:

1. The identification of assets
2. The identification of threats
3. The identification of vulnerabilities

  • Identification of assets: an asset is any item, material (a resource) or non-material (a process), that has a value for an organisation. The value of an asset is not necessarily monetary. For example, a process has no monetary value in the balance sheet, but a broken process can cause a high loss of revenue.
  • Identification of threats: a threat is simply anything that reduces the value of an asset. Threats can have a natural origin (water, fire, etc.) or can be human actions.
  • Identification of vulnerabilities: a vulnerability must be present in an asset, otherwise the threat could not damage the asset. Most risk treatments are taken to remove the vulnerability of an asset, because it is often not possible to remove the threat.

Risk Assessment in Information Security Management

In order to conduct a risk assessment we need to have clearly identified risks. Two questions need to be asked to learn about the risk:

  • What are the consequences of a risk occurring?
  • What is the likelihood that a risk will occur?

The results of the risk assessment make it possible to rate risks and prioritise them, in order to decide which risks are treated first.

Treatment Identification in Information Security Management

The basic rule for risk treatments is that they must have a return-on-investment higher than one. In other words: the benefits from the treatments must be higher than their costs. Risk treatments can be categorised as follows:

  • Risk removal
  • Risk avoidance
  • Risk transfer to a third party or an insurance company
  • Actions that reduce the consequences and/or likelihood of a risk
  • Risk acceptance
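The two assessment questions (consequences and likelihood) and the treatment rule (return on investment higher than one, otherwise accept the risk) can be carried through on a small risk register. The following is an added example and not code from the page or from Enterprise Risk Manager™; the register entries, the treatments, the use of annual probability times monetary loss as the risk rating, and the monetary figures are all constructed assumptions, since the page gives no scale of its own.

```python
"""Risk assessment and treatment selection over a constructed risk register
(added example; assumes likelihood is an annual probability and impact a
monetary loss per occurrence, so rating = annual loss expectancy)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Risk:
    """One register row: an asset, the threat to it and the vulnerability
    through which the threat can damage the asset."""
    risk_id: str
    asset: str
    threat: str
    vulnerability: str
    likelihood: float  # assumed scale: probability of occurrence per year (0..1)
    impact: float      # assumed scale: consequence as monetary loss per occurrence

    def exposure(self) -> float:
        """Rate the risk from the two assessment questions: likelihood x consequence."""
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Treatment:
    """A candidate treatment and the residual risk it leaves behind."""
    name: str
    category: str  # removal / avoidance / transfer / reduction / acceptance
    annual_cost: float
    residual_likelihood: float
    residual_impact: float

    def residual_exposure(self) -> float:
        return self.residual_likelihood * self.residual_impact


def prioritise(register: List[Risk]) -> List[Risk]:
    """Assessment output: the register ordered by rating, highest first."""
    return sorted(register, key=lambda r: r.exposure(), reverse=True)


def roi(risk: Risk, treatment: Treatment) -> float:
    """Return on investment: exposure removed by the treatment divided by its cost.
    A free treatment with any benefit counts as unbounded ROI."""
    benefit = risk.exposure() - treatment.residual_exposure()
    if treatment.annual_cost <= 0:
        return float("inf") if benefit > 0 else 0.0
    return benefit / treatment.annual_cost


def accept(risk: Risk) -> Treatment:
    """Risk acceptance: nothing is spent and the risk stays as assessed."""
    return Treatment("accept risk", "acceptance", 0.0, risk.likelihood, risk.impact)


def select_treatment(risk: Risk, candidates: List[Treatment]) -> Treatment:
    """Basic rule: only treatments with ROI > 1 qualify; take the best of them,
    and fall back to acceptance when none qualifies."""
    viable = [t for t in candidates if roi(risk, t) > 1.0]
    if not viable:
        return accept(risk)
    return max(viable, key=lambda t: roi(risk, t))


def treatment_plan(register: List[Risk],
                   candidates: Dict[str, List[Treatment]]) -> Dict[str, Treatment]:
    """Decide a treatment for every risk, working through the register in priority order."""
    return {r.risk_id: select_treatment(r, candidates.get(r.risk_id, []))
            for r in prioritise(register)}


# Constructed sample register (deliberately not in priority order).
REGISTER = [
    Risk("R3", "public website", "denial of service", "no rate limiting", 0.5, 5_000),
    Risk("R1", "customer database", "ransomware", "unpatched file server", 0.3, 200_000),
    Risk("R2", "payroll process", "fire", "single site, no recovery plan", 0.02, 500_000),
]

# Constructed candidate treatments per risk (name, category, cost, residual likelihood, residual impact).
CANDIDATES = {
    "R1": [Treatment("patch management programme", "reduction", 15_000, 0.05, 200_000),
           Treatment("cyber insurance", "transfer", 25_000, 0.3, 50_000)],
    "R2": [Treatment("second site with failover", "reduction", 40_000, 0.02, 50_000),
           Treatment("fire insurance", "transfer", 3_000, 0.02, 100_000)],
    "R3": [Treatment("DDoS-protected CDN", "reduction", 6_000, 0.1, 5_000)],
}

if __name__ == "__main__":
    for risk in prioritise(REGISTER):
        print(f"{risk.risk_id}: exposure {risk.exposure():>9.0f}  ({risk.asset} / {risk.threat})")
    for risk_id, chosen in treatment_plan(REGISTER, CANDIDATES).items():
        print(f"{risk_id}: {chosen.name} [{chosen.category}]")
```

Running the block ranks R1 (60,000) ahead of R2 (10,000) and R3 (2,500). For R1 the patch programme removes 50,000 of exposure for 15,000 (ROI 3.33) and beats the insurance option; for R2 only the insurance clears the ROI threshold, so the risk is transferred; for R3 the only candidate costs more than the exposure it removes, so the risk is accepted, which is the case the treatment rule exists to catch.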

Technical Description

Enterprise Risk Manager™ is a web-enabled, multi-user Microsoft .NET application using a SQL Server relational database and supporting hundreds of decision makers across the enterprise. It includes Microsoft Windows single sign-on authentication, role-based security for risk management in context, international dates and currencies, and translatability into any other language.

Enterprise Risk Manager™ is a product within Incom’s overall software suite known as INCOM®, and may be integrated with:

  • Enterprise Incident Manager™ to manage workplace injury and other incidents.
  • Compliance Manager to respond to the multitude of laws and regulations.
  • Control Self Assessments to validate processes and systems.

All software has the same look and feel.

Benefits of Enterprise Risk Manager™

Enterprise Risk Manager™ is very effective risk management software because it ...

  • helps reduce information security risks and decrease the cost of risk treatment
  • keeps track of who "owns" the risk, or risk treatment
  • monitors risks by context - department, division, location, project, process, asset or risk category
  • evaluates cost and effectiveness of each risk treatment
  • produces documentary evidence for courts or regulators regarding treatments undertaken
  • speeds up the risk management process and facilitates administrative work significantly

Further information and DEMO

Presentation: click to read more about Enterprise Risk Manager.

Email request: click to request your presentation of Enterprise Risk Manager.

Download: click to download a product brochure of Enterprise Risk Manager.