The first five steps to developing your information risk strategy

In: Data Privacy & Protection | On: Mar 18, 2014

Introducing Alan Elwood, Director Risk and Resilience Ltd.

When it comes to managing information, it’s easy to fall into the trap of thinking that once the audit is over, the job is done. In fact, the audit is just the start. Looking beyond the auditor’s expectations will help you start to align information management with your business goals and potential vulnerabilities.

Here’s an outline of the first five steps to building an information risk strategy.

  1. Define the strategic aims and objectives of your business. What is your business there for? Which key products and services do your clients rely on? What do you have to maintain no matter what happens? What are your clients' expectations if things go wrong? What are your legal obligations?
  2. Determine the critical activities that must be recovered no matter what. Decide how quickly you need to recover them and the level of service to be maintained. These concerns differ from business to business. For example, a university could decide that exams are essential to its business and must be recovered within a week; a bank may have only a matter of minutes or hours to get its critical activities operating again.
  3. Decide what resources are essential. This is where information comes in. Think of information as a critical resource: systems, processes and even people are of limited use if they don't have access to accurate, timely and verified information. Understand the information requirements of your business and accurately establish the Recovery Point Objective (RPO) for each critical activity. The RPO defines the level of information that must be accessible within a set time period for a critical activity to be considered resumed.
  4. Identify your vulnerabilities so that you can address them. Is your information held in hard copy alone? Is it in legacy applications? Can it be easily restored onto servers from backups, or will it take more effort to restore it from any manual workarounds adopted? This step is not just about appraising the risks connected with losing information. It's about looking at the bigger picture and planning how you will get hold of the information needed to get up and running after a catastrophe.
  5. Implement mitigation measures. These will address the risks to your information, but in many cases residual risks will remain. This is where Business Continuity Management approaches can be employed. Build contingency plans to cater for the residual risks should they occur. Ensure vital information is retrievable through backup and access strategies, including being able to get hold of information held securely at offsite storage in a crisis, and in time. Your strategy should take into account how quickly you can access information, the form it needs to be in and the level of detail you need.

Alan Elwood is a highly experienced, award-winning resilience professional with particular expertise in Crisis and Business Continuity Management. He is a seasoned practitioner and has worked with a range of organisations, from blue-chip multinationals to SME family-owned businesses. Alan has advised clients in the aviation, aerospace, manufacturing, charity, food, public, construction, media, utilities, energy and banking sectors. He has guided multiple organisations to BS 25999 and ISO 22301 accreditation, including one of the first companies in Ireland to achieve ISO 22301. Alan holds an MSc in Management from Cranfield University and is a member of the Emergency Planning Society, the Business Continuity Institute and the Institute of Civil Protection and Emergency Management.

He'll be speaking at the Information at Risk event on 10 April in Belfast.

About the author

Christian Toon

Christian Toon is a former Iron Mountain employee who now works closely with our business in his new role as Senior Cyber Security Expert at PwC UK. Christian's thought leadership in this space is well acknowledged across the industry. Christian has obtained numerous industry-specific and recognised qualifications: he is a qualified PRINCE2 Practitioner and ISO/IEC 27001:2005 Lead Auditor, and also holds auditing qualifications in ISO 9001, ISO 18001 and ISO 14001. Christian has also completed all the Information Assurance levels from the National School of Government. Christian's application to the Institute of Information Security Professionals (IISP) is currently under review, along with a potential application to further his development with a Master's in Information Security.