Information security risk analysis is the point where every sensible security programme begins. It is what answers the question of where to spend money first. Without it, a company buys tools driven by fear or by a salesperson’s presentation, instead of by real risk. Below is the way I run this analysis in SMEs.
Why analyse risk at all
The goal is not to build a thick document, but to make better decisions. A good analysis says clearly: these three things threaten you the most, so that is where we start.
- ISO 27001 requires it and, in practice, so does NIS2.
- It orders your spending: the biggest risk first, at a reasonable cost.
- It gives you an argument in conversations with the board, because it shows consequences, not just technology.
The worst risk analysis is one that was created once, for a certificate, and never influenced a single decision. I see them regularly. A nice file, zero impact on reality.
Step 1: inventory your assets
You cannot protect something you do not know about. Start with a list of information assets, but do not drown in detail.
- Data: customer databases, HR data, documentation, special categories of data.
- Systems: email, line-of-business systems, the website, infrastructure.
- Critical processes: sales, production, customer service.
For each asset, assess how important its confidentiality, integrity and availability are. This helps you later tell the truly important things apart from the rest.
Step 2: identify threats and vulnerabilities
For each significant asset, note what bad thing can happen and what makes it possible.
- Threats: ransomware, phishing, hardware failure, employee error, theft, a leak at a supplier.
- Vulnerabilities: no MFA, no restore testing of backups, outdated systems, excessive privileges.
Do not multiply scenarios endlessly
The temptation to list hundreds of combinations is strong. Focus on scenarios that are realistic for your company and industry. A short list of relevant threats is better than an encyclopedia no one will read.
Step 3: estimate risk with a consistent method
We estimate risk as a combination of likelihood and impact. For an SME, a simple scale is perfectly sufficient, for example from 1 to 5 for each dimension.
- Assess the likelihood of occurrence.
- Assess the impact: financial, legal, reputational, operational.
- Calculate the risk level, for example as the product of the two scores.
- Set an acceptability threshold above which you have to act.
The most important thing is to use the same method for all risks. Consistency matters more than the false precision of complicated formulas.
Step 4: plan how to treat the risk
For each risk above the threshold, choose how to treat it. There are four classic options.
- Reduction: implementing safeguards, for example MFA, EDR, ransomware-resistant backups.
- Transfer: insurance or passing part of the risk to a supplier.
- Avoidance: giving up a risky activity or technology.
- Acceptance: a conscious agreement to bear the risk, if the cost of defence outweighs the benefit.
The result is a risk treatment plan: what we do, who is responsible, by when and for how much money. It is this document that changes a company.
Step 5: keep the analysis alive over time
Risk changes along with the company, technology and threats. An analysis from two years ago describes a company that no longer exists.
- Review the analysis periodically, for example once a year.
- Update it after significant changes: a new system, a new location, a new supplier.
- Return to it after every incident, because an incident is a free lesson about real risk.
The most common mistakes
- An analysis detached from decisions, that is, paper for paper’s sake.
- A focus on technology that ignores business consequences.
- Too fine a scale, which creates an illusion of precision.
- No owner, so the document quickly goes stale.
Summary
A good risk analysis is simple, consistent and leads to concrete decisions. It should show the board where it hurts most and direct money there first. Everything else, including compliance with ISO 27001 and NIS2, follows naturally.
If you want to run a risk analysis that sets your priorities, take a look at our risk analysis service. And when you first need hard data on the state of your safeguards, a good start is a cybersecurity audit.