How to Build Your WISP – Step 5: Performing a Risk Assessment
Now that you’ve established your Information Security Policy, assigned roles and responsibilities, developed an incident response plan, and tracked your assets, the next step in building your Written Information Security Plan (WISP) is performing a Risk Assessment. This step ensures that your security program is not just theoretical but actively protecting your business.
Why Does Risk Assessment Matter?
A Risk Assessment helps you:
Evaluate whether your security policies are being followed.
Identify gaps in compliance and their potential impact.
Develop a structured plan to address security risks.
Ensure compliance with the FTC Safeguards Rule, Gramm-Leach-Bliley Act (GLBA), and other regulations.
The Risk Assessment Process
Unlike traditional risk assessments that focus solely on external threats, this approach ensures that you are assessing your organization against your own policies. Here’s how to do it:
1. Review Your Information Security Policy
Break each policy down into simple yes/no questions.
For each policy, ask:
Are we compliant? If the answer is yes, move on.
If no, document why.
2. Identify Risks from Non-Compliance
For each non-compliant policy, determine the security risk it introduces.
Consider:
Impact: How serious would the consequences be if this policy is not followed?
Likelihood: What is the probability of this risk leading to an incident?
Residual Risk: The risk that remains after your current security controls are applied, that is, what is still left once reasonable mitigation efforts are in place.
3. Decide How to Address the Risk
Once risks are identified, determine the best course of action:
Mitigate: Apply security measures to reduce the risk.
Accept: If the risk is low and cannot be avoided, document the decision to accept it.
Transfer: Shift responsibility through vendor agreements or insurance.
Avoid: Change business practices to eliminate the risk entirely.
4. Document the Plan to Address the Risk
For each risk, document:
How it will be addressed (e.g., new controls, training, policy updates).
Timeframe for resolution (When will it be fully remediated?).
Temporary workarounds to enhance security while the issue is being resolved.
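The four steps above can be kept honest with a small risk register that refuses incomplete entries. The following Python is an added example written for this post, not code from the original article or from Zeus InfoSec. The scoring scale is an assumption, since the post gives no formula: impact and likelihood are each rated 1-5, inherent risk is their product, residual risk is the inherent score reduced by an estimate of how effective existing controls are, and the acceptance threshold of 6 is likewise a constructed value. The sample policy checks and findings are constructed, not real findings.

```python
"""Policy-driven risk register (added example, not the post's or Zeus InfoSec's code).

Scoring is an assumption: impact and likelihood are rated 1-5, inherent risk
= impact * likelihood, residual risk = inherent * (1 - control_effectiveness),
where control_effectiveness in [0, 1] estimates how much existing controls
already reduce the risk.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

TREATMENTS = ("mitigate", "accept", "transfer", "avoid")
ACCEPT_THRESHOLD = 6.0  # assumption: residual risk at or below this may be accepted


@dataclass
class PolicyCheck:
    """Step 1: one policy statement rephrased as a yes/no question."""
    question: str
    compliant: bool
    reason: str = ""  # why not; required when compliant is False


@dataclass
class RiskEntry:
    """Steps 2-4: the risk from one non-compliant policy and the plan for it."""
    policy: str
    risk: str
    impact: int                         # 1 (negligible) .. 5 (severe)
    likelihood: int                     # 1 (rare) .. 5 (almost certain)
    control_effectiveness: float = 0.0  # 0.0 = no current controls, 1.0 = fully controlled
    treatment: str = ""                 # one of TREATMENTS
    plan: str = ""                      # how it is addressed, or the acceptance rationale
    due: Optional[date] = None          # when it will be fully remediated
    workaround: str = ""                # interim measures while the fix is pending

    def __post_init__(self) -> None:
        if not (1 <= self.impact <= 5 and 1 <= self.likelihood <= 5):
            raise ValueError("impact and likelihood must be rated 1-5")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError("control_effectiveness must be between 0 and 1")

    @property
    def inherent(self) -> int:
        return self.impact * self.likelihood

    @property
    def residual(self) -> float:
        return round(self.inherent * (1.0 - self.control_effectiveness), 1)


def non_compliant(checks: List[PolicyCheck]) -> List[PolicyCheck]:
    """Step 1: keep only the 'no' answers and insist each one documents why."""
    gaps = [c for c in checks if not c.compliant]
    for c in gaps:
        if not c.reason.strip():
            raise ValueError(f"{c.question!r}: a non-compliant answer must document why")
    return gaps


def suggest_treatment(entry: RiskEntry) -> str:
    """Step 3 default: low residual risk may be accepted, anything else needs action."""
    return "accept" if entry.residual <= ACCEPT_THRESHOLD else "mitigate"


def validate_plan(entry: RiskEntry) -> List[str]:
    """Step 4: return the documentation gaps for one entry (empty list = complete)."""
    problems = []
    if entry.treatment not in TREATMENTS:
        problems.append(f"treatment must be one of {TREATMENTS}")
    if not entry.plan.strip():
        problems.append("plan: state how the risk is addressed or why it is accepted")
    if entry.treatment == "accept" and entry.residual > ACCEPT_THRESHOLD:
        problems.append(f"residual {entry.residual} exceeds {ACCEPT_THRESHOLD}; acceptance needs sign-off")
    if entry.treatment in ("mitigate", "transfer", "avoid"):
        if entry.due is None:
            problems.append("due: give the date by which it will be fully remediated")
        if not entry.workaround.strip():
            problems.append("workaround: state interim measures until remediation")
    return problems


def prioritise(entries: List[RiskEntry]) -> List[RiskEntry]:
    """Highest residual risk first: the order leadership should review them in."""
    return sorted(entries, key=lambda e: e.residual, reverse=True)


# Constructed sample data for a small firm (not real findings).
CHECKS = [
    PolicyCheck("Is full-disk encryption enabled on every laptop?", False,
                "three older laptops were never encrypted"),
    PolicyCheck("Is MFA required on all email accounts?", True),
    PolicyCheck("Are backup restores tested every quarter?", False,
                "backups run nightly but a restore has never been tested"),
]

REGISTER = [
    RiskEntry("Full-disk encryption on laptops", "a lost laptop exposes customer records",
              impact=5, likelihood=3, control_effectiveness=0.2, treatment="mitigate",
              plan="encrypt the remaining three laptops", due=date(2025, 6, 30),
              workaround="unencrypted laptops stay in the office until encrypted"),
    RiskEntry("Quarterly backup restore test", "backups may prove unrestorable after ransomware",
              impact=4, likelihood=2, control_effectiveness=0.5, treatment="accept",
              plan="annual restore test already performed; quarterly test deferred to next review"),
]

if __name__ == "__main__":
    for c in non_compliant(CHECKS):
        print(f"GAP: {c.question} -> {c.reason}")
    for e in prioritise(REGISTER):
        gaps = validate_plan(e)
        print(f"{e.policy}: inherent={e.inherent} residual={e.residual} "
              f"suggested={suggest_treatment(e)} chosen={e.treatment} "
              f"[{'documented' if not gaps else '; '.join(gaps)}]")
```

The point of `validate_plan` is that an "accept" decision without a written rationale, or a "mitigate" decision without a due date and interim workaround, is flagged as an incomplete record, which is exactly what an auditor checking against the Safeguards Rule will look for. Swap in your own scale and threshold; the structure of the register is what matters.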
Integrating Risk Management into Daily Operations
A risk assessment should be a living process and not a one-time exercise. To ensure risks remain managed:
Reassess periodically: Risk assessments should be performed at least annually and whenever major changes occur.
Incorporate into leadership discussions: Ensure business decisions consider security risks.
Train employees to recognize security gaps and report concerns.
Compliance and Documentation
To comply with regulatory requirements, your risk assessment should be well-documented and include:
A list of identified risks and vulnerabilities.
Plans for addressing each risk and workarounds in place.
Review schedules and responsibilities for updates.
Wrapping Up
A Risk Assessment is more than just a checklist—it’s a way to ensure your security program is working as intended. By systematically evaluating compliance with your own policies, identifying gaps, and developing realistic plans to address them, you create a stronger, more proactive security posture.
If you need guidance on conducting a structured risk assessment, Zeus InfoSec is here to help. We provide expert insights to help businesses evaluate risks, prioritize security measures, and build an effective WISP.
In the next post, we’ll cover Establishing Rules of Behavior and Conduct—helping your employees understand their role in maintaining security.
Still not sure where to start?
Check out Protect Your Business with Our Free Cybersecurity Checklist for Small Businesses or Free Cybersecurity Essentials eBook
Until next time…
Stay Safe. Stay Secure. And Remember…
Business is hard enough. Cybersecurity doesn’t have to be!