Cyber Risk Management

“Digital technologies, devices and media have brought us great benefits and offer enormous opportunities but their use also exposes us to significant risks.”

- The Institute of Risk Management

  1. Overview

“By ‘cyber risk’ we mean any risk of financial loss, disruption or damage to the reputation of an organisation from some sort of failure of its information technology systems.”

“Cyber Risk management is managing the risks related to cyber activities both from the technical and the socio-technical layer of cyberspace.”

Cyber Risk Management is an integral part of business assurance. It also helps protect your organisation from breaches that impact brand, intellectual property and compliance. The assessment of cyber risk (what do I want to protect, what is its value, what is the business impact if we lose it or if it fails, and what is the chance of it going wrong) is therefore an essential step in the risk management process.

Thus, a cyber risk management programme prioritizes the identified risks in terms of likelihood of occurrence, then makes coordinated efforts to minimize, monitor and control the impact of those risks.

  2. Approach

At Seven Step Consulting Cyber Risk Management means working with you to

  • identify and assess the related cyber risks,
  • determine acceptable risk levels of the assessed risks and
  • design a balanced set of preventive and repressive measures to reduce them to acceptable levels

Risk is often defined as "Probability multiplied by Impact", so in order to practice risk management, one should know:

  • The assets in/connected to cyberspace
  • Potential threats and their likelihood of occurrence
  • The impact on the mission/operation
  • Scenarios about future developments

At Seven Step Consulting, Cyber Risk Management is practiced with the help of a risk management cycle. Typically, this cycle runs every year and contains roughly three stages:

  1. Assess the risk – As described above, the assets, the probabilities and the impacts need to be identified. Inputs for this step are the findings of the first analysis of the threat field or the monitoring conclusions of the previous cycle.
  2. Control – Based on the impact and the accepted risk level, control measures that bring the risks down to an acceptable level need to be taken. As mentioned earlier, the level of risk that is accepted is a political/strategic choice.
  3. Monitor – Monitoring means two things here: (1) checking whether the identified risks are correct and whether the countermeasures have the desired effect, and (2) tracking how the threat landscape is evolving and whether additional measures are needed for the next cycle. The second part also includes monitoring how possible future scenarios are developing; note its link with situational awareness.

Our Cyber Risk Management methodology is based on global standards such as ISO 31000, ISO 27005 and the NIST Cybersecurity Framework.

Our framework considers the following areas:

  1. Establish the context
  2. Identify risks
  3. Identify controls and check effectiveness
  4. Analyze and test remaining risk
  5. Risk response

Our Cyber Risk Management methodology assists clients with establishing quantitative measures to continuously evaluate their security status. This enables organizations to monitor and report on cyber risk, and act promptly on results that fall outside agreed thresholds or risk appetites.

  3. Benefits

  • Analyze cyberthreats, insider risks, and data breaches – and control exceptions – by line of business
  • Prioritize response and remediation activities according to business impact
  • Reassure business stakeholders of your security posture at a time when the question is not IF a cyberattack will happen, but WHEN it will happen
  • Consolidate risk and compliance requirements across functions and standardize cybersecurity procedures across all your IT and business applications
  • Align cyber standards with internal controls and operations and clearly communicate your vision and progress on resolving issues
  • Automate the intake of cybersecurity frameworks, mandates, and regulations and the related change management processes

  4. Deliverables

Our services can also provide organizations with guidance on achieving, assessing and delivering compliance programs, including but not limited to PCI DSS, ISO 27001, and privacy, data protection and industry-specific regulations.

We will perform an assessment of the current Policies and Standards, Organisational Structure and Reporting Framework relating to cyber security, based on leading practice standards and frameworks, and provide a report highlighting the areas of concern together with recommendations for closing the gaps. We shall capture your organization's unique characteristics and its current and target state capability maturity, and use our extensive experience and library of good practice attributes to work towards your cyber strategy. Once priorities have been set, we will help you define and develop your cyber security policies and standards, organizational structure and reporting metrics.

Some of the key outputs are:

  1. Cyber Risk Metrics
  2. Cyber Risk Management
  3. Third Party Cyber Risk Management
  4. Security Policies & Standards
  5. Security Control Frameworks
  6. Security Compliance
  7. Security Regulation
