Taking a risk-based approach to information security

Taking a risk-based approach that applies sound risk management allows you to tailor an information security framework to your organisation’s operating context and the threats it may face.

INF004

In response to these threats, a risk-based approach that applies sound risk management will best allow you to tailor an information security framework to your organisation’s operating context and the threats it may face.

Not all information should be treated equally. Some information is more valuable or sensitive, requiring a greater level of protection. You must understand the value, importance, and sensitivity of your information. This will determine the minimum requirements you need to protect it from harm.

The Business Impact Levels (BILs) tool can be used to assess the value of your information and the potential impact if that information is compromised. Along with assessments of event likelihood, threats, and vulnerabilities, BILs should inform a robust risk assessment.

Consider the impact on your organisation if the following examples occurred.

  • A database with sensitive information was corrupted.
  • An unauthorised person deliberately accessed and shared sensitive information with the media.
  • Your information was accidentally released to third parties.

Following a risk management approach will help you identify other scenarios that could occur in your organisation.