The pragmatic "iterative risk assessment" method, updated
Last year in the course of collaboratively developing the Adaptive SME Security method, a friendly group of experts from the ISO27k Forum came up with the 'iterative risk assessment' approach. It is a pragmatic way to start a regular security improvement cycle - one that is realistic even for the tiniest of micro-businesses (sole proprietors).
The process is a simplified version of conventional information risk management, tackling just one piece of the puzzle at a time.
The bite-sized chunks can be picked up and chewed over as-and-when, and parked temporarily if (when!) something more urgent comes up.
Each run through the cycle uses a single incident to exemplify and explore the associated risks in a way that any SME can manage. In fact, even larger organisations might benefit from this approach if their information risks aren't being managed effectively, whether to re-energise the process or to share the work throughout the business.
Time-boxing the cycle at (say) a month should avoid getting bogged down and stalling on the details, whilst retaining some sense of urgency. The process should get better (quicker, easier, more effective, more insightful, more valuable!) with each run.
Comments and especially improvement suggestions are welcome. Please email me (Gary@isect.com) or raise it on the ISO27k Forum or LinkedIn.