Traditionally, risk assessments have been largely paper based. The Assessor will determine a scope relevant to the objective, and then undertake the assessment using a methodology described in one of the various international standards on risk management.

There are, however, many different approaches to risk assessment, and the standards are not prescriptive on exactly what or how to undertake such an assessment. The problem here is that the scope of the assessment is integral to the overall outcome.

To effectively perform cyber-risk assessment, you must think about the complex web of overlapping systems and supply chains that are now essentially part of the footprint of your business.

While the traditional risk assessments are still important as part of an overall risk management program, and they are still required under many of the standards. However, given the changing nature of cyber-risk, assessments must now be augmented with other methodologies.

We need to adopt assessment methods that are going to give a higher degree of assurance that we are identifying realistic vectors through which the business may be subjected to attack. We call this discipline Dynamic Risk Assessments (DRA).

To read the full blog article, visit Don’t shy away from Technical Risk Assessments.