Checklist for Risk Management

Risk management can be relatively straightforward if you follow some basic principles. Below are some practical hints that you may find useful:

  • Take IT security into consideration from the outset when you plan new or changed IT systems.
  • Actively look for IT-related risks that could impact upon your business. A workshop will help you to think more imaginatively about risks than doing it alone.
  • Consider the opportunity, capability and motivation behind potential attacks.
  • Assess the seriousness of each IT risk so that you can focus on those which are most significant.
  • Implement standard configurations for PCs, servers, firewalls and other technical elements of the system.
  • Do not rely on just one technical control (e.g. a password). Use two-factor authentication to verify user identity, combining something you have (such as an ID card) with something you know (a PIN or password).
  • Support technical controls with appropriate policies, procedures and training.
  • Make sure you have a business continuity plan covering any serious IT-related risks that you cannot fully control.
  • Regularly review and update your IT risk assessment and business continuity plan.
  • Establish an effective incident recording and management system.
  • Consider certification to the information security management standard ISO/IEC 27001 for your business and your trading partners.