Risk management can be relatively straightforward if you follow some basic principles.

Below are some practical hints that you may find useful:


  • Take IT security into consideration from the outset when you plan new or changed IT systems.
  • Actively look for IT-related risks that could impact your business. A workshop will help you to think more imaginatively about risks than doing it alone.
  • Consider the opportunity, capability and motivation behind potential attacks.
  • Assess the seriousness of each IT risk so that you can focus on those which are most significant.
  • Implement standard configurations for PCs, servers, firewalls and other technical elements of the system.
  • Do not rely on just one technical control (e.g. a password). Use two-factor authentication to confirm user identity - e.g. something you have (such as an ID card) and something you know (a PIN or password).
  • Support technical controls with appropriate policies, procedures and training.
  • Make sure you have a business continuity plan covering any serious IT-related risks that you cannot fully control.
  • Regularly review and update your IT risk assessment and business continuity plan.
  • Establish an effective incident recording and management system.
  • Consider certification to the information security management standard ISO/IEC 27001 for your business and your trading partners.