Building your Asset and Risk Register to Manage Technology Risk
Reading Time: 7 Minutes
In this article, we will deal with the development of your Asset Register and Risk Register – critical tasks to manage Compliance and regulatory requirements in your organisation. If you need an introduction to risk management, read: Understanding and Calculating Organisational Risk
At the end of this post, you can download a sample Risk Register. Fill it with your business’ risks and details to build your own register.
Technology risk has its unique characteristics and is becoming increasingly common and dangerous to businesses of all sizes. Your business is more likely to fall victim to a cyber attack than fire, for example, and the consequences of such an attack could be just as dreadful.
Most people who seek our advice don’t consider themselves fit to handle technology risk. Yet, in reality, much of the knowledge applied here is similar to other areas in risk management. We tend to recommend leveraging the NIST Cyber Security Framework to tackle technology risk, as it makes the whole process much more manageable. We have a detailed guide on that, here.
Prefer this content in a video? Watch the Webinar below:
Asset Register
Building an asset register helps clarify what is valuable in your company and who is responsible for it. Moreover, without knowing what you have and who is in charge of protecting these assets, you can never fully understand technology risk in your business.
When considering building an Asset register, we dip into our ISO 27001 knowledge and preparation and utilise their definition from the 2005 revision of ISO/IEC 27001 which defines an asset as “anything that has value to the organisation.”
Think about that for a moment as it covers a lot of ground. Necessarily so.
Why are assets important for information security management?
There are two reasons why managing assets is essential:
- We use Assets to perform the risk assessment. Assets are usually the key element of identifying risks, together with threats and vulnerabilities.
- If the organisation doesn’t know who is responsible for which asset, chaos would ensue – defining asset owners and assigning them the responsibility to protect the confidentiality, integrity and availability of the information is one of the fundamental concepts in IT Risk management.
How to build an asset inventory?
If this is your first attempt at creating an asset inventory, the simplest way to build it is during the initial risk assessment process because this is when all the assets need to be identified, together with their owners.
The best way to build an asset inventory is to interview the head of each department or outsourced service provider (if appropriate), and list all the assets a department uses.
We use discovery tools that automate the gathering of such information in terms of technical resources that may be less obvious – i.e. virtualisation solutions, switches, routers etc. – as these are often forgotten.
This process is further supported by describing what you see and do. It is always amazing what your staff know about what is stored and used in your business.
You may already have several elements of this asset register to hand, in which case you only need to compile them under the headings as described below.
Building the asset register is usually done by the person who coordinates the Risk Management process, and this person collects all the information (hopefully with plenty of help) and makes sure that the inventory is updated.
What to include in your asset inventory:
In the asset register that we are looking to build today, we suggest the inclusion of assets under the following headings:
- Hardware – e.g. laptops, servers, printers, but also mobile phones or USB memory sticks.
- Software – not only the purchased software but developed software and freeware.
- Information – not only in electronic media (databases, files in PDF, Word, Excel, and other formats) but also in paper and other forms.
- Infrastructure – e.g. offices, electricity, air conditioning – because those assets can cause a lack of availability of information.
- People are also considered assets because they also have lots of information in their heads, which is very often not available in other forms.
- Outsourced services – e.g. IT services, legal services or cleaning services, but also cloud-based services like Microsoft Office 365 and Enterprise File Sharing solutions such as Egnyte. As such services need to be controlled very similarly to assets, so they are very often included in the asset management.
Who should be the asset owner?
The owner is usually a person who operates the asset and who makes sure the information related to this asset is protected.
For instance, an owner of a server can be the system administrator, and the owner of a file can be the person who has created this file. For the employees, the owner is usually the person who is their direct supervisor.
For similar assets used by many people (such as laptops or mobile phones), you can define that an asset owner is the person using the asset.
If you have a single asset used by many people (e.g. an ERP software), then an asset owner can be a member of the board who has the responsibility throughout the whole organisation – in this case of a Critical Business System, this could be the CIO or CFO.
When this part is done, you should be able to move to the next stage.
Risk Register
Building a risk register allows you to both assess and treat the risks of all of your identified assets. Although critical, we are often asked – why is it so important? The answer is quite simple although not understood by many people: it is important to find out which incidents could occur (i.e. assess the risks) and then find the most appropriate ways to avoid such events (i.e. treat the risks).
Now add to that that you also have to assess the importance of each risk so that you can focus on the most important ones first. In NIST world, this allows you to prioritise your next actions based on identified risk.
While building the risk register seems daunting, it is very commonly unnecessarily mystified. These 4 straightforward steps alongside our sample documentation will shed light on what you have to do, and eventually how to present it to an auditor or the board:
Risk assessment methodology
This is the first step on your journey through risk management. You will have to define rules on how you are going to perform the risk management because you want your whole organisation – and your stakeholders – to implement this in the same way. The approach that we will take will be quantitative in our example.
Risk assessment implementation
Once you know the rules, you can start finding out which potential problems could happen to you. You need to access a list of all your assets, then investigate threats and vulnerabilities related to those assets.
You should assess the impact and likelihood of each combination of assets/ threats/ vulnerabilities and finally calculate the level of risk. Again, our sample risk table will assist you in building out your risk register.
Our experience tells us that companies are usually aware of only 30-40% of their risks. As a result, you will find this kind of exercise both revealing and rewarding.
Not all risks are created equal – you must focus on the most important ones, so-called ‘high’ or ‘critical’ risks, first.
There are four options you can choose from to mitigate each critical risk:
- Apply security controls to minimise the risks.
- Transfer the risk to another party – e.g. to an insurance company by buying an insurance policy.
- Avoid the risk by stopping an activity that is too risky, or by doing it in a completely different fashion.
- Accept the risk – if, for instance, the cost for mitigating that risk would be higher than the damage itself.
This is where you need to get creative – how to decrease the risks with minimum investment. The unfortunate truth is that budgets will always be limited. You need to figure out the best way to mitigate risk at the least cost. We will get in more detail about this bit on the next article – Developing an Action Plan to Address Technology Risk.
Risk Implementation Plan
This is the step where all of your hard work and information gathering starts to pay off. Let’s be frank – all up to now this whole risk management job was purely theoretical, but this is where the rubber meets the road and we get some concrete results.
The primary purpose of the Risk Treatment Plan is this: to define exactly who is going to implement each control, in which timeframe, with which budget.
Once you’ve written this document, it is crucial to get buy-in from either your board or top management as it will take considerable time and effort (and money) to implement all the controls that you have planned here. Moreover, without their commitment, all these efforts will fail.
Once you’re done, you have just completed the hardest part of your overall risk management strategy. Best of luck!
Continue tackling the Risk – Download your Risk Register Sample
From our years of experience working with customers in highly regulated industries – Financial Services, Healthcare, semi-private organisations – we have found that the best way to handle the challenges of managing technology risk and governance is by leveraging the NIST Cyber Security Framework.
We explain how to do it in detail in our Guide to NIST. Its main focus is for Financial Services companies, but every type of business can leverage the framework to deal with risk.
Download your Risk Register Sample Here, and if you have problems using it, watch the webinar near the top of this page.
The Asset and Risk Register are crucial for the development of a Risk management system, but keep in mind that they are only part of that system and not the end result. Now that you are done reading this part, the next one is to Develop your Action Plan to Address Technology Risk.
To continue managing the risk consistently and continually, we have developed our own methodology to assist and guide you through every step. If you are looking for an extra level of detail and a system that will make this process much more comfortable and straightforward, Book a Call with us. We can get you to your desired state of maturity with a tested solution.
Follow us on Social Media for more exclusive content, and as always, if you have any feedback or questions about this article, please do not hesitate to use the comment box below.