Self-Assessment Processes (SAP)

Widely documented in numerous case studies, it has been proven that world-class organizations have benefited from the design and implementation of Self-Assessment Processes (SAP) that foster a "culture of self-improvement".  The IT Governance Institute strongly suggests that organizations should  "Create and maintain a risk management framework."  The ITGI defines the SAP as "The framework documents a common and agreed level of IT risks, mitigation strategies and agreed-upon residual risks. Any potential impact on the goals of the organization caused by an unplanned event should be identified, analyzed and assessed. Risk mitigation strategies should be adopted to minimize residual risk to an accepted level. The result of the assessment should be understandable to the stakeholders and expressed in financial terms, to enable stakeholders to align risk to an acceptable level of tolerance."*

As defined in ITIL/ISO27001,(4.1) - Information Security Management System - General Requirements:
"The organization shall establish, implement, operate, monitor, review, maintain and improve a documented ISMS within the context of the organization’s overall business activities and the risks it faces."

Our Services:
Implement a Level 1 (entry level) process for self-assessment of risks by key process and control that is aligned with best practices and regulatory requirements.  The self-assessments should be limited to basic components including Asset Classification (data, information, physical etc.),  Vulnerability Classification and Impact Classification (very high, high, medium etc.) that are ensured of consistency by clear delineation of classification business rules.