Principles of building a Security Risk Management Plan – 7 Steps: (2024)

Luclow Security Risk Consultancy are specialists in designing and implementing Security Risk Management Plans. Here are 7 basic steps. If you’d like to know more, or you need help building yours, get in touch at [email protected].

1. Identify the Key Risks. Work out the things that are really important to you (or the business), the interruption of which would have a material impact. Then decide how that interruption might come about.

2. Prioritise the Risks. Take your Key Risks and rank them based on severity; the good, old-fashioned Likelihood vs Impact equation. The further towards the top right of the severity matrix, the higher priority the risk becomes.

3. Establish Appetite. How much are you (or the business) willing to accept? Not everything can be stopped and there must be some acceptance of impact, but when does the impact become unacceptable.

4. Set Controls. What are you going to do to mitigate the risks? There will be myriad options that will need to be delivered in a layered approach. Be clear on who is responsible for, who owns, and who operates the Controls.

5. Measure & Report Control Effectiveness. Your Controls need to be effective enough to keep the risk within appetite. But how will you know the Controls are working and how will you report this to management? You’ll need mechanisms for capturing this information.

6. Adjust and Improve Controls. You will need mechanisms in place to improve mitigation, including the addition of further Controls, if Controls are assessed as ineffective. This is a continuous process and requires engagement and feedback from those operating the Controls.

7. Continuously monitor your Key Risks and the entire Plan. Routinely assess the Key Risks to ensure your Plan remains current and relevant. This is a cycle; a living process. Don't just write it and file it once complete.