Although not free of criticism, the framework and processes commonly endorsed for managing risk are provided by ISO 31000, Risk Management – Principles and Guidelines (International Organisation for Standardisation, 2009). The standard provides a means to manage risk that can be used by organisations of varying size and sector. ISO 31000 is a procedural construct that follows the principles of plan, organise, direct and control. This approach may enable businesses to clearly identify and categorise risks and to adopt appropriate management practices. The model has been adopted as a framework by Security Risk Management professionals because it considers the context within which a business operates, alongside the potential threats, risks and responses.
The effective implementation of ISO 31000 requires an organisation to actively integrate risk management across its operational and planning processes. However, many organisations do not fully incorporate each stage of the model, and it may therefore be necessary to adjust elements of the risk management model to suit business processes and cultures. Although organisations differ in their approach to risk management, ISO 31000 is widely endorsed as a framework to be followed.
In addition to the use of the ISO 31000 framework by security professionals acting in an advisory capacity, business analysis tools can also be used to assess security strategies and procedures. SWOT analysis in particular could be used to assess the vulnerabilities and resilience of an organisation's security and business continuity plans. Following the identific