Why is an IT risk assessment necessary?

An IT risk assessment (IT risk analysis) focuses on identifying threats to the organisation's information systems, networks and data flows, and on evaluating their possible consequences. Weaknesses in physical security must not be overlooked either: they can allow an intruder to gain access to the organisation's assets, information and information processing facilities, and to damage or disrupt the organisation's operations.

Risk assessments should be carried out regularly, in compliance with best practices (e.g. ISO 27005, E-ITS, Cybersecurity Act, etc.), and whenever major changes take place within the organisation. Conducting a risk analysis before scheduled major changes ensures that the project, including budget and resource planning, can be successfully implemented. Experienced KPMG professionals help you introduce the purposeful use of resources to ensure information security through an IT risk assessment. In addition, the IT risk assessment enables you to get an overview of how the organisation's risks and vulnerabilities change over time. This will be the basis for planning and implementing appropriate measures.

According to the National Information System Authority, the number of cyber and ransomware attacks is increasing year after year, and there is a growing need to deal with security issues. In 2021, CERT-EE registered 30 ransomware attacks. This may not seem like much, but it must be taken into account that the consequences of a ransomware attack are among the most severe: such attacks have halted companies' production lines for days and, through them, entire companies' digital documents have been lost along with customer data. The National Information System Authority registers more than 20,000 notifications and nearly 2,500 cyber incidents per year that have a real impact on systems or their operation.


Why KPMG and what do we offer?

The specialists working for KPMG are technically competent in various fields and have very extensive experience. As a global organisation, KPMG can utilize the expertise of specialists from other countries. We offer our clients a professional service and plan engagements based on the needs of each client.
In the course of IT risk consulting, we identify the organisation's critical business processes and related security risks.
  • We help you assess your organisation’s IT and cyber risks; we also help you identify associated threats and vulnerabilities
  • A risk assessment plan provides the organisation with a clear understanding of various risks
  • We draw up an action plan to mitigate the risks
We base our risk assessment on the methodology developed by KPMG. We also use international standards (ISO 27005), Estonian risk management guidelines (E-ITS, the risk management guidelines for vital service providers) and best practices for risk assessment (ISF and NIST guidelines).

Phases of a risk assessment

The first step of the risk assessment is to map, together with the client, the information assets that are critical to the company and the information systems they depend on.

The next step is to identify the cyber security threats the company faces. Threats vary from one organisation to another, so it is important for every company to have a comprehensive overview of the threats to its critical assets.

The third step is the identification of weaknesses. This includes mapping the vulnerabilities of the company’s systems and processes, and the physical vulnerabilities that can lead to an information security incident.

Next, security measures are implemented to minimise or eliminate business-critical vulnerabilities and threats. In phase four, the existing security measures, which prevent interruptions and mitigate their consequences, are assessed against the probability that the identified risks materialise.
The next step is the prioritization of security risks, that is, risk classification. This helps the company determine which risks need immediate mitigation and where the company should invest time and resources.

A risk matrix table is created for the classification of risks. The risk prioritization is followed by the development of measures, that is, the creation of a risk management plan.
The risk management plan lists risks in order of priority, together with security measures that prevent risks and mitigate the consequences, along with personnel responsible for the implementation of the plan and deadlines. The final step in risk assessment is to produce a report documenting all of the company's assessment findings in a way that supports budget and policy changes.

Phases of service

  1. Identification of critical IT assets and critical services
  2. Identification of threats and vulnerabilities
  3. Internal controls assessment
  4. Probability assessment
  5. Impact assessment
  6. Risk assessment
  7. Developing measures and preparing a risk management plan
  8. Documentation of results
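The following is an added example, not part of the original page and not KPMG's own methodology, showing how phases 4 to 7 above fit together in code: each risk in a register carries a likelihood and an impact score, the product is classified on a 5x5 risk matrix, and the result is sorted into a risk management plan with an owner, a deadline and a response per risk. The scales, classification bands, responses and the sample risk register are all assumptions constructed for this illustration.

```python
"""Risk register, 5x5 risk matrix and prioritised risk management plan.

Constructed example for the probability assessment, impact assessment,
risk classification and risk management plan phases. Scales, bands,
responses and sample risks are assumptions, not a real methodology.
"""
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 5  # assumed 5-point ordinal scales


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    existing_control: str
    likelihood: int          # probability that the threat materialises
    impact: int              # consequence for the business if it does
    owner: str = "unassigned"
    deadline: str = "unassigned"

    def __post_init__(self) -> None:
        # Reject scores outside the agreed scale so the matrix stays meaningful.
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{name} must be {SCALE_MIN}..{SCALE_MAX}, got {value}")

    @property
    def score(self) -> int:
        # Risk level as likelihood x impact (1..25).
        return self.likelihood * self.impact


def classify(score: int) -> str:
    """Map a score to a band. Thresholds are assumptions for this example."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


RESPONSE = {
    "critical": "mitigate immediately and escalate to management",
    "high": "mitigate within the current planning period",
    "medium": "mitigate when resources allow; monitor",
    "low": "accept; review at the next assessment",
}


def risk_matrix(risks):
    """Group risks into matrix[likelihood][impact] cells (the risk matrix table)."""
    grid = {l: {i: [] for i in range(SCALE_MIN, SCALE_MAX + 1)}
            for l in range(SCALE_MIN, SCALE_MAX + 1)}
    for r in risks:
        grid[r.likelihood][r.impact].append(f"{r.asset}: {r.threat}")
    return grid


def render_matrix(risks) -> str:
    """Text rendering: rows = likelihood (high to low), columns = impact, cells = count."""
    grid = risk_matrix(risks)
    header = "L\\I " + " ".join(f"{i:>3}" for i in range(SCALE_MIN, SCALE_MAX + 1))
    rows = [header]
    for l in range(SCALE_MAX, SCALE_MIN - 1, -1):
        cells = " ".join(f"{len(grid[l][i]):>3}" for i in range(SCALE_MIN, SCALE_MAX + 1))
        rows.append(f"{l:>3} {cells}")
    return "\n".join(rows)


def management_plan(risks):
    """Risks ordered by score, then impact, each with classification, response, owner and deadline."""
    ordered = sorted(risks, key=lambda r: (r.score, r.impact), reverse=True)
    plan = []
    for rank, r in enumerate(ordered, start=1):
        band = classify(r.score)
        plan.append({
            "rank": rank, "asset": r.asset, "threat": r.threat,
            "score": r.score, "classification": band,
            "response": RESPONSE[band], "owner": r.owner, "deadline": r.deadline,
        })
    return plan


# Constructed sample register for a fictional organisation.
SAMPLE_RISKS = [
    Risk("ERP server", "ransomware", "backups reachable from the production network and never restore-tested",
         "endpoint antivirus", 4, 5, "IT manager", "30 days"),
    Risk("Customer database", "data leak", "shared administrator account",
         "access logging", 3, 4, "CISO", "60 days"),
    Risk("Server room", "power failure", "no UPS", "none", 4, 2, "Facilities", "90 days"),
    Risk("Public website", "defacement", "outdated CMS", "weekly backup", 2, 4, "Web team", "90 days"),
    Risk("Office laptops", "theft", "no full-disk encryption", "cable locks", 1, 2, "IT support", "next review"),
]

if __name__ == "__main__":
    print(render_matrix(SAMPLE_RISKS))
    for row in management_plan(SAMPLE_RISKS):
        print(f"{row['rank']}. [{row['classification']:>8}] {row['asset']} / {row['threat']} "
              f"(score {row['score']}) -> {row['response']}; owner {row['owner']}, due {row['deadline']}")
```

Two design choices worth noting: the tie-break on impact means that of two risks with the same score, the one with the larger consequence comes first in the plan, and the scale check in `Risk.__post_init__` stops an out-of-range estimate from silently landing outside the matrix.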

Results

  • A detailed overview of the risks identified in the organisation.
  • Management's awareness of what is happening in the organisation. Awareness of potential risks allows the management to make better management decisions in terms of information security resources.
  • More precise forecast-based action plans and resource usage.
  • Clearly defined roles and responsibilities within the organisation.
  • Increasing the organisation's sustainability and risk awareness broadens the possibilities for attracting new investors.
  • Avoiding potential data leaks.
  • The organisation will have complete documentation, everything from the information systems related to the business process to a template of the risk management plan.


Provide a safe and sustainable business environment for your company! We will help you build a resilient and reliable digital world, even in the face of changing threats.

KPMG Baltics OÜ

+372 626 8700
itaudit@kpmg.ee
Ahtri 4, 10151 Tallinn, Estonia

HR assessment 

HR assessment focuses on mapping the skills and increasing the competencies of the weakest link in cyber security: the users, the employees.


Threat assessment

Threat assessment is a tactical and technical service that allows a company to get a quick overview of external threats.


Maturity assessment

Maturity assessment helps plan IT investments and design further steps to mitigate vulnerabilities and ensure better security.
