NOWECO Management Software


Information Security Management
Enterprise Risk Manager™

Information Security Management for ISO 27001 / ISO 17799

Information Security Management and Risk Management

Information and information processing is one of the most critical success factors within all organisations. Accordingly, information security and its management is of major importance in order to protect this precious asset. The protection of information and information processing includes to ask about future threats: IT security risks.

An effective and efficient risk management system is a necessary condition for successful IT security management. Standards like ISO 27001 / ISO 17799 / ISO 27005 require risk assessment and risk management as part of an Information Security Management System (ISMS). Further standards such as BS 7799-3 outline an information security risk management system. A systematic risk management approach shall be used to identify and assess risks and prepare treatments. Risk management software can facilitate the efforts of risk management. Enterprise Risk Manager™ is such risk management solution that can be used within IT security.

The Risk Management Process within Information Security Management

Risk management in IT Security does not formally distinguish from any other operational risk management. Quite often the PDCA-Approach (Plan-Do-Check-Act) is borrowed from quality management in order to visualise the basic steps of information security risk management. The following overview briefly outlines the basic steps in IT security risk management:


pdca risk management

Information Security Management and Risk Management

It is very important to understand the continuous process in risk management. The risk review is about re-thinking existing risks and their assessment as well as about new risks. The following table provides additional information on the risk management process steps:


Establishing the Basis Inventory of information and information processing
Risk Identification - Threat Identification
- Vulnerability Identification
- Control Analysis
Risk Assessment - Likelihood
- Impact/Consequences
Treatment Identification - Cost-Benefit Analysis
- Decision for Treatments
Monitoring - Risk Review
- Treatment Monitoring
Risk Communication Risk Reports, Risk Charts, Risk Dashboard

Risk Identification, Assessment, and Treatment Identification in Information Security Management

Risk Identification in information security management consists of three major steps:

  • Identification of assets: an asset is any item, material (resource) or non-material (process) that has a value for an organisation. The value of an asset is not necessarily monetary. E.g. a process does not have a monetary value in the balance sheet, but a broken process can cause a high loss of revenue;
  • Identification of threats: a threat is simply everything that reduces the value of the assets. Threats can have a natural origin (water, fire, etc.) or are human actions;
  • Identification of vulnerabilities: The must be a vulnerability present to an asset, otherwise the threat could not damage the asset. Mostly risk treatments will taken to remove the vulnerability of an asset because it often is not possible to remove the threat;

In order to conduct a risk assessment we need to have clearly identified risks. Two questions need to be asked to learn about the risk:

  • What are the consequences of a risk occurring?
  • What is the likelihood that a risk will occur?

The results of risk assessments allow to rate risks and prioritise them in order to decide which risks are treated first.

The basic rule for risk treatments is that they must have a return-on-investment higher than one. In other words: the benefits from the treatments must be higher than their costs. Risk treatments can be categorised as follows:

  • Risk removal;
  • Risk avoidance;
  • Risk transfer to a third party or an insurance company;
  • Action that reduce the consequence and/or likelihood of a risk;
  • Risk Acceptance;

Benefits of implementing Enterprise Risk Manager™

Enterprise Risk Manager™ is a web-enabled multi-user Microsoft .NET application using SQL Server relational database supporting hundreds of decision makers across the enterprise.

Enterprise Risk Manager™ assists the user to collect all data used to successfully run a risk management system. The software enables the user to store all relevant data in risk management, assists in risk analysis, keeps the history, helps monitoring risks, and makes all data available for reporting on risks.

Enterprise Risk Manager™ is risk management software package to manage general organisational risks related to people, property, reputation, assets and the environment. This includes information security risk management, but is not limited to it. Enterprise Risk Manager™ supports the major risk management standards including ISO 17799 / ISO 27001 / ISO 27005.

Enterprise Risk Manager™ is a very effective risk management software because it ...

  • helps reducing information security risks and decreasing the cost of risk treatment;
  • keeps track of who "owns" the risk, or risk treatment;
  • monitors risks by context - department, division, location, project, process, asset or risk category;
  • evaluates cost and effectiveness of each risk treatment;
  • is an invaluable management tool for the return is many times higher than the cost of the investment;
  • produces documentary evidence for courts or regulators regarding treatments undertaken.

In brief: Enterprise Risk Manager™ helps you to comply with ISO 17799 / ISO 27001 / ISO 27005.

Enterprise Risk Manager™: Features that assist in information security risk management

Using Enterprise Risk Manager™ improves information security risk management efforts because:

  • information security risk management becomes consistent with enterprise risk management;
  • administrative work is significantly facilitated;
  • it speeds up the risk management process;
  • a risk history allows to trace back;
  • alerts are initiated when risk reviews or treatments are overdue.
  • the information security risk status is displayed in a dashboard and lots of charts;
  • Enterprise Risk Manager™ may integrate all further business areas concern with operational risk management.

Downloads and further information

Click to request your free evaluation copy of Enterprise Risk Manager risk management software.

Click to download a product brochure of Enterprise Risk Manager risk management software.

Click to download a product presentation of Enterprise Risk Manager risk management software.

or alternatively:

Click to view an online product presentation of Enterprise Risk Manager risk management software.

Software Integration of Enterprise Risk Manager™

Enterprise Risk Manager™ may be integrated with:

  • Enterprise Incident Manager™
    to manage workplace injury and other incidents that occur and interfere with the business.
  • Enterprise Issue Manager™
    to manage the issues which form a gap between the organisation's performance and stakeholders' expectations.
  • Control Self Assessment
    which is used to audit and validate controls in order to ensure they are operating both efficiently and effectively.

Enterprise Risk Manager™ is developed by

Incom risk management software