Offered in three incremental stages, IRS enables large and medium-sized businesses to understand their security posture within the context of their industry and beyond. Both internal and external factors, including security standards, legislation, regulation, and best practice, are used to determine the Risk Score of the business and generate comparative data that can be used to identify potential areas of under- or over-investment, justify expenditure, focus resource, and determine the effectiveness of future business strategy.
IRS consists of a no-fee initial qualitative and quantitative assessment of the overall risk posture based on multiple-choice questionnaires.
A web-based front-end collates internal and external audit information while sophisticated back-end processes take into account additional horizontal and vertical sector-specific factors including compliance requirements and cyber threats.
Key areas examined include the philosophical approach to information security, risk appetite, strength and completeness of security policies, certifications and accreditations, specific business activities, internal security awareness, thoroughness of education programmes, use of technical controls, testing and validation regimes, and planned projects. A dynamic mathematical risk model computes and processes the results to generate a Risk Score indicative of the security posture of the enterprise in a real-world context.
IRS is delivered in three stages. IRS Stages 1 and 2 are offered free of charge, while Stage 3 is a subscription-based service that includes a quarterly report and alert service:
Stage 1: Qualitative – a rapid ‘traffic light’ indicator of the risk posture of the organisation, highlighting areas requiring attention. The traffic light indicator represents an evaluation of risk at one point in time, and participants are invited to reassess periodically to take account of both frequent updates to the IRS model and internal developments in policy, process or security architecture.
Stage 2: Quantitative – awards a numeric Risk Score from 1-100 according to the company’s standing within a given sector and incorporates a more thorough assessment of the areas identified in Stage 1.
Stage 3: Comparative Risk Benchmarking – offers a comparative benchmarking service by comparing the IRS Risk Score with the performance of peer groups and competitors. Subscribers benefit from a quarterly reassessment delivered as a comprehensive report which acts as an independent, cost-effective, ongoing means of measuring and assessing risk. Incident alerts are triggered to prompt reassessment in the wake of significant changes to the regulatory or threat landscape.