Enterprise security risk management (ESRM) includes the methods and processes to manage security risks and realize opportunities that are directly related to organizational objectives. ESRM typically involves identifying events or circumstances relevant to the organization’s objectives, assessing them, determining a response strategy, and monitoring progress.

Enterprise Security Risk Assessment (ESRA) differs from conventional security risk assessment, not only in scale but also inits nature. A conventional security risk assessment (SRA) seeks to analyze the risks of a business unit or subset of the enterprise(e.g. a particular facility, project, or system).


ESRA Focus

By contrast, an ESRA has little interest in the specifics of each business unit unless they demonstrate thematic issues that are evident across sections of the enterprise (of if business unit risks represent strategic risks to the organisation).
The focus of an ESRA is on the security of the overall enterprise. It may also seek to establish measures such as security standards, systems, and protocols so that individual units all face similar levels of risks.You cannot approach and ESRA as an organization that owns or operates (say) 100 offices, 50 servers, and 3 data centers in 20 countries.
The concept requires that the security risk analyst(s) must focus on the totality of an integrated enterprise. An enterprise that, operates a single business across many facilities, operates a cloud server, and happens to have a presence in 20 nations. There should be no requirement to visit each of the countries or even a majority of the locations and systems to conduct an ESRA and develop an enterprise security (risk) treatment plan.
It is essential however, to understand and evaluate the threats and risks across each level or category of business units.

ESRA Scoping Statements

A scoping statement for an ESRA might include:

  • Enterprise-wide strategic security Risks (physical, personnel, technology and information).

  • Business activities and corporate operations globally.

  • Review of enterprise-wide strategic security measures currently in place for the protection of personnel, assets, and information both at our facilities and while in transit.

  • Review and develop security standards and postures across a range of threat levels such that the enterprise can respond with established protocols to any variation in threat levels.

  • IT systems as well as interfaces with key external systems.

  • Physical protection of server rooms and systems.

  • Review of existing security policies, procedures, documents, incident reports, manuals, etc.

  • Identification of risks associated with key assets, activities, and operations of the organization.

  • Identification and assessment of key vulnerabilities and threats. Qualitative and quantitative assessment of security risks currently facing the enterprise.

  • Recommend treatment plans to manage or mitigate the risk to an acceptable residual level.

How to get started with SECTARA

If you see the same great benefits that we do in SECTARA, there are several methods to get started:

As a valued subscriber, you will be comprehensively supported via our Ticketing System and Knowledge Base, and you can still always contact us direct when you need to.

Article by:

Julian Talbot

Julian is a SECTARA Advisory Board Member and, among many other things, the author of the Security Risk Management Body of Knowledge (SRMBoK). In recent times Julian contemplated how to take SRMBoK further, and in doing so publish a contemporary account of associated security models, principles and practices. The result is the Security Risk Management Aide Memoire (SRMAM), a book that is free to all SECTARA subscribers (yes, even on the free plan). This article is replicated from the SRMAM wesbite with permission.