Risk Assessment Service

Information Risk Assessment and Management Service

Cyber security consists a range of processes, technologies and controls each of which are designed to protect systems, networks and data from cyber-attack. Effective cyber security reduces the risk of cyber-attacks, and protects organisations and individuals from the unauthorised exploitation of systems, networks and technologies.

All these things have vulnerabilities but the one, primary, common denominator of all is information.  Information is being created, gathered, stored, transmitted and received by these processes, networks and technologies. It is this information that a cyber-attacker is interested in obtaining to profit from. Without the business truly understanding the value of that information, whether the value be monetary, confidentiality or sensitivity it is not possible to select and deploy appropriate controls to protect it, based on informed decisions. The means a risk might be under of over protected, the consequences of which both have a monetary impact.

Information Risk Assessment and Management (IRAM) is a process by which the levels of monetary, confidentiality or sensitivity can be accurately assessed and managed.  Armed with information gained through the risk assessment process, appropriate and affordable controls can be selected and deployed, which will pass the scrutiny of independent auditors and regulators.

As it is not common for an SME to employ any full-time information/cyber security/IT expert with IRAM expertise, H2 have developed its Triple A IRAM Service.

What is a Triple A – IRAM Service

‘Triple A’ refers to the need to ensure Affordable, Appropriate and Accreditable controls as selected when creating a robust cyber security business environment. These three things are key business drivers, particularly for an SME. 

Affordability ensures that control deployment is kept in line with values at risk, whilst appropriateness ensures that a control will provide the necessary protection without being a hinderance to business operations; whilst accredibility ensures customers, suppliers and regulators are able to see that the business maintains an up-to-date information security and data protection regime, which can be independently verified as meeting with best practice and required standards.

Risk Assessment Service

IRAM Service Constituent Parts

H2 offer their IRAM service in three constituent Phases:

  • Phase 1 Initial assessment;
  • Phase 2 Implementation of recommendations;
  • Phase 3 Education, ongoing security management review and maintenance.


Phase 1 : Initial assessment

In order to determine the cyber security, information security and data protection maturity of a client, H2 will conduct an assessment reviewing existing information security, data protection, technical security controls, processes and procedures to determine their effectiveness and currency.

This review will on average a three to five days for smaller SMEs and up to ten days for larger SMEs.

H2 will provide a written critique of what was discovered during the review.  A set of recommendations of appropriate changes to controls and an on-going strategy to ensure the business achieves and maintains conformance to any applicable information security, data protection and cyber security standards or regulations.

Phase 2 : Implementation of recommendations

In Phase 2, H2 offers to work with a client to implement the Phase 1 recommendations.  Typically, H2 will schedule work to meet with budgetary and staff availability.  This will help ensure the least amount of interruption to the clients daily routines and staying within budgetary constraints.  Tasks can be scheduled over a time-frame, which is both appropriate to the needs of the business and the demands of regulatory conformity.

Selection and deployment of appropriate controls is not a tick box, fire and forget process.  In collaboration with a client, H2 will ensure that any controls identified will be appropriate to both the assessed risk and business process demands. 

Controls may be simple additions to existing business processes to ensure appropriate checks and balances are in place, which safeguard and protect information or; controls may be technical, which once implemented, automatically deliver an ongoing security function.  In both instances, regular reviews need to be conducted to determine the effectiveness of the control in the light of any changes to the risk.  Where necessary, as a result of these reviews, controls must be updated accordingly.

Phase 3 : Education, ongoing security management, review and maintenance

User or staff education is very important and whilst collaboration with and education of users will be included in the Phase 2 elements of IRAM as a service, it is important to ensure that this education and training continues.

People come and people go, risks change and new processes and controls are deployed.  With that comes the responsibility of management to ensure that users are kept up-to-date with the latest changes.

 As with Phase 2, H2 are able to provide the necessary education, ongoing management, review and maintenance of information security and data protection a retainer.  If required, H2 will propose a maintenance program, tailored to the size of the business, the number of users and the volume of deployed information systems and mobile computing devices.  Typically this will be on a subscription or retainer basis, whereby a work-package is agreed per month for delivery over an agreed time-line, for an ongoing monthly fee.

Alternatively, H2 can assist clients to acquire, deploy and manage a real-time interactive monitoring of all the critical and important elements of their information security and data protection controls.

Contact us today about this service

If you would like to know more about our range of services here at H2 then please contact us today on 01733 602183 or 01780 678199 or complete our contact form.

Click here to get started >