Introducing Abriska – What is it and why adopt it?
So, let’s step back. What is Abriska? Abriska is a web-based tool (think software as a service) with a number of modules all focused on helping organisations implement a best practice approach to managing risk. The first module we developed addressed information security risk and was followed with others looking at business continuity, supplier risk, operational risk, and action management.
Why did URM develop Abriska?
At its core, URM provides consultancy and training services to help organisations implement best practice information security and business continuity management systems. With information security, a major focus of ours over the last 15 years has been to assist businesses to either align with or certify to ISO 27001, the International Standard for implementing information security management systems (ISMS)… and its British Standards forerunner BS 7799! The cornerstone of any ISMS (and an area which proves challenging to many organisations) is the assessment and management of information security risks. From the outset, a key priority for us was to develop a robust and consistent risk assessment methodology that would not only meet the requirements of the Standard but was flexible enough to be used with organisations of any size and from any sector, irrespective of which consultant was leading the project!
With this goal in mind, we developed an internal tool to allow consultants to capture the necessary information to conduct a thorough risk assessment. In developing the tool, we involved all of our consultants, certification bodies and other interested parties to ensure our tool was ‘best of breed’ and met all requirements. We decided to adopt a web-based platform to enable consultants to collaborate more effectively and peer review each other’s work. The focus of the early development was to ensure that a robust, repeatable risk assessment could be completed quickly and that the tool would generate reports and graphical outputs that would satisfy two requirements. Naturally, the reports needed to meet the requirements of the ISO 27001 Standard and the certification bodies but, just as important, Abriska needed to present risks in a clear and ‘easy to understand’ format to support senior management in making risk treatment decisions.
Whilst these factors were initially URM’s consultant requirements, they also aligned with what our clients wanted and expected. As we started to utilise the tool on consultancy engagements, the benefits of Abriska quickly became apparent to clients who asked whether they could access it on an ongoing basis. This became the point when we started to market Abriska as an independent risk management product. It is important to note that it still remains an integral and core part of all our consultancy engagements. Abriska has been successfully used in every ISO 27001 certification project our consultants have been involved in, and that’s nearly 200 at the last count!
Continuous improvement is very much the name of the game with Abriska. We continue to develop and enhance Abriska in line with updates and revisions to the ISO 27001 Standard and, most importantly, following feedback from clients and consultants alike. Each Abriska client has helped to shape the Abriska product suite into what it is today. Since introducing Abriska 27001, URM has introduced additional modules aligned with other risk-based international standards:
- Abriska 22301 – enables an organisation to undertake a business continuity business impact analysis
- Abriska 31000 – helps with enterprise risk management
- Abriska 19011 – audit and action management
- Abriska 27036 – supplier risk management focusing on information security risk
What technologies have we utilised in developing Abriska?
URM is a Microsoft partner and, as you would naturally expect, Abriska has been developed utilising standard Microsoft technologies (e.g. .NET Core, SQL Server). Abriska is also hosted within Microsoft’s cloud computing environment, Azure.
When should an organisation adopt Abriska?
Now!! Abriska has been adopted by a wide range of organisations in different industry sectors, most typically when they are looking to adopt best practice risk management (e.g. aligning or certifying to ISO 27001). We have worked with businesses starting their risk management journey as well as those who have outgrown their manual risk assessment methodologies. In the main, clients want to simply benefit from an established approach, developed by consultants who truly understand the subject, that allows them to devolve specific responsibilities whilst retaining an overall picture and control. For example, if you need HR or IT to provide information then you can provide departmental representatives with access, but only to the area that relates to them, and you’re not constrained by a restrictive licensing model! Abriska allows risk assessment responsibilities to be shared between teams.
With an increase in security incidents caused by third parties, along with a greater focus on third-party management within both legislative and regulatory standards, URM has seen more organisations looking to adopt formal third-party assessment tools, such as Abriska 27036, to manage their third-party risk, save them time and ease the administrative burden.
So, whether information security risk management is your focus, or establishing a consistent approach to conducting a BC business impact analysis, or managing risk in general, or maybe managing actions and audits or getting to grips with the thorny subject of third-party management then Abriska has a module for you. With training and a range of web-based tutorials included in the price, getting on top of these challenges has never been easier!