Risk Self-Assessment

Doing business means taking risks. Organizations must therefore balance those risks, the measures that limit them, and the interests of the business. This applies equally to risks that threaten the availability, integrity and confidentiality of information. Organizations must take a variety of measures to safeguard these three aspects of their information and of the processes, systems and networks that support it. A risk analysis helps to draw up an inventory of the risks and then to select the measures that reduce them to an acceptable level.

Risk analysis is the systematic assessment of two things for each threat: the damage the organization could suffer if the threat materializes, and the probability that it actually does. The combination of the two is the risk. The consequences for the availability, integrity and confidentiality of the information and of other business assets are weighed in the light of the threats that are actually present.

Once the risks have been inventoried, the main goal of the risk analysis is to define the security measures that bring the organization to an acceptable level of security. The costs and benefits of implementing each measure are weighed as part of that selection: a measure that costs more than the loss it avoids does not reduce risk in any meaningful sense.
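The following is an added illustration of the damage-times-probability reasoning and the cost/benefit test described above, in generic quantitative form. It is not SPARK, Qubus or any KPMG code, and the risks, figures and measures are constructed for the example. Each risk's damage and probability are expressed per year so that they multiply into an expected annual loss; each candidate measure states the fraction of a risk's expected loss it removes and what it costs per year; the selection routine keeps adding the measure with the largest net benefit until the residual loss is within the stated acceptable level or nothing left pays for itself.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Risk:
    """One threat against one asset. Damage and probability are expressed per year
    so that they multiply into an expected annual loss (assumed model, not SPARK's)."""
    name: str
    aspect: str              # which of availability / integrity / confidentiality is hit
    damage_per_event: float  # money units lost when the threat materializes once
    events_per_year: float   # expected frequency, i.e. probability scaled to one year

    def expected_annual_loss(self) -> float:
        return self.damage_per_event * self.events_per_year


@dataclass
class Measure:
    """A candidate security measure and the fraction of each risk's expected loss it
    removes (by lowering probability, damage, or both). Keyed by Risk.name."""
    name: str
    annual_cost: float
    reduction: Dict[str, float]


def residual_annual_loss(risks: List[Risk], measures: List[Measure]) -> float:
    """Expected annual loss that remains once the given measures are in place.
    Reductions from several measures on the same risk combine multiplicatively,
    so two 50 % measures leave 25 % of the loss, not 0 %."""
    total = 0.0
    for r in risks:
        remaining = r.expected_annual_loss()
        for m in measures:
            remaining *= 1.0 - m.reduction.get(r.name, 0.0)
        total += remaining
    return total


def select_measures(risks: List[Risk], candidates: List[Measure],
                    acceptable_annual_loss: float) -> Tuple[List[Measure], float]:
    """Greedy cost/benefit selection: repeatedly add the measure whose avoided loss
    exceeds its cost by the largest margin, stopping when the residual loss is
    acceptable or no remaining measure pays for itself. The caller must inspect the
    returned residual: the acceptable level is a target, not a guarantee, and a
    residual above it has to be accepted explicitly or the target revisited."""
    chosen: List[Measure] = []
    remaining = list(candidates)
    while remaining:
        current = residual_annual_loss(risks, chosen)
        if current <= acceptable_annual_loss:
            break
        best, best_net = None, 0.0
        for m in remaining:
            avoided = current - residual_annual_loss(risks, chosen + [m])
            net = avoided - m.annual_cost
            if net > best_net:
                best, best_net = m, net
        if best is None:
            break  # nothing left is worth its cost
        chosen.append(best)
        remaining.remove(best)
    return chosen, residual_annual_loss(risks, chosen)


# Constructed sample inventory; the figures are illustrative, not from any real assessment.
RISKS = [
    Risk("ransomware on file server", "availability", 200_000, 0.2),
    Risk("customer database leak", "confidentiality", 500_000, 0.05),
    Risk("unauthorised payroll change", "integrity", 30_000, 0.5),
]

CANDIDATE_MEASURES = [
    Measure("offline, tested backups", 8_000, {"ransomware on file server": 0.75}),
    Measure("MFA for database administrators", 5_000, {"customer database leak": 0.6}),
    Measure("four-eyes approval for payroll changes", 20_000, {"unauthorised payroll change": 0.8}),
    Measure("endpoint detection and response", 30_000,
            {"ransomware on file server": 0.5, "customer database leak": 0.3}),
]


def run_assessment(acceptable_annual_loss: float = 30_000) -> Tuple[List[str], float]:
    chosen, residual = select_measures(RISKS, CANDIDATE_MEASURES, acceptable_annual_loss)
    return [m.name for m in chosen], residual


if __name__ == "__main__":
    for r in RISKS:
        print(f"{r.name:30s} {r.aspect:16s} expected annual loss {r.expected_annual_loss():>9,.0f}")
    print(f"inherent annual loss: {residual_annual_loss(RISKS, []):,.0f}")
    names, residual = run_assessment()
    print("selected measures:", names)
    print(f"residual annual loss: {residual:,.0f}")
```

With the constructed figures the inherent expected loss is 80,000; backups and MFA are selected, the payroll workflow and EDR are rejected because each costs more than the loss it would avoid, and the residual of 35,000 stays above the 30,000 target. That last outcome is the point of returning the residual: the analysis must either record the remaining risk as accepted or revisit the target and the candidate measures, rather than silently treating the target as reached.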

KPMG uses the SPARK method to perform risk analyses. The method has been implemented in Qubus so that KPMG IT Advisory colleagues and clients can assess risks and controls systematically and obtain a variety of analysis reports.

  • SPARK is a structured and relatively simple method for studying the risks to information and to the processes, systems and networks that support it.
  • The method also serves as a tool for selecting suitable security measures (drawn from ISO/IEC 27002) to safeguard the availability, integrity and confidentiality of information and operations.
  • SPARK is easy to use thanks to the automated support.

 SPARK