Security risk assessments continue to play a crucial role in a security team’s ability to assess and manage risks. Developed by a team of seasoned security professionals, the updated ASIS Security Risk Assessment Standard offers an up-to-date and forward-looking comprehensive and systematic approach to identifying, analyzing, and evaluating security risks, ultimately empowering organizations to safeguard their assets, mitigate threats, and enhance resilience.
The ANSI-approved Security Risk Assessment (SRA) Standard is now available, featuring a robust framework and detailed guidance that equips security practitioners with the tools and methodologies needed to conduct thorough and effective security risk assessments in diverse environments.
We sat down with Jennifer Holcomb, PE, PMP, PSP, CPP, CPD, Vice President and Security Solution Lead at Anser Advisory, part of Accenture, and SRA Technical Committee Co-Chair, to learn more about this revised Standard.
Q: How has security risk assessment changed since the standard was originally released in 2015?
A: The general concept of risk assessments has not changed. We are still trying to determine what needs to be protected and how best to protect those things against current day threats that have evolved to be more holistic in nature. This document logically presents the steps to conduct an SRA and even includes a sample outline for an SRA report.
Q: What improvements have been made to the Security Risk Assessment Standard with this revision?
A: The new standard incorporates three primary goals: integrate Enterprise Security Risk Management; focus the document on how to conduct a security risk assessment; and lastly, make this a useable tool from start to finish for assessors of all levels and roles. By meeting these goals, the overall length of the document was reduced and reorganized to make it easy to follow.
Q: Can you provide an overview of the Standard and its approach to risk assessment?
A: The Standard is set up to align with how a security professional would approach conducting a security risk assessment. This begins with the administrative aspects, such as establishing the context of the assessment and corresponding scope and deliverables. Next is preparing for the assessment. Finally, determining the risks and how to treat or mitigate them given the client’s/organization’s tolerance. Each section is further detailed, so those that have not conducted an SRA before can still follow the steps and provide a valuable document for their client or organization to act upon.
Q: How does the SRA Standard apply to security professionals across the many different sectors of the security industry?
A: We had a very well-balanced team representing different perspectives by location, industry role, and experience. The team noted differences in perspective from an internal assessor vs. external (third party consultant) as we evaluated wording and approach.
Q: How can security management professionals leverage this Standard in conversations with the c-suite?
A: The SRA Standard is a defined, repeatable, and documented process. It follows industry best practices and adapts to align with an organization’s mission, vision, and operational objectives. The SRA provides information to make decisions about risks that may impact business objectives, which may reduce corporate liabilities. Additionally, the standards developed by ASIS International are backed by the SAFETY Act of the US Department of Homeland Security, which reduces the liability for an organization should a terrorist attack occur. Reducing liability is a compelling argument to adopt this as a business decision. These are just a few reasons to discuss with the C-Suite if they have concerns about the process or reasons why an SRA should be conducted.
Jennifer Holcomb, PE, PMP, PSP, CPP, CPD, works as the vice president and security solution lead at Anser Advisory, part of Accenture, and volunteers with ASIS as co-chair of the SRA technical committee.
