Directors’ Guides to Managing Information Risk

The UK is rapidly becoming an information society not just an information economy. Across all walks of life, new information-based ways of working are emerging. Armed with good information and the expertise to use it to the full, organisations can surge ahead and become increasingly successful.

But with opportunity comes risk. Shareholders, customers and citizens place high expectations on the organisations they engage with to provide them with reliable information, to make good use of that information, and to protect that information, especially when it is personal. There are a wide range of threats, malicious and accidental, technical and non-technical, which have a bearing on an organisation’s information, and realisation of these threats can lead to significant reputational damage, operational inefficiencies, and missed opportunities. Ensuring that controls are in place to protect information is a central concern for any organisation, public or private sector, regardless of size or field.

The purpose of these guides is to help directors ensure their organisation manages its information risks well. These guides will help directors understand the challenges presented by information risk, position their organisation to address those challenges, and make sure their organisation’s information risk management arrangements are holistic and strong.

The guides can be downloaded below as Adobe Acrobat (PDF) files. They are laid out mainly for on-screen use; printer-friendly versions will be added in due course.
Directors' Guides to Managing Information Risk (downloads)

Title                                                            Owner          Last Updated  Size (KB)
Directors' Guides to Managing Information Risk - Organisation    Neil Robinson  22/04/2008    164.52
Directors' Guides to Managing Information Risk - People          Neil Robinson  22/04/2008    132.75
Directors' Guides to Managing Information Risk - Process         Neil Robinson  22/04/2008    154.73
Corporate Governance
 
Corporate governance standards are encouraging companies and public sector bodies to adopt good practices in risk management, including management of information risk. However, the Turnbull guidelines on corporate governance provide insufficient detailed guidance for Boards seeking to manage information risk. Security management standards, such as ISO 17799, provide useful tools but are not widely enough adopted and need to be complemented by management and audit mechanisms that can give Boards the assurance they currently lack.

IAAC has worked with professional bodies, such as auditors and accountants, as well as cross-sector groups such as the insurance industry and professional service firms, to develop Corporate Governance Guidelines for Information Risk Management and to encourage use of best practices.

This work drew upon IAAC’s previous studies, seminars and working groups on Critical Dependencies & Risk Management; Standards & Guidelines and Corporate Governance.

IAAC’s Initiative on corporate governance in 2002 included:

  • Implementing Corporate Governance
    - Launch of the Directors Information Assurance Network (DIAN)
  • Benchmarking Information Assurance

Consultation on Corporate Governance
Following wide consultation on, and presentation of, IAAC's Corporate Governance Paper 'Engaging the Board: Corporate Governance and Information Risk', the paper was formally issued after IAAC's 3rd Annual Symposium in October 2003. The full paper is available for download.

Benchmarking Information Assurance
Boards of UK companies and public sector organisations are becoming more aware of their responsibility for managing information risks. However, company directors and senior managers need assistance with benchmarking their organisation’s performance and understanding whether they are achieving the desired returns on their investments. This pilot survey of IAAC members is intended to help UK company directors and boards to understand the state of practices related to Information Assurance. Although drawn from a small sample, the survey covered a variety of sectors, types and sizes of organisations.

Benchmarking Information Assurance in the Telecommunications Sector
Information Assurance is making the transition from a technical activity to a senior management and board issue. However, for senior managers, what gets measured, gets managed – and vice versa. Today, most corporate boards do not have the means to assess the maturity of their organisation in respect of IA. This makes it hard for boards to assess “how much is enough.” For other stakeholders, from regulators and CIP authorities, to investors and insurers, it is difficult to determine the relative capabilities of organisations.

The objective of this project, undertaken by RAND Europe for IAAC and BT, is to derive a benchmark framework for Information Assurance maturity and capabilities in the telecommunications sector.

Insuring Digital Risk: A Roadmap for Action (John Ridd & IAAC)
The insurance industry could become the arbiter of best practice and standards in the management of the risks to which organisations are exposed due to their reliance on Information & Communication Technology. As it has in other sectors, the insurance industry could motivate suppliers to provide insurable products and provide users with clear insurable standards with which to comply. An effective insurance market would be a major step on the way to a market solution to the challenge of managing information risk.

08 February 2010 | IAAC