vsRisk
- Getting started
- Creating assets
- Creating a risk assessment
- Asset-based risk assessment
- Getting help
- Renewing and upgrading
Getting started
What is vsRisk?
Fully aligned with ISO/IEC 27001:2013, vsRisk is an online tool for conducting an information security risk assessment. With its built-in wizard, you are guided through the step-by-step process of conducting an information security risk assessment.
Users can set their risk acceptance criteria for an assessment and adjust the scales used to measure the likelihood and impact of individual risks. Once they have configured their settings, users will identify risks by selecting assets, threats and vulnerabilities, and record how they will respond to each risk, applying controls as necessary to reduce the risk to an acceptable level. vsRisk can generate the SoA (Statement of Applicability) and a risk treatment plan.
What happens after I purchase vsRisk?
You will receive an automated email with login instructions for CyberComply, the online platform that hosts vsRisk. Once you have followed the login instructions, you can begin your risk assessment.
What is CyberComply?
CyberComply is an online cyber security and compliance platform. It is developed by Vigilant Software and hosts a number of integrated tools, including Compliance Manager, the Data Flow Mapping Tool and vsRisk.
How do I use vsRisk?
When you log into CyberComply, you can navigate to vsRisk by clicking the button on the homepage (also referred to as ‘the dashboard’). This will direct you to an area where you can set up risk assessment groups.
Creating a risk assessment
How do I create a risk assessment?
Navigate to the risk assessments section from the menu at the top of the left-hand block, or by selecting vsRisk from the dashboard. You can create multiple risk assessments in vsRisk, each of which can have custom settings.
How do I configure a risk assessment?
The likelihood and impact scales are used to measure the likelihood of a risk coming to pass and the impact it would have on various aspects of the organisation. You can drag the slider to change the range of each scale and click ‘Edit’ to change the label text for each interval.
How do I change my acceptance criteria?
To configure your criteria, click ‘Edit values’ next to one of the defaults and select which squares in the grid correspond to that criterion, then click ‘OK’. When you are done, click ‘Save’.
Can I edit my impact/likelihood/acceptance criteria in the future?
You can edit this information at any point by selecting ‘Edit’ from the risk assessment’s menu. Please note that editing the settings at a later point may corrupt your assessment data.
Is there a limit to the number of assessments I can create?
No, you are free to create as many assessments as you require.
Creating an asset
How do I create a new asset?
To create an asset, navigate to the assets section using the drop-down menu at the top of the left-hand block. Next, click ‘Create new’. Enter the asset details in the pop-up that appears.
What are the required asset fields?
Type – Select the type of asset from the drop-down list.
Reference – Enter a descriptive name for the asset. This will appear on the SoA and risk treatment plan.
Operator – Enter the name of the organisation or entity that operates the asset.
Owner – Enter the name or role of the asset owner.
Location – Select the asset’s location from the drop-down list.
Click ‘Save’ to create the asset and ‘Cancel’ to close the pop-up without saving your changes.
To add multiple assets, tick the box next to ‘Add another’ before clicking ‘Save’.
Can I import my own asset register?
Yes. To upload many assets at once, click ‘Import assets’. Click ‘Download Excel template’ in the pop-up window that appears. You can then populate the template with the required fields and import it.
Asset-based risk assessment
Why use an asset-based risk assessment?
For those new to information security risk assessments, the most robust approach is an asset-based methodology, which assesses risks relative to your information assets. Information assets include information held in paper-based documents and files, intellectual property, digital information, CDs and storage devices, as well as laptops and hard drives.
How do I start the assessment?
Start by adding a risk. To add a risk to an assessment, click the menu icon next to the relevant assessment in the left-hand panel and click ‘Add’. This will open the risk assessment wizard, which will walk you through all the steps of adding a new risk.
How do I use the risk assessment wizard?
You can navigate through the different steps by clicking the items in the menu running across the top of the screen or by clicking the forward and backward arrows at the bottom of the wizard. If you have already created or uploaded assets in CyberComply, they will be listed in the central panel. You can search for assets by typing in the search bar.
How do I select threats and vulnerabilities?
Select a threat from the list that could compromise the confidentiality, integrity or availability of the asset you have selected. Once you are happy with your selection, click the forward arrow. Repeat the same action to identify vulnerabilities.
How do I assess the risk?
Assess the initial risk to the asset by selecting the point on the grid that best represents the likelihood of the threat-vulnerability combination occurring and what the impact on the confidentiality, availability and integrity of the asset would be.
How do I select a risk response?
Now that you have evaluated the risk posed to your selected asset by a threat-vulnerability combination, you can choose how to respond to the risk from the options provided. A risk can be modified, shared, retained or avoided.
What are the response definitions?
Retain – Decide to retain the risk if it is unlikely to occur, deemed to be low impact or if it is not cost-effective to modify.
Modify – Take steps to reduce or eliminate the risk’s impact and/or likelihood by implementing cost-effective controls.
Share – Engage a third party by means of insurance, outsourcing or service agreements to take over the risk on your behalf.
Avoid – Eliminate the risk. This may require removing the asset concerned or restructuring associated activities/infrastructure.
How do I select controls?
If you chose to modify the risk, you need to select which controls to implement to reduce the risk to an acceptable level. You can search for individual controls from ISO 27001 by typing directly into the search box.
How do I define the residual risk?
Review the residual risk to the asset by selecting the point on the grid that best represents the new likelihood of the threat-vulnerability combination occurring and the impact on the confidentiality, availability and integrity of the asset.
How do I finalise the risk?
To finish assessing the risk, enter the name or role of the individual responsible for managing the risk into the ‘Risk Owner’ field. Assigning a risk owner is a requirement of ISO/IEC 27001:2013.
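The configuration and wizard steps above (set the likelihood and impact scales and the acceptance criteria; pick an asset, threat and vulnerability; assess the initial risk on the grid; choose a response; select controls; record the residual risk; assign a risk owner) can be modelled as a small risk register. The following Python is an added example, not vsRisk's own code: the scale labels, the acceptance rule (any grid square whose likelihood times impact is below 6), the sample assets, threats and vulnerabilities, and the subset of Annex A control titles are all constructed for illustration. It goes slightly beyond the text by flagging treated risks whose residual risk is still outside the acceptance criteria.

```python
"""Toy asset-based risk register that mirrors the vsRisk wizard steps.

Added illustration, not vsRisk code: scale labels, acceptance criteria,
assets, threats, vulnerabilities and the control subset are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Likelihood and impact scales. vsRisk lets you drag the range and edit the
# interval labels; here both are fixed 1-5 scales with constructed labels.
LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost certain"}
IMPACT = {1: "Negligible", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Severe"}

# Acceptance criteria: the grid squares the organisation will retain without
# treatment. Constructed rule: any square whose likelihood x impact is below 6.
ACCEPTABLE = {(l, i) for l in LIKELIHOOD for i in IMPACT if l * i < 6}

RESPONSES = ("retain", "modify", "share", "avoid")

# Constructed subset of ISO/IEC 27001:2013 Annex A control titles.
CONTROL_SET = {
    "A.9.4.2": "Secure log-on procedures",
    "A.10.1.1": "Policy on the use of cryptographic controls",
    "A.11.2.6": "Security of equipment and assets off-premises",
    "A.12.2.1": "Controls against malware",
    "A.12.3.1": "Information backup",
}


@dataclass
class Asset:
    """The five required asset fields from the asset pop-up."""
    reference: str
    asset_type: str
    operator: str
    owner: str
    location: str


@dataclass
class Risk:
    """One asset / threat / vulnerability combination from the wizard."""
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int          # initial assessment on the grid
    impact: int
    response: str            # retain, modify, share or avoid
    risk_owner: str          # required to finalise the risk
    controls: List[str] = field(default_factory=list)
    residual_likelihood: Optional[int] = None
    residual_impact: Optional[int] = None

    def __post_init__(self) -> None:
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError("likelihood/impact outside the configured scales")
        if self.response not in RESPONSES:
            raise ValueError(f"unknown response {self.response!r}")
        if not self.risk_owner.strip():
            raise ValueError("a risk owner is required to finalise the risk")
        if self.response == "modify" and not self.controls:
            raise ValueError("'modify' requires at least one control")
        unknown = [c for c in self.controls if c not in CONTROL_SET]
        if unknown:
            raise ValueError(f"controls not in the control set: {unknown}")
        # Until treatment is applied the residual risk equals the initial risk.
        if self.residual_likelihood is None:
            self.residual_likelihood = self.likelihood
        if self.residual_impact is None:
            self.residual_impact = self.impact

    def initial_point(self) -> Tuple[int, int]:
        return (self.likelihood, self.impact)

    def residual_point(self) -> Tuple[int, int]:
        return (self.residual_likelihood, self.residual_impact)

    def is_acceptable(self) -> bool:
        """True when the residual risk sits inside the acceptance criteria."""
        return self.residual_point() in ACCEPTABLE


def treatment_plan(risks: List[Risk]) -> List[Dict[str, object]]:
    """Rows of a risk treatment plan: every risk that is not simply retained,
    flagged when its residual risk is still outside the acceptance criteria."""
    rows = []
    for r in risks:
        if r.response == "retain":
            continue
        rows.append({
            "asset": r.asset.reference, "threat": r.threat,
            "vulnerability": r.vulnerability, "response": r.response,
            "controls": list(r.controls), "initial": r.initial_point(),
            "residual": r.residual_point(), "owner": r.risk_owner,
            "acceptable": r.is_acceptable(),
        })
    return rows


def statement_of_applicability(risks: List[Risk]) -> Dict[str, bool]:
    """A control is applicable if at least one risk treatment relies on it."""
    used = {c for r in risks for c in r.controls}
    return {cid: cid in used for cid in CONTROL_SET}


# Constructed sample register.
laptop = Asset("Finance laptop FIN-07", "Hardware", "Example Ltd", "Head of Finance", "Head office")
backups = Asset("Payroll database backups", "Information", "Example Ltd", "IT Manager", "Data centre")

REGISTER = [
    Risk(laptop, "Theft of equipment", "Unencrypted local disk", 4, 4,
         "modify", "IT Manager", ["A.10.1.1", "A.11.2.6"],
         residual_likelihood=2, residual_impact=2),
    Risk(backups, "Ransomware", "No offline backup copy", 3, 5,
         "modify", "IT Manager", ["A.12.2.1", "A.12.3.1"],
         residual_likelihood=2, residual_impact=3),   # still outside the criteria
    Risk(laptop, "Shoulder surfing in public", "Screen visible to bystanders", 2, 2,
         "retain", "Head of Finance"),
]

if __name__ == "__main__":
    for row in treatment_plan(REGISTER):
        print(row)
    print(statement_of_applicability(REGISTER))
```

Running the register prints two treatment-plan rows (the retained risk is omitted) and an SoA in which every control except A.9.4.2 is marked applicable. The second row is flagged as not acceptable, which is the check a reviewer of the treatment plan wants: a risk that was modified but whose residual point still falls outside the acceptance criteria needs further controls or a different response.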
What reports does vsRisk produce?
Risk treatment plan – To print the risk treatment plan, navigate to the risk assessment you’re interested in and click the report icon next to it.
Statement of Applicability – To generate the SoA, navigate to the ISO/IEC 27001:2013 control set using the drop-down menu at the top of the left-hand panel. Click on the report icon that appears to the right of the screen.
How do I change the status of my controls?
Please refer to our Compliance Manager FAQ page for more information.
Getting help
Is there a user guide?
Yes. If you would like a PDF copy of the user guide, please click here to download.
Is there any training/support available?
Our service centre provides technical support. If you are looking for expert advice on implementing ISO 27001, you can also purchase consultancy support, which is available in a variety of formats.
Can I get consultancy support?
Yes. You can purchase Live Online consultancy by the hour or contact the service centre to discuss your consultancy needs.
Renewing and upgrading
I purchased vsRisk last year but can’t access my account. Why?
Licences for vsRisk expire after one month or one calendar year, depending on the subscription. To renew your licence, please visit our webshop or contact the service centre for more advice.
I’ve bought vsRisk but would like to upgrade to the joint package with Compliance Manager. How do I do this?
Simply purchase a Compliance Manager package from the Vigilant Software webshop or contact the service centre for more advice.
If I have vsRisk and it’s time to renew, can I switch to the joint package with Compliance Manager?
Yes. You simply need to purchase the appropriate package from the Vigilant Software webshop.
See the vsRisk manual, or, to get started, follow the link to our quick start guide.