The Organizational Risk Assessment (ORA) is the easiest way to get started with risk assessments in Diri. The Diri ORA asks you to briefly describe the parts of your organization that affect cybersecurity, such as industrial classification, number of employees, internal and external requirements, and key business products and deliveries. In short, it is a strategic risk assessment of your business.
The ORA is a tool for staking out the direction of the risk management program together with the key stakeholders and decision-makers in your organization.
The ORA allows you to conduct a risk assessment of overarching, strategic risks that are not bound to a single system. The ORA in Diri has two strategic purposes. The first is to quickly identify the business-critical ICT systems and register them in the Diri portfolio. The best way to achieve this is to discuss the business value chain and how ICT systems support the core business processes. This discussion will flush out several critical ICT systems, but not all of them: some of the domain knowledge resides with the IT experts, so be sure to include them in the discussion.
As with the ICT systems, the ORA also allows you to rapidly list all your existing global security controls. A global security control is a treatment that affects risks on more than one system. Examples of such controls are security guidelines, firewalls, and single sign-on solutions.
The second purpose of the ORA is to stake out the direction of the risk management program. The ORA asks for the organization's most significant cybersecurity concerns; these are added to the ORA and can be used to give direction to future risk assessments in the organization. For example, if ransomware is the key concern, this risk should be inherited by all subsequent risk assessments. The same goes for information assets: business-critical assets can be identified and added in the ORA and re-used throughout the organization.
(Re-use of risks and assets in Diri currently requires that the ORA is shared with other users)
If you are about to do your first risk assessment in your organization, the ORA should be your go-to choice. Use it to define the critical risks for the organization and to quickly populate the ICT systems portfolio and the list of existing treatments.
The ORA is also the best choice if you need to do an overarching cybersecurity audit of your organization.
Choose the ORA using the Diri helper on the Dashboard. Fill out the requested information and spend time on the fields for adding IT systems, risks, assets, and controls (illustrated below). These fields are currently only available through the ORA form, and all of them are essential to the relevance of the risk assessment results, so make sure to make good use of them.