Key Preparations for a Successful Security Risk Assessment Project
Doug Landoll, Lantego

Conducting a thorough security risk assessment is a critical step in strengthening an organization's defenses. Prior to the on-site arrival of the assessment team, several preliminary tasks must be completed to ensure the process runs efficiently. These tasks include introducing the team, obtaining necessary permissions, and reviewing available data and documentation.

1. Introducing the Team

Establishing a strong foundation is key to any project’s success. Introducing the security risk assessment team to the client organization is vital for building trust and ensuring transparency. Whether the client is already familiar with the team or meeting them for the first time, formalizing this introduction—either through a project kickoff call or a detailed letter—sets a professional tone and ensures all parties are on the same page.

In this introduction, it’s important to share the credentials of the assessment team and key contact information. This gives the client confidence in the professionalism and expertise of the team. A kickoff meeting or call helps both parties understand the project’s scope and the timeline for on-site assessments.

2. The Importance of Open Communication

In certain rare cases, an organization may ask for the assessment to be conducted covertly so that staff are not alerted. This can show how security measures actually operate day to day, without the bias that comes from people knowing they are being observed, but it is not the typical approach. A covert engagement also needs written authorization from an executive sponsor and a small group of informed contacts, so that assessment activity is not mistaken for a real intrusion and the team can be reached if something goes wrong. For most assessments, open collaboration with personnel is the better choice: involving staff in interviews and data gathering produces more detailed findings and fosters a partnership atmosphere.

3. The Introductory Letter

An introductory letter is often the first formal communication between the team and the client. It lays out the project’s framework and key details such as:

  • Points of Contact: Essential for keeping communication lines open, both for the client and the assessment team.
  • Reference to the Statement of Work (SOW): Ensures both parties have clarity on the project’s objectives and scope.
  • Project Dates: Outlines when on-site activities will take place and when the project is expected to conclude.
  • Data Requests: Lists any documents or data needed from the client to prepare for the assessment, such as security policies, network diagrams, or previous risk assessments.
  • On-Site Requirements: Details the physical and technical access the team will need, from workspace setups to system access permissions. Requested accounts and network access should be scoped to what the assessment actually requires, granted for the engagement window only, and revoked when the on-site work ends.

4. Project Kickoff Call

A kickoff call can provide a more interactive and engaging introduction to the assessment project. Though it may require coordination of schedules, it offers an opportunity for immediate clarification of any questions or concerns and helps to foster a collaborative approach. The agenda typically mirrors that of the introductory letter but with added opportunity for discussion.

5. Pre-Assessment Briefing: Setting Expectations

A pre-assessment briefing is crucial for establishing clear expectations with the client. By communicating openly, the organization will understand the purpose of the risk assessment and what outcomes to anticipate. This meeting should highlight that the assessment isn’t meant as a scorecard or judgment but as a foundational tool for planning improvements.

  • Not a Scorecard, but a Planning Tool: Emphasize that the results should not be taken as a reflection of staff performance but rather as an indicator of where resources, such as budget and personnel, may need to be allocated.
  • First Step in Risk Management: Help the client see how the assessment fits into the broader context of their security strategy.
  • Numerous Findings are Normal: Reassure the organization that multiple findings—both large and small—are typical and part of the process.
  • No Quick Fixes: Not all recommendations will be easily or immediately actionable. While some issues may require urgent attention, others will require longer-term strategic planning.

6. What the Team Needs to Know

Finally, the pre-assessment briefing gives the organization an opportunity to share information that could influence the assessment. Open-ended questions from the assessment team can prompt the client to mention upcoming events (such as maintenance windows, audits, or system migrations), planned changes to security infrastructure, or any special considerations for the on-site visit, such as areas with restricted physical access.


By laying out these foundational steps clearly and proactively, organizations can ensure a smooth, productive, and successful security risk assessment project that yields actionable insights for future security improvements.

Discussion summarized and modified from The Security Risk Assessment Handbook.

Contact Lantego for information on how we can support your security risk assessment needs.
