As Ekaterina (Katja) Zuckermann formulates well, risk is contextual and without understanding the full context typically you end up with a faulty compliance control catalogue validation rather than a risk assessment.
What I’ve found useful is to start the discussion with stakeholders by understanding the system properties, preferably documented in a security concept, a document type that is widely used for military classified systems but not typically found in commercial enterprises.
You might have technical architecture, system components and business process workflows out the wazoo, but no concept that shows the context of the system and the threats, risks and controls that actually matter.
What follows is a journey of discovery and mutual understanding, for me and for the stakeholders responsible for owning, building, running or managing the systems, about what really matters, including the integration of enterprise security controls.
So it’s always a pleasure to discuss well-formulated system risk scenarios with stakeholders who also have the best insight, from a business perspective, into what matters most.
Stakeholders themselves actively participate in these risk discussions and set priorities from a business perspective.
For me it’s a win-win. I get to learn the core of the business system context; they gain a better understanding of the system’s business-related risks and can decide what to accept or not, and what to invest in or not.
Security concepts contain both principles and patterns that can be reused. This enables enterprises to promote certain standards for different types of systems.
Related reading: System Security Concepts Article Series, a deep dive into implementing security concepts within enterprise ISMS frameworks, from foundational principles to practical templates.
Inspired by: Ekaterina (Katja) Zuckermann’s post on GRC and audit functions