
Enterprise Security Risk Management

Enterprise Security Risk Management (ESRM)


Our Enterprise Security Risk Management (ESRM) methodology is the cornerstone of our converged security offering. ESRM is the framework that describes what we do and how we do it. It is focused on ensuring the correct controls are correctly deployed and monitored to deliver the appropriate level of security for an organisation. It is consistent with Enterprise Risk Management (ERM) concepts and aligned to the ISO 31000 Risk Management Standard.


ESRM is the management of any security risk using established risk principles, and includes the following five steps. These steps form a continuous loop for improved risk management:


1. Identify and prioritise assets

This step covers identifying and prioritising the enterprise's assets (people, customers, processes, information, facilities, reputation, regulatory obligations, etc.). It involves engagement and collaboration within the Security Partnership to understand the value of each asset and its importance to the enterprise's mission and goals.


2. Identify and prioritise risks

This step involves understanding how risks relate to the value of assets. It identifies the probability and potential impact of each risk on an asset and the vulnerability of assets to security threats, including an assessment of existing security controls. Its output informs the development of the security solution.


3. Mitigate the risks

This step encompasses the identification and deployment of the security solution, including protective security, electronic security, personnel security and information security.


4. Incident response

This step includes incident response, crisis management and fraud, forensic and insider-threat investigations relating to a risk that has been realised and has resulted in a breach of existing security controls.


5. Ongoing risk assessment

This step is the continuous or periodic monitoring of the changing risk landscape. It includes the identification and assessment of new enterprise objectives, risks, assets and vulnerabilities; the reassessment of existing objectives, risks, assets and vulnerabilities; the external and internal risk context; and the condition, efficacy and performance of security controls.


Ultimately, ESRM can help provide the complete picture of threats facing an organisation and then address these risks by implementing the appropriate controls and maintaining compliance with relevant external standards and guidelines (ISO 27000, PSR, NIST, ASD Essential Eight, etc.).


Mapping our solutions to ESRM


The ESRM framework enables us to present our customers with an overview that puts them at the core of a holistic view of the risks they face, and of the strategies and controls that Optic can recommend and deploy to mitigate those risks and protect their customers, information and people.


Optic structures its operations and security risk solutions according to the above five-step framework. The following table illustrates this with a small selection of our services. The table's column headings are the five ESRM steps:

Identify Assets
Identify Risks
Mitigate Risks
Incident Response
Ongoing Assessment

The services listed in the table are:

Security Vulnerability Assessment
Converged Security Risk Assessment
Security System Design
Business Continuity Plan
Periodic Site Security Audit
Risk Management Plan
Security System Installation
Alarm Monitoring Response
Asset Management Plan
Threat and Risk Assessment
Service and Maintenance
Security Operations Centre
Service and Maintenance Plan
Cyber Intelligence Centre
Cloud Hosted Enterprise Security Services
Threat and Risk Assessment Reviews

Structuring our solutions on the ESRM framework assures our customers that the security solutions we recommend and install are commensurate with the risks they are designed to mitigate, fit for purpose, responsive to change, regularly serviced and future-proof.



For a no-obligation discussion about how our Enterprise Security Risk Management approach can make your organisation more resilient to security risk, contact us today.