Can Security Baselines replace Risk Analysis?

  • Solms R

This article is free to access.

Abstract

To protect the information systems of an organization, an appropriate set of security controls needs to be installed and managed properly. Many organizations that can afford it either conduct a risk analysis exercise themselves or outsource the process to a consultant. Through such an exercise, the most effective set of controls is recommended. Organizations that cannot afford a risk analysis exercise, or cannot conduct it themselves, install controls on an ad hoc basis, with the result that many important business areas might be underprotected and vice versa. Security baselines have provided some guidelines to these organizations on which controls are, under general circumstances, the most effective to install to provide an acceptable level of protection. If an organization requires a higher level of protection in certain areas, a risk analysis can be conducted in those particular areas. As security baselines improve, the need for a further risk analysis will obviously decrease. Will a situation arise where security baselines are so extensive that no need exists for any further risk analysis exercise?

Citation (APA)

Solms, R. (1997). Can Security Baselines replace Risk Analysis? In Information Security in Research and Business (pp. 91–98). Springer US. https://doi.org/10.1007/978-0-387-35259-6_8
