
ISO 27001 Risk Assessments

ISO 27001 is the international best practice standard for an Information Security Management System (ISMS). Conducting an information security risk assessment is at the core of Information Security Management.

Continue reading to find out more about existing risk assessment standards, resources and tools.

To take a trial of vsRisk, the cyber security risk assessment tool, click here.


Risk Assessment Standards

An ISMS which is developed and based on risk acceptance / rejection criteria, and which uses third-party accredited certification to provide independent verification of the level of assurance, is an extremely useful management tool. It offers the opportunity to define and monitor service levels internally as well as in contractor/partner organisations, by demonstrating the extent to which there is effective control of those risks for which directors and senior management are accountable.

There are a number of other information security and risk assessment standards that support, or are similar to, ISO 27001 including:

  • ISO 27005:2011 (The Information Security Risk Management Standard)
  • BS7799-3 (The British Risk Assessment Standard)
  • ISO/IEC TR 13335-3:1998
  • NIST SP 800-30 and NIST SP 800-53

ISO 27005:2011

ISO 27005:2011 (ISO 27005) provides guidelines for information security risk management. It supports the general concepts specified in ISO/IEC 27001. ISO 27005 is designed to assist the satisfactory implementation of information security based on a risk management approach.

Buy the ISO27005 Standard (hardcopy or download) here

Risk Management

In today's information economy, the protection of information assets ('information security') has become a fundamental board responsibility. Information security management (defined as 'the protection of information from a wide range of threats in order to ensure business continuity, minimise business risk, and maximise return on investments and business opportunities') is essential for any organisation in both the private and public sectors.

ISO 27001 is a specification that sets out the requirements for an Information Security Management System (ISMS). ISO 27001 explicitly requires the organisation to carry out a risk assessment, says that the risk assessment must be based on agreed risk acceptance criteria (which are to be used when analysing risk), and requires that risk assessments produce consistent, valid and comparable results.

When following an asset-based information security risk assessment methodology, the assessment must, for each asset within scope, identify the threat/vulnerability combinations that have a likelihood of impacting the confidentiality, availability or integrity of that asset - from a business, compliance or contractual perspective.

Information security management decisions are entirely driven by specific decisions made as an outcome of a risk assessment in relation to identified risks and specific information assets. Risk assessment enables expenditure on controls to be balanced against the business harm likely to result from security failures.
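As an added worked example (not part of this page, and not code from vsRisk or IT Governance), the following Python script implements the asset-based method described above: for each in-scope asset, every threat/vulnerability combination is scored against the confidentiality, integrity and availability of that asset, the impact is taken from the worst of the business, legal and contractual perspectives, and the resulting score is compared with an agreed risk acceptance threshold. The register is validated and deterministically ordered so that results are consistent and comparable between runs. The 1..5 scales, the threshold of 8, and the assets, threats and vulnerabilities are constructed assumptions for illustration; ISO 27005 leaves the choice of scales and acceptance criteria to the organisation.

```python
"""Asset-based information security risk assessment (illustrative, constructed data).

For each asset in scope, score each threat/vulnerability combination against the
confidentiality, integrity and availability of the asset, taking the impact from the
worst of the business, legal and contractual perspectives, and compare the score with
an agreed acceptance threshold. Scales, threshold and sample data are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

CIA = ("confidentiality", "integrity", "availability")
BLC = ("business", "legal", "contractual")
SCALE_MIN, SCALE_MAX = 1, 5   # assumed 1..5 scales for both likelihood and impact
ACCEPTANCE_THRESHOLD = 8      # assumed: a score of 8 or below is accepted without treatment


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str
    # impact[cia][blc] = harm (1..5) if that property of the asset is lost, from that perspective
    impact: Dict[str, Dict[str, int]]


@dataclass(frozen=True)
class ThreatVulnerability:
    threat: str
    vulnerability: str
    affects: Tuple[str, ...]   # which of the CIA properties this combination can compromise
    likelihood: int            # 1..5


@dataclass(frozen=True)
class RiskEntry:
    asset: str
    threat: str
    vulnerability: str
    cia_property: str   # the property at risk
    perspective: str    # the perspective (business/legal/contractual) giving the highest impact
    likelihood: int
    impact: int
    score: int          # likelihood x impact
    accepted: bool      # True when the score is within the acceptance threshold


def _in_scale(value) -> bool:
    return isinstance(value, int) and SCALE_MIN <= value <= SCALE_MAX


def validate(asset: Asset, pair: ThreatVulnerability) -> None:
    """Reject inputs that would make results inconsistent or incomparable."""
    for prop in CIA:
        for view in BLC:
            if not _in_scale(asset.impact.get(prop, {}).get(view)):
                raise ValueError(f"{asset.name}: impact[{prop}][{view}] must be {SCALE_MIN}..{SCALE_MAX}")
    if not _in_scale(pair.likelihood):
        raise ValueError(f"{pair.threat}: likelihood must be {SCALE_MIN}..{SCALE_MAX}")
    if not pair.affects or set(pair.affects) - set(CIA):
        raise ValueError(f"{pair.threat}: affects must be a non-empty subset of {CIA}")


def assess(asset: Asset, pairs: List[ThreatVulnerability], threshold: int) -> List[RiskEntry]:
    """Score every threat/vulnerability combination against every CIA property it can affect."""
    entries: List[RiskEntry] = []
    for pair in pairs:
        validate(asset, pair)
        for prop in pair.affects:
            # Impact of losing this property is the worst case across the three perspectives;
            # ties resolve in BLC order so the chosen perspective is repeatable.
            perspective = max(BLC, key=lambda view: (asset.impact[prop][view], -BLC.index(view)))
            impact = asset.impact[prop][perspective]
            score = pair.likelihood * impact
            entries.append(RiskEntry(asset.name, pair.threat, pair.vulnerability, prop,
                                     perspective, pair.likelihood, impact, score, score <= threshold))
    return entries


def risk_register(scope: List[Tuple[Asset, List[ThreatVulnerability]]], threshold: int) -> List[RiskEntry]:
    """Merge per-asset results into one register, highest risk first, in a deterministic order."""
    register = [e for asset, pairs in scope for e in assess(asset, pairs, threshold)]
    return sorted(register, key=lambda e: (-e.score, e.asset, e.threat, CIA.index(e.cia_property)))


def risks_requiring_treatment(register: List[RiskEntry]) -> List[RiskEntry]:
    """Entries above the acceptance threshold: candidates for the risk treatment plan."""
    return [e for e in register if not e.accepted]


def build_sample_register() -> List[RiskEntry]:
    """Constructed sample scope (hypothetical assets; not from any real organisation)."""
    customer_db = Asset("customer database", "Head of Operations", {
        "confidentiality": {"business": 4, "legal": 5, "contractual": 4},
        "integrity":       {"business": 3, "legal": 4, "contractual": 3},
        "availability":    {"business": 3, "legal": 2, "contractual": 4},
    })
    website = Asset("public website", "Marketing Manager", {
        "confidentiality": {"business": 1, "legal": 1, "contractual": 1},
        "integrity":       {"business": 3, "legal": 2, "contractual": 2},
        "availability":    {"business": 3, "legal": 1, "contractual": 2},
    })
    scope = [
        (customer_db, [
            ThreatVulnerability("credential phishing", "no MFA on administrator accounts",
                                ("confidentiality", "integrity"), 4),
            ThreatVulnerability("ransomware", "backup host missing security patches", ("availability",), 3),
            ThreatVulnerability("disk failure", "single storage node, no redundancy", ("availability",), 2),
        ]),
        (website, [
            ThreatVulnerability("web defacement", "outdated CMS plugin", ("integrity", "availability"), 3),
        ]),
    ]
    return risk_register(scope, ACCEPTANCE_THRESHOLD)


if __name__ == "__main__":
    for e in build_sample_register():
        flag = "ACCEPT" if e.accepted else "TREAT "
        print(f"{flag} {e.score:2d}  {e.asset:<18} {e.cia_property:<15} "
              f"{e.threat} / {e.vulnerability} ({e.perspective})")
```

With the sample data, the register contains six entries: one per threat/vulnerability combination per affected property. Only the disk-failure entry (likelihood 2, contractual impact 4, score 8) falls within the assumed threshold; the other five would feed the risk treatment plan, which is exactly the balancing of control spend against likely business harm that the text describes.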

To build your knowledge of risk assessment and risk management, IT Governance recommends the following books as a sensible starting point:

To acquire the skills needed to undertake an asset-based information security risk assessment that follows the best-practice guidance in ISO 27005 and meets the ISO 27001 requirements, we recommend the following training courses:

Risk Assessment Tools

It is extremely difficult to carry out an asset-based risk assessment that will meet the requirements of ISO 27001 without using a specialist information security risk assessment tool. While a wide range of products on the market claim to meet these requirements, the reality is that very few do. IT Governance recommends the following professional information security risk assessment tool, which has been specifically designed to carry out a risk assessment that meets the ISO 27001 requirements:


vsRisk is straightforward and quick to use; it can save you a significant amount of the budget you might otherwise spend on consultancy advice at this stage of the project. 

One consultancy firm told us:

"Why would we want to use this with our clients when it is going to reduce the number of days we can bill them?"

If you want to reduce the number of days your consultants will bill you for, then look no further than vsRisk.

vsRisk helps you perform information security risk assessments quickly and easily:

  • Automates and delivers an ISO/IEC 27001-compliant asset-based information security risk assessment
  • Follows an asset-by-asset risk assessment report
  • Provides a set of 3 pre-populated control sets to choose from: ISO 27001:2013, ISO 27001:2005 or ISO 27032 (cyber security standard)
  • Assesses the confidentiality, integrity and availability in relation to the business, legal and contractual elements of the assets simultaneously
  • Includes a searchable and fully integrated ISO 27005-compliant threat and vulnerability database
  • Delivers a set of exportable and reusable ISO 27001-compliant reports, such as the Statement of Applicability, Risk Comments Report and Risk Treatment Plan
  • Customisable risk acceptance threshold and risk management scales
  • Easy to use and simple user interface

[Screenshot: Navigation Screen]

[Screenshot: vsAsset Monitor]

[Screenshot: Assessment Screen]

User interface: Enables user to select the CIA and the BLC for the relevant asset

Produces an ISO 27001-compliant Statement of Applicability

Produces an ISO 27001-compliant Risk Treatment Plan

vsRisk has been designed with the user in mind, empowering the user to comply with the requirements of ISO 27001 and effectively assess and align their total information assets with their objectives.

BUY ISO27001 TRAINING

ISO27001 Certified ISMS Lead Implementer Masterclass
