Risk assessments are one of the most important parts of an organisation’s ISO 27001 compliance project. It’s impossible to prepare for every risk that you might be vulnerable to, so you should use the assessment stage to gauge your biggest priorities.
Performing a risk assessment can be tricky, but this blog simplifies the process by breaking it down into five steps.
Establish a risk management framework
These are the rules governing how you intend to identify risks; who you assign risk ownership to; how the risks affect the confidentiality, integrity and availability of the information; and the method of calculating the estimated damage of each scenario and the likelihood of it occurring.
A formal risk assessment methodology needs to address four issues:
- Baseline security criteria
- Risk scale
- Risk appetite
- Scenario- or asset-based risk assessment
Identifying the risks that can affect the confidentiality, integrity and availability of information is the most time-consuming part of the risk assessment process.
We recommend following an asset-based approach. Developing a list of information assets is a good place to start, and if you can find an existing list, most of the work will already be done.
You must identify the threats and vulnerabilities that apply to each asset. For instance, if the threat is ‘theft of mobile device’, the vulnerability is ‘lack of formal policy for mobile devices’.
After you’ve done this, you should assign impact and probability values based on your risk criteria.
You need to weigh each risk against your predetermined levels of acceptable risk (i.e. your risk appetite), and determine which risks you need to address and which ones you can ignore.
Select risk treatment options
There are four ways you can treat a risk:
- Avoid the risk by eliminating it entirely
- Modify the risk by applying security controls
- Share the risk with a third party (through insurance or by outsourcing it)
- Retain the risk (if the risk falls within established risk acceptance criteria)
Learn more about risk assessments
We provide a more detailed breakdown of these steps in our free green paper: Risk Assessment and ISO 27001. It also explains:
- The relationship between ISO 27001 and ISO 31000, the international standard that describes best practices for risk management;
- Things to avoid when performing a risk assessment;
- The importance of risk assessments to the ISO 27001 Statement of Applicability; and
- How to make your risk assessments as cost-effective as possible.
Those looking for hands-on help conducting a risk assessment should take a look at our risk assessment software, vsRisk™. It provides a simple and fast way to identify relevant threats, and delivers repeatable, consistent assessments year after year.
Its integrated risk, vulnerability and threat database eliminates the need to compile a list of potential risks, and the built-in control helps you comply with multiple frameworks.