7 steps to a successful ISO 27001 risk assessment

At the core of an ISO 27001 information security management system (ISMS) is the information security risk assessment: the controls you implement, and the justification you give an auditor for them, both flow from it.

What is an information security risk assessment?

An information security risk assessment is the process of identifying the risks to your information, evaluating how likely each one is and how much harm it would do, and deciding how each should be treated.

Your organisation’s risk assessor identifies the risks the organisation faces, scores them against an agreed scale and records the results and the treatment decisions in a risk register.

The risk assessment will often be asset-based, whereby risks are assessed relative to your information assets. It should be conducted across the whole organisation, not just the IT function.

ISO 27001 explicitly requires a risk management process: security controls are selected and justified by the results of risk assessment and treatment, taking account of the organisation’s regulatory, legal and contractual obligations.

7 steps to effective ISO 27001 risk management

Conducting a risk assessment can be daunting, but we have simplified the process into seven steps:

  1. Define your risk assessment methodology

ISO 27001 does not prescribe a specific risk assessment methodology, but it does require you to define one and apply it consistently, so that repeated assessments produce comparable results. The methodology needs to settle four things: the baseline security criteria, the scale on which impact and likelihood are scored, the organisation’s risk appetite (the level of risk it is prepared to accept without further treatment), and whether the assessment will be scenario-based or asset-based.

  2. Compile a list of your information assets

If opting for an asset-based risk assessment, you should work from an existing list of information assets, which includes hard copies of information, electronic files, removable media, mobile devices and intangibles, such as intellectual property. Each asset should have a named owner, who will also own the risks to it.

  3. Identify threats and vulnerabilities

Identify the threats and vulnerabilities that apply to each asset. A threat is something that could cause harm, such as ‘theft of mobile device’; a vulnerability is a weakness the threat could exploit, such as a device whose storage is not encrypted. A risk exists where a threat and a vulnerability meet on an asset.

  4. Evaluate the extent of the risk

Assign an impact value and a likelihood value to each risk using the scale fixed in your methodology. Combining the two (most simply, multiplying them) gives a risk level that can be compared against your risk appetite and used to rank risks for treatment.

  5. Mitigate the risks to reduce them to an agreed and acceptable level

Every risk above your appetite needs a treatment decision. The options are commonly summarised as the four Ts: ‘terminate’ the risk by eliminating the activity that causes it, ‘treat’ the risk by applying security controls, ‘transfer’ the risk to a third party (for example through insurance or outsourcing), or ‘tolerate’ the risk. The residual risk that remains after treatment must be formally accepted by the risk owner.

  6. Compile risk reports

ISO 27001 requires your organisation to produce a set of reports for audit and certification purposes, the most important being the Statement of Applicability (SoA), which lists every Annex A control together with whether it applies and why, and the risk treatment plan (RTP), which records the treatment chosen for each risk and who is responsible for carrying it out.

  7. Review, monitor and audit

ISO 27001 requires your organisation to continually review, update and improve the ISMS so that it remains effective and keeps pace with a constantly changing threat environment. The risk assessment must be repeated at planned intervals and whenever significant changes are proposed or occur.
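The seven steps above, carried through in a small Python risk register. This is an added example, not code from the page and not vsRisk’s; the five-point scales, the appetite threshold of 6, the assets, threats, vulnerabilities and scores, and the handful of Annex A control identifiers are all assumptions chosen for illustration.

```python
"""Asset-based ISO 27001 risk register: scoring, appetite check, treatment decisions
and the SoA/RTP outputs. Added illustration: every scale, threshold, asset and
control identifier here is an assumption, not taken from the page."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

SCALE = range(1, 6)   # step 1 (assumed methodology): impact and likelihood scored 1-5
RISK_APPETITE = 6     # risk level = impact x likelihood; 6 or below is tolerable

# Illustrative subset of ISO 27001:2022 Annex A; verify against your own copy.
CONTROL_CATALOGUE = {
    "A.5.31": "Legal, statutory, regulatory and contractual requirements",
    "A.7.10": "Storage media",
    "A.8.1": "User endpoint devices",
    "A.8.13": "Information backup",
    "A.8.24": "Use of cryptography",
}

class Treatment(str, Enum):
    TOLERATE = "tolerate"
    TREAT = "treat"
    TRANSFER = "transfer"
    TERMINATE = "terminate"

@dataclass
class Risk:
    asset: str             # step 2: an entry from the asset inventory
    owner: str             # asset owner, who also accepts the residual risk
    threat: str            # step 3: what could cause harm
    vulnerability: str     # step 3: the weakness the threat would exploit
    impact: int            # step 4, on SCALE
    likelihood: int        # step 4, on SCALE
    treatment: Optional[Treatment] = None
    controls: list = field(default_factory=list)
    residual_impact: Optional[int] = None
    residual_likelihood: Optional[int] = None

    def __post_init__(self):
        if self.impact not in SCALE or self.likelihood not in SCALE:
            raise ValueError("impact and likelihood must be on the 1-5 scale")

    @property
    def score(self) -> int:
        return self.impact * self.likelihood

    @property
    def residual_score(self) -> int:
        # Level after treatment; an untreated or tolerated risk keeps its inherent score.
        if self.treatment is Treatment.TERMINATE:
            return 0
        if self.treatment in (Treatment.TREAT, Treatment.TRANSFER):
            return self.residual_impact * self.residual_likelihood
        return self.score

def treat(risk, treatment, controls=(), residual_impact=None, residual_likelihood=None):
    """Step 5: record a treatment decision and check it against the methodology."""
    if treatment is Treatment.TOLERATE and risk.score > RISK_APPETITE:
        raise ValueError(f"'{risk.threat}' scores {risk.score}, above appetite: cannot tolerate")
    if treatment in (Treatment.TREAT, Treatment.TRANSFER):
        if residual_impact not in SCALE or residual_likelihood not in SCALE:
            raise ValueError("treat/transfer must state residual impact and likelihood")
        if unknown := set(controls) - set(CONTROL_CATALOGUE):
            raise ValueError(f"controls not in the catalogue: {sorted(unknown)}")
    risk.treatment, risk.controls = treatment, list(controls)
    risk.residual_impact, risk.residual_likelihood = residual_impact, residual_likelihood
    return risk

def ranked(register):  # highest inherent risk first: the order to discuss treatment in
    return sorted(register, key=lambda r: r.score, reverse=True)

def open_risks(register):  # step 7 check: still above appetite, so still needs a decision
    return [r for r in register if r.residual_score > RISK_APPETITE]

def risk_treatment_plan(register):
    """Step 6: the RTP covers every risk being treated, transferred or terminated."""
    return [{"asset": r.asset, "owner": r.owner, "threat": r.threat, "score": r.score,
             "treatment": r.treatment.value, "controls": r.controls,
             "residual": r.residual_score}
            for r in ranked(register) if r.treatment not in (None, Treatment.TOLERATE)]

def statement_of_applicability(register):
    """Step 6: every control, whether it applies, and the justification either way."""
    soa = {}
    for cid, title in CONTROL_CATALOGUE.items():
        reasons = [r.threat for r in register if cid in r.controls]
        soa[cid] = {"title": title, "applicable": bool(reasons),
                    "justification": "selected to treat: " + "; ".join(reasons)
                    if reasons else "no risk in the register requires this control"}
    return soa

def build_example_register():
    """Constructed sample data for steps 2-5 (not real assets or incidents)."""
    register = [
        Risk("Sales team laptops", "Head of Sales", "theft of mobile device",
             "full-disk encryption not enforced", 4, 3),
        Risk("Customer database", "CTO", "ransomware", "backups never restore-tested", 5, 3),
        Risk("HR personnel files (paper)", "HR Manager", "fire in records room",
             "single paper copy, nothing scanned", 3, 1),
        Risk("Card payment processing", "CFO", "theft of card data",
             "card numbers held on in-house servers", 5, 2),
    ]
    treat(register[0], Treatment.TREAT, ["A.8.1", "A.8.24"], 2, 3)   # 12 -> 6
    treat(register[1], Treatment.TREAT, ["A.8.13"], 3, 2)            # 15 -> 6
    treat(register[2], Treatment.TOLERATE)                            # 3, within appetite
    treat(register[3], Treatment.TRANSFER, ["A.5.31"], 2, 2)          # 10 -> 4, outsourced
    return register
```

Call `build_example_register()` and then `ranked`, `open_risks`, `risk_treatment_plan` and `statement_of_applicability` on the result. Two checks matter more than the arithmetic: `treat` refuses to tolerate a risk that is above appetite, so acceptance cannot silently replace treatment, and `open_risks` stays non-empty until every risk has been brought within appetite or explicitly terminated, which is what step 7 keeps coming back to. The SoA also carries a justification for controls that are not applied, because an auditor will ask for one.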

Streamline the risk assessment process

Companies starting out with an information security programme often resort to spreadsheets when tackling risk assessments, usually because they see them as a cost-effective tool for getting the results they need. There are, however, a number of reasons spreadsheets aren’t the best way to go.

Excel was built for accountants, and although business professionals have trusted it for more than 20 years, it wasn’t designed to deliver a risk assessment.

Fully aligned with ISO 27001, vsRisk™ streamlines the information risk assessment process and helps you produce consistent, robust and reliable risk assessments year-on-year.

vsRisk is a database-driven solution for conducting an asset-based or scenario-based information security risk assessment. It is proven to simplify and speed up the risk assessment process by reducing its complexity and cutting associated costs.
