Risk assessments are at the core of any organisation’s ISO 27001 compliance project.
They are essential for ensuring that your ISMS (information security management system) – which is the result of implementing the Standard – addresses the threats comprehensively and appropriately.
What is an information security risk assessment?
In the context of information risk management, a risk assessment helps organisations assess and manage incidents that have the potential to cause harm to your sensitive data.
The process involves identifying hazards – whether they are vulnerabilities that a cyber criminal could exploit or mistakes that employees could make.
You then determine the level of risk they present and decide on the best course of action to prevent them from happening.
So, how should you get started?
How to conduct an ISO 27001 risk assessment
Risk assessments can be daunting, but we’ve simplified the process into seven steps:
1. Define your risk assessment methodology
ISO 27001 doesn’t prescribe a single, set way to perform a risk assessment. Instead, you should tailor your approach to the needs of your organisation.
To do this, you need to review certain things. First, you should look at your organisation’s context.
This consists of your legal, regulatory and contractual obligations, your objectives both concerning information security and business more widely, and the needs and expectations of its stakeholders.
Next, you should look at the risk criteria. This is an agreed way of measuring risks, usually according to the impact they will cause and the likelihood of them occurring.
These need to be clearly defined and widely understood so that any two risk assessments produce comparable results.
Finally, you need to determine your risk acceptance criteria. You can’t eradicate every risk you face, so you must decide the level of residual risk you are willing to leave unaddressed.
2. Compile a list of your information assets
ISO 27001 gives organisations the choice of evaluating through an asset-based approach (in or a scenario-based approach.
Although each have their pros and cons, we generally recommend taking an asset-based approach – in part because you can work from an existing list of information assets.
This includes hard copies of information, electronic files, removable media, mobile devices and intangibles, such as intellectual property.
3. Identify threats and vulnerabilities
Once you’ve created your list of information assets, it’s time to determine the risks associated with them.
For example, when analysing work-issued laptops, one of the risks you highlight will be the possibility of them being stolen. Another will be that, when in a public place, employees might use an insecure Internet connection or someone might see sensitive information on their screen.
4. Evaluate risks
Some risks are more severe than others, so at this stage, you need to determine which ones you need to be most concerned about.
This is where your risk criteria come in handy. It provides a guide that helps you compare risks by assigning a score to the likelihood of it occurring and the damage it will cause.
By evaluating the risks in this way, you get a consistent and comparable assessment of the threats your organisations face.
ISO 27001 doesn’t state how you should score risks – whether that’s high to low, 1 to 5, 1 to a 100 or otherwise. It doesn’t matter as long as everyone responsible for evaluating risks uses the same approach.
5. Mitigate the risks
There are four ways that organisations can treat risks:
- Modify the risk by applying security controls that will reduce the likelihood of it occurring and/or damage it will cause.
- Retain the risk – accept that it falls within previously established risk acceptance criteria, or via extraordinary decisions.
- Avoid the risk by changing the circumstances that are causing it.
- Share the risk with a partner, such as an insurance firm or a third party that is better equipped to manage the risk.
ISO 27001 requires all risks to have an owner who will be responsible for approving any risk treatment plans and accepting the level of residual risk. The person who owns risk treatment activities may be different from the asset owner.
6. Compile risk reports
Next comes the documentation process, which is necessary for audit and certification purposes.
Clause 6.1.3 of the Standard states an SoA must:
- Identify which controls an organisation has selected to tackle identified risks;
- Explain why these have been selected;
- State whether or not the organisation has implemented the controls; and
- Explain why any controls have been omitted.
Every control should have its own entry, and in cases where the control has been selected, the SoA should link to relevant documentation about its implementation.
7. Review, monitor and audit
ISO 27001 requires your organisation to continually review, update and improve the ISMS to make sure it is working as its intended.
You will need to repeat the assessment process annually to make sure you’ve accounted for changes in the way your organisation operates and for the changing threat environment.
You should also use the opportunity to look for ways in which your ISMS can be improved. This might involve using a different control to address a risk or by switching to a different risk treatment option altogether.
Learn more about risk assessments
You can find out more about each of these steps in our free green paper: Risk Assessment and ISO 27001. It explains:
- The relationship between ISO 27001 and ISO 31000, the international standard that describes best practices for risk management;
- Things to avoid when performing a risk assessment;
- The importance of risk assessments to the ISO 27001 Statement of Applicability; and
- How to make your risk assessments as cost-effective as possible.
Those looking for hands-on help conducting a risk assessment should take a look at our risk assessment software, vsRisk™.
It provides a fast and straightforward way to identify relevant threats and delivers repeatable, consistent assessments year after year.
Its integrated risk, vulnerability and threat database eliminate the need to compile a list of potential risks, and the built-in control measures help you comply with multiple frameworks.
A version of this blog was originally published on 19 September 2017.