For those new to information security risk assessments, the most robust approach is an asset-based methodology: you identify your information assets and assess the risks to each one in turn. Information assets include paper-based documents and files, intellectual property, digital information, CDs and other storage devices, and the laptops and hard drives that hold them.
Start with the asset register
The logical starting point is your asset register. If you do not have one, draw up a list of every asset that stores, processes or otherwise affects your information. This is usually done through a series of interviews with the asset owners in your organisation.
Threats and vulnerabilities
The next step is to identify the risks – or combinations of threats and vulnerabilities – that can affect those assets.
ISO/IEC 27000 defines a threat as the “potential cause of an unwanted incident, which may result in harm to a system or organization”.
It defines a vulnerability as a “weakness of an asset or control that can be exploited by one or more threats”.
Not an easy task
By systematically pairing each identified asset with the threats that could act on it and the vulnerabilities those threats could exploit, you arrive at the set of risks that apply to that asset. As you can imagine, this is time-consuming. Not only must you think up the scenarios that could affect your office, desktops, laptops, staff and so on, but you must also estimate how likely each one is. For each risk you then rate the impact and the likelihood (or whatever other risk criteria your methodology uses) and combine them into a risk level. That level is what tells you whether the risk falls within your risk acceptance criteria or threshold, and so whether it needs treatment.
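The procedure above, from asset register through threat/vulnerability pairing to a risk register checked against an acceptance threshold, as an added worked example. This is illustration code written for this page, not vsRisk or any other tool's logic; the 1..5 scales, the likelihood rule (ceiling of the average of threat frequency and vulnerability exposure), the likelihood x impact scoring, the threshold of 12 and the sample assets, threats and vulnerabilities are all constructed assumptions.

```python
"""Asset-based risk register: pair every asset with the threats that can act on
it and the vulnerabilities those threats can exploit, score each pairing as
likelihood x impact, and flag anything above the risk acceptance threshold.
All scales and sample data below are assumptions made for this example."""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str
    kind: str          # "laptop", "paper", "usb", ...
    value: int         # business value on an assumed 1..5 scale; drives impact


@dataclass(frozen=True)
class Threat:
    name: str
    applies_to: frozenset   # asset kinds this threat can act on
    frequency: int          # how often the threat materialises, 1..5


@dataclass(frozen=True)
class Vulnerability:
    name: str
    applies_to: frozenset   # asset kinds that can carry this weakness
    exploited_by: frozenset # threat names able to exploit it
    exposure: int           # how easily it is exploited, 1..5


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def rate_likelihood(threat: Threat, vuln: Vulnerability) -> int:
    # Assumed rule: ceiling of the average of frequency and exposure, kept in 1..5.
    # Integer arithmetic avoids Python's round-half-to-even surprises.
    return max(1, min(5, (threat.frequency + vuln.exposure + 1) // 2))


def build_risk_register(assets, threats, vulns):
    """One Risk per (asset, threat, vulnerability) triple where the threat can act
    on the asset's kind, the vulnerability can exist on that kind, and the threat
    is one that actually exploits that vulnerability."""
    register = []
    for asset, threat, vuln in product(assets, threats, vulns):
        if asset.kind not in threat.applies_to or asset.kind not in vuln.applies_to:
            continue
        if threat.name not in vuln.exploited_by:
            continue
        register.append(Risk(asset.name, threat.name, vuln.name,
                             rate_likelihood(threat, vuln), asset.value))
    return register


def risks_needing_treatment(register, threshold: int):
    """Risks whose score exceeds the acceptance threshold, highest first."""
    return sorted((r for r in register if r.score > threshold),
                  key=lambda r: -r.score)


# Constructed sample data (not from any real register).
ASSETS = [
    Asset("Sales laptop", "Head of Sales", "laptop", 4),
    Asset("HR personnel files (paper)", "HR Manager", "paper", 5),
    Asset("Backup USB drive", "IT Manager", "usb", 3),
]
THREATS = [
    Threat("theft", frozenset({"laptop", "paper", "usb"}), 3),
    Threat("loss in transit", frozenset({"laptop", "usb"}), 4),
    Threat("fire", frozenset({"paper"}), 1),
]
VULNS = [
    Vulnerability("no disk encryption", frozenset({"laptop", "usb"}),
                  frozenset({"theft", "loss in transit"}), 5),
    Vulnerability("unlocked filing cabinet", frozenset({"paper"}),
                  frozenset({"theft"}), 4),
    Vulnerability("no fire-resistant storage", frozenset({"paper"}),
                  frozenset({"fire"}), 3),
]
RISK_ACCEPTANCE_THRESHOLD = 12   # assumed: scores up to 12 are accepted


if __name__ == "__main__":
    register = build_risk_register(ASSETS, THREATS, VULNS)
    for r in register:
        print(f"{r.score:>3}  {r.asset} / {r.threat} / {r.vulnerability}")
    print("needs treatment:",
          [r.asset for r in risks_needing_treatment(register, RISK_ACCEPTANCE_THRESHOLD)])
```

Swap the sample lists for your own register and threat/vulnerability catalogues, and adjust `rate_likelihood` and the threshold to match the criteria your methodology actually uses; the filtering in `build_risk_register` is what keeps the register from exploding into every asset x threat x vulnerability combination, which is the part that makes the manual version so slow.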
Faster alternatives to spreadsheets
Although some risk assessors still use spreadsheets for this task, there are many software tools on the market that speed up the process dramatically.
One such tool is vsRisk. vsRisk includes built-in threat and vulnerability databases, so you select applicable threats and vulnerabilities from a comprehensive list rather than drafting them from scratch, and it lets you import your assets from an Excel spreadsheet.
In addition, vsRisk includes a sample risk assessment, letting you see which risks have been applied to which assets, as well as which controls from ISO 27001:2013 have been applied to those risks.
For those conforming to ISO 27001, vsRisk is good news. The tool includes all of the ISO 27001:2013 controls as well as six other control sets (such as the PCI DSS and NIST SP 800-53), and produces an audit-ready Statement of Applicability once the assessment is complete.
In addition, once you have identified vulnerabilities that need to be addressed, vsRisk integrates with the ISO 27001 Documentation Toolkit. This provides a full set of policies, procedures and other templates that you can customise and apply as documented evidence that a control has been implemented; an asset disposal policy is one example.
vsRisk is packed with powerful features and facilitates compliance with ISO 27001:2013.