A risk assessment is the process of identifying, analysing and evaluating risk. Carrying out a risk assessment is the only way to ensure that the cyber security controls chosen for your organisation are appropriate to the risks it may face.
Without a risk assessment to inform your cyber security choices, you could be wasting time, effort and resources defending against events that are unlikely to occur or won’t have much impact on your organisation.
The assessment and management of information security risks is at the core of ISO 27001, the international standard that describes best practice for an ISMS (information security management system).
What does a cyber security risk assessment include?
A cyber security risk assessment identifies the information assets that could be affected by a cyber attack, such as hardware, laptops, systems, intellectual property and customer data. It then identifies the risks that could affect each of these assets.
Risks are estimated and evaluated, and controls are then selected to treat the identified risks. It is vital to monitor and review your organisation’s risk environment frequently, so that changes in the organisation’s context are detected and oversight of the whole risk management process is maintained.
How to conduct an effective ISO 27001 risk assessment
There are five main steps when conducting an ISO 27001 risk assessment:
1. The first step is to establish a risk management framework. These are the rules that govern how your organisation identifies risks, who each risk is assigned to, and how risks are assessed for their impact on the confidentiality, integrity and availability of the organisation’s information. The rules also set the method for estimating impact and the likelihood of the risk actually occurring. A formal risk assessment methodology has four elements that must be defined and approved by top management: the baseline security criteria, the risk scale, the risk appetite, and the decision to follow a scenario-based or asset-based risk assessment methodology.
2. The second step is to identify the risks that could affect the confidentiality, integrity and availability of information.
3. Impact and likelihood values are then assigned to each risk according to the risk criteria. Impact types could include human, financial, legal, regulatory, reputational and operational. Likelihood factors could include frequency of occurrence, previous occurrence, current levels of security control, size of attack group and knowledge of vulnerability.
4. Once the risks have been analysed, they are evaluated to establish where each sits relative to your risk appetite. You can then decide the appropriate way to treat each risk, which enables your organisation to quickly identify the highest risks and produce a prioritised list of risks to address.
5. Lastly, select the risk treatment options. There are several ways to treat a risk:
- Avoiding the risk by ending the activity or circumstance that is causing the risk.
- Modifying the risk by applying security controls to reduce likelihood or vulnerability.
- Sharing the risk by insuring or outsourcing it. You would typically still suffer the impact, but you share the risk with a party better able to mitigate it.
- Retaining the risk if it falls within your risk acceptance criteria.
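The five steps above can be followed through on a small risk register. The Python below is an added example written for this article; it is not vsRisk code or any ISO 27001 artefact. The five-point impact and likelihood scales, the risk appetite of 6 (score = impact x likelihood), the register entries and the residual values after treatment are all constructed for illustration. It shows the framework scales (step 1), a register of assets and threats (step 2), scoring (step 3), prioritisation against appetite (step 4), and a check that the chosen treatments (avoid, modify, share, retain) actually bring every risk within appetite (step 5).

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional, Tuple


# Step 1: the framework fixes the scales and the risk appetite.
# Constructed 5-point scales; not prescribed by ISO 27001.
class Impact(IntEnum):
    NEGLIGIBLE = 1
    MINOR = 2
    MODERATE = 3
    MAJOR = 4
    SEVERE = 5


class Likelihood(IntEnum):
    RARE = 1
    UNLIKELY = 2
    POSSIBLE = 3
    LIKELY = 4
    ALMOST_CERTAIN = 5


# Constructed risk appetite: a score (impact x likelihood) of 6 or below is acceptable.
RISK_APPETITE = 6

# The four treatment options named in the article.
TREATMENTS = ("avoid", "modify", "share", "retain")


@dataclass
class Risk:
    asset: str
    threat: str                      # event affecting confidentiality, integrity or availability
    impact: Impact
    likelihood: Likelihood
    treatment: str = "retain"
    residual_impact: Optional[Impact] = None          # expected value after treatment
    residual_likelihood: Optional[Likelihood] = None

    def score(self) -> int:
        """Step 3: inherent risk score from the framework's scales."""
        return int(self.impact) * int(self.likelihood)

    def residual_score(self) -> int:
        """Step 5: risk remaining once the chosen treatment is applied."""
        if self.treatment == "avoid":
            return 0  # the activity is stopped, so the risk no longer arises
        impact = self.residual_impact or self.impact
        likelihood = self.residual_likelihood or self.likelihood
        return int(impact) * int(likelihood)


def prioritise(risks: List[Risk]) -> List[Tuple[str, str, int]]:
    """Step 4: rank risks by inherent score so the highest are addressed first."""
    ordered = sorted(risks, key=lambda r: r.score(), reverse=True)
    return [(r.asset, r.threat, r.score()) for r in ordered]


def treatment_plan_issues(risks: List[Risk], appetite: int = RISK_APPETITE) -> List[str]:
    """Flag entries a reviewer would reject: an unknown treatment, a risk above
    appetite that is simply retained, or a treatment that still leaves residual
    risk above appetite."""
    issues = []
    for r in risks:
        label = f"{r.asset} / {r.threat}"
        if r.treatment not in TREATMENTS:
            issues.append(f"{label}: unknown treatment '{r.treatment}'")
        elif r.treatment == "retain" and r.score() > appetite:
            issues.append(f"{label}: score {r.score()} exceeds appetite {appetite} but is retained")
        elif r.residual_score() > appetite:
            issues.append(f"{label}: residual score {r.residual_score()} still exceeds appetite {appetite}")
    return issues


# Step 2: a constructed register (assets, threats and values are invented for the example).
REGISTER = [
    Risk("customer database", "ransomware encrypts records",
         Impact.MAJOR, Likelihood.LIKELY, "modify",
         residual_impact=Impact.MODERATE, residual_likelihood=Likelihood.UNLIKELY),  # 16 -> 6
    Risk("staff laptops", "theft of an unencrypted device",
         Impact.MODERATE, Likelihood.POSSIBLE, "modify",
         residual_impact=Impact.MINOR),                                               # 9 -> 6
    Risk("payment processing", "card data breach",
         Impact.SEVERE, Likelihood.UNLIKELY, "share",
         residual_impact=Impact.MINOR),                                               # 10 -> 4
    Risk("legacy FTP server", "cleartext credentials exposed on the network",
         Impact.MAJOR, Likelihood.LIKELY, "avoid"),                                   # 16 -> 0
    Risk("public website", "defacement",
         Impact.MINOR, Likelihood.POSSIBLE),                                          # 6, retained
    Risk("HR files", "accidental disclosure by staff",
         Impact.MODERATE, Likelihood.POSSIBLE),                                       # 9, retained: flagged
]


if __name__ == "__main__":
    for asset, threat, score in prioritise(REGISTER):
        print(f"{score:>3}  {asset}: {threat}")
    for issue in treatment_plan_issues(REGISTER):
        print("ISSUE:", issue)
```

The consistency check is the part worth keeping in a real review: every risk above appetite needs a treatment other than "retain", and a treatment only counts if the estimated residual risk falls back within appetite. Tightening or loosening RISK_APPETITE changes which entries are flagged, which is exactly the management decision step 1 asks top management to approve.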
vsRisk™ is an information security risk assessment software tool created by industry-leading ISO 27001 experts. vsRisk saves 80% of the time spent on risk assessments and gives you auditable results year on year.
Fully compliant with ISO 27001, vsRisk streamlines the risk assessment process, delivering consistent and repeatable cyber security risk assessments every time.