How to write an ISO 27001-compliant risk assessment procedure

As part of your ISO 27001 certification project, your organisation will need to prove its compliance with appropriate documentation.

ISO 27001 says that you must document your information security risk assessment process.

Key elements of the ISO 27001 risk assessment procedure

Clause 6.1.2 of the Standard states that organisations must “define and apply” a risk assessment process.

An information security risk assessment is a formal, top management-driven process and sits at the core of an ISO 27001 information security management system (ISMS).

There are five simple steps that you should take to conduct a successful risk assessment:

  1. Establish a risk management framework
  2. Identify risks
  3. Analyse risks
  4. Evaluate risks
  5. Select risk treatment options

The risk assessment process determines the controls that have to be deployed in your ISMS. It leads to the Statement of Applicability, which identifies the controls that you are deploying in light of your risk assessment process.

Our bestselling book, Nine Steps to Success – An ISO 27001 Implementation Overview, provides more information on the topic of risk management.

Conducting a risk assessment

For an ISO 27001 risk assessment to be successful, it needs to reflect the organisation’s view on risk management – and it must produce “consistent, valid and comparable results”.

The risk assessment procedure should be detailed, and describe who is responsible for each task, when they must be completed and in what order.

This can be a daunting task for many. Inexperienced assessors often rely on spreadsheets, spending hours interviewing people in their organisation, exchanging documents and methodologies with other departments and filling in data. After all that, they’ll probably realise how inconvenient spreadsheets are. For example:

  • They are prone to user error;
  • They are hard to maintain;
  • It’s difficult to find relevant data in multiple tabs; and
  • They don’t automatically conform to ISO 27001

It doesn’t have to be like this. The risk assessment software vsRisk Cloud provides a simple and fast way to identify relevant threats, and deliver repeatable, consistent assessments year after year.

Find out more about vsRisk Cloud

Its asset library assigns organisational roles to each asset group, applying relevant potential threats and risks by default.

Additionally, its integrated risk, vulnerability and threat databases eliminate the need to compile a list of potential risks, and the built-in control sets help you comply with multiple frameworks.

 

Learn more


A version of this blog was originally published on 11 January 2018.