The ISO 27001 implementation and review processes revolve around risk assessments. This is where organisations identify the risks to their information security and determine which of the Standard’s controls they must implement to treat them.
The process begins by defining a methodology, i.e. a documented set of rules for how risks are identified, analysed and evaluated. Some organisations skip this step and go straight into the assessment, but this jeopardises their compliance posture: the Standard requires the risk assessment process to produce consistent, valid and comparable results. Without a documented methodology, organisations have no consistent way of measuring risks and therefore cannot compare the risks identified in one part of the organisation with those identified in another.
What does a risk assessment methodology do?
The main aim of an ISO 27001 risk assessment methodology is to make sure everybody in your organisation measures risk in the same way. For example, it states whether the assessment will be qualitative (risks rated on descriptive scales such as low/medium/high) or quantitative (risks expressed in numbers, such as estimated financial loss). Without that decision, one department’s assessment report might be full of interviews with staff and historical data, while another’s would simply give numbers on a scale.
This would make your results almost useless, because there would be no way to compare them without doing further work.
Methodologies also outline specific terms for an organisation’s:
- Baseline security criteria: the minimum level of protection that applies to every asset or process regardless of its assessed risk;
- Risk scale: a single scale for rating likelihood and impact, so that risk levels from different parts of the organisation can be compared directly;
- Risk appetite: the level of risk the organisation is willing to accept, i.e. the threshold above which a risk must be treated rather than simply accepted; and
- Scenario- or asset-based risk identification: whether risks are identified by working through each information asset and the threats and vulnerabilities that affect it, or by describing incident scenarios and assessing the damage each would cause.
What methodology should you use?
ISO 27001 doesn’t prescribe a particular methodology, because every organisation has its own requirements and preferences. It only requires that whichever approach you choose is documented and applied consistently.
This can make defining your methodology a daunting process, but fortunately you don’t have to work everything out by yourself. IT Governance’s ISO 27001 ISMS Documentation Toolkit provides templates for the documents you need to meet the Standard’s requirements. It sets out everything you must document in your risk assessment process, which will help you understand what your methodology should include.