ISO 27001 Risk Assessments

The assessment and management of information security risks is at the core of ISO 27001.

Section 6.1.2 of the ISO/IEC 27001 standard states the ISO 27001 risk assessment procedure must:

• Establish and maintain specific information security risk criteria.
• Ensure that repeated risk assessments “produce consistent, valid and comparable results”.
• Identify risks associated with the loss of confidentiality, integrity and availability of information within the information security management system’s scope.
• Identify the owners of those risks.
• Analyse and evaluate information security risks according to specific criteria.

A risk assessment process that meets the requirements of ISO 27001:2013 should have five steps:

Establish a risk management framework: These are the rules governing how you intend to identify risks, to whom you will assign risk ownership, how the risks impact the confidentiality, integrity and availability of the information and the method of calculating the estimated impact and likelihood of the risk occurring. A formal risk assessment methodology needs to address four issues and should be approved by top management:

• Baseline security criteria
• Risk scale
• Risk appetite
• Scenario- or asset-based risk assessment

Identify risks: Identifying the risks that can affect the confidentiality, integrity and availability of information is the most time-consuming part of the risk assessment process. GRC Solutions recommends following an asset-based risk assessment process. Developing a list of information assets is a good place to start. It will be easiest to work from an existing list of information assets that includes hard copies of information, electronic files, removable media, mobile devices and intangibles, such as intellectual property.

Analyse risks: Identify the threats and vulnerabilities that apply to each asset. For instance, the threat could be ‘theft of mobile device’, and the vulnerability could be ‘lack of formal policy for mobile devices’. Assign impact and likelihood values based on your risk criteria.

Evaluate risks: You need to weigh each risk against your predetermined levels of acceptable risk and prioritise which risks need to be addressed in which order.

Select risk treatment options: There are four suggested ways to treat risks:

1. ‘Avoid’ the risk by eliminating it.
2. ‘Modify’ the risk by applying security controls.
3. ‘Share’ the risk to a third party (through insurance or outsourced).
4. ‘Retain’ the risk (if the risk falls within established risk acceptance criteria).

Compiling risk reports based on the risk assessment

ISO 27001 requires the organisation to produce reports based on the risk assessment for audit and certification purposes. The following two reports are the most important:

• Statement of Applicability (SoA) – The SoA should create a list of all controls as recommended by Annex A of ISO/IEC 27001:2013, together with a statement of whether or not the control has been applied and a justification for its inclusion or exclusion.

• Risk treatment plan (RTP) – The RTP describes how the organisation plans to deal with the risks identified in the risk assessment.

ISO 27001 requires the organisation to continually review, update and improve the information security management system (ISMS) to ensure it is functioning optimally and adjusting to the constantly changing threat environment.

One aspect of reviewing and testing is an internal audit. This requires the ISMS manager to produce a set of reports that provide evidence that risks are being adequately treated.

An even more effective way for the organisation to obtain the assurance that its ISMS is working as intended is by obtaining accredited certification.

Speak to us about our internal audit service

An ISMS is based on the outcomes of a risk assessment. Businesses need to produce a set of controls to minimise identified risks.

Controls recommended by ISO 27001 are not only technological solutions but also cover people and organisational processes. There are 114 controls in Annex A covering the breadth of information security management, including physical access control, firewall policies, security staff awareness programmes, procedures for monitoring threats, incident management processes and encryption.

• A.5 Organisational controls
• A.6 People controls
• A.7 Physical controls
• A.8 Technological controls

Risk assessments are conducted across the whole organisation. They cover all the possible risks to which information could be exposed, balanced against the likelihood of those risks materialising and their potential impact. Once the risk assessment has been conducted, the organisation needs to decide how to manage and mitigate those risks, based on allocated resources and budget.