Expert Insight into Pragmatic ISO 27001 Risk Assessments

Keeping it simple

Andrew Pattison has 30 years’ experience in information security and risk management, having worked in GRC (governance, risk and compliance) since 1994. He holds an MSc in Information Systems Management, as well as CISM® and CRISC® certifications.

Now, he’s the head of GRC consultancy at IT Governance Europe, where, among other responsibilities, he leads our ISO 27001 training courses.

In our previous interview, Andrew said: “Contrary to common belief, ISO 27001 is not prescriptive – it is pragmatic.”

We asked him to elaborate.


Why does ISO 27001 tend to be pragmatic, and why do most people not realise this?

Most people don’t truly understand that, fundamentally, ISO 27001 takes a risk-based approach.

That misunderstanding is probably fuelled by the typical approach taken by ISMS implementers, who often prioritise certification. To be clear: that doesn’t mean they’re not looking at risk, but in their desire to help the organisation achieve ISO 27001 certification, they may well give the impression that the Standard’s clauses are very rigid by saying things like ‘you must do X to get certified’.

What would be the alternative to this rigid approach?

You could simply go through the organisation’s SoA [Statement of Applicability] and, based on risk, exclude controls not applicable to you. Or you can write your own controls, if needed, to properly address your risks.

But, as a rule, implementers don’t tend to do this. They instead opt for that ‘you must do X’ approach because, in their minds, this guarantees certification. It’s what previously worked for them. This is the typical way of doing their job: trying to get the result that their organisation or client wants.

Not all organisations implement an ISMS based on that risk-based principle, because they’re aware of, ironically, the risk of an external auditor looking less favourably on taking such an approach – even if they shouldn’t, based on the Standard’s own requirements.

However, auditors audit against the requirements of the Standard and your ISMS. As such, your control selection can be based on risk, so long as you can justify why you excluded any controls.

Do you have any tips on risk assessment and taking a risk-based approach to implementation?

First, be clear on what a risk is:

  1. You have to have a vulnerability.
  2. There has to be a threat to that vulnerability.
  3. Somebody or something has to be willing to exploit that vulnerability.

For a risk to materialise, you need all three – it’s not just about having a vulnerability, but also about whether a threat could and would exploit it.

Furthermore, people tend to worry about obscure risks that don’t have a history of causing problems. Even if someone could think of an instance where it did cause one, there probably wasn’t much the organisation could’ve realistically done about it anyway.

It’s not that these aren’t risks – they are, but if you can’t think of an example of that risk materialising in the real world, then you’re better off worrying about something else.

Organisations often fret over niche technical risks or vulnerabilities, which I think is at least partially driven by vendors or journalists sensationalising them. But the organisation then fails to worry about the fact that they’re not, for example, rolling out staff awareness training to their hundreds or even thousands of employees. Awareness training is something you can actually do something about, and very cost-effectively, too.

You can’t be driven by the news. Organisations must look at their own risk profile. Forget about the exciting stuff – you’ll be better off by keeping it simple. And it costs less, too!

How can organisations keep their risk assessments simple and manageable?

I favour very simple risk matrices and other approaches to risk. ISO 27005 is very good at this – its essence is very simple, though it can still be made more complicated than necessary.

I always try to pull things back to being simple. The only two things you’re really trying to figure out are:

  1. What do I actually need to worry about?
  2. How do I address those worries?

If you can answer those questions in, say, six or seven risk assessments – brilliant. You really don’t need to be doing 200 complicated things, because that won’t tell you what you need to know.

I’ve seen organisations getting very mathematical with their risk measurements and producing very complicated risk statements. When I then ask what that actually tells them about their risks, and how they manage them, I often hear ‘I don’t know’.

Organisations need to be able to point at something and say: ‘That’s what I need to focus on. That’s where my real risk lies, which I really need to do something about. Everything else is just noise.’

But people can only do this if they keep it simple. And that’s easier said than done, because every time you properly look at and address your risks, that tends to push you into making things more complicated. That’s just the nature of these processes.

So, when I’m working with clients, I do my best to push them back to the basics, and help them make things as simple as possible.
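As an added example (not part of the interview, and not Andrew’s own template), the following Python risk register applies the three-part test from the earlier answer and a plain 5×5 likelihood/impact matrix, then splits the register into the handful of items to focus on and the rest. The scales, the rating bands, the threshold and the sample entries are all assumptions made for illustration; a real register would use the organisation’s own objectives and appetite.

```python
from dataclasses import dataclass

# Assumed 5-point scales and bands for illustration; not taken from ISO 27005.
LEVELS = (1, 2, 3, 4, 5)   # 1 = very low ... 5 = very high
FOCUS_THRESHOLD = 8        # likelihood x impact at or above this is worth acting on


@dataclass(frozen=True)
class Risk:
    name: str
    objective: str        # business objective the risk threatens
    vulnerability: bool   # 1. is there a weakness?
    threat: bool          # 2. is there a threat to that weakness?
    actor_willing: bool   # 3. would somebody or something actually exploit it?
    likelihood: int       # 1..5
    impact: int           # 1..5
    seen_in_wild: bool    # can you name a real-world case of it materialising?


def is_real_risk(r: Risk) -> bool:
    """All three elements must be present; otherwise it is not a risk to assess."""
    return r.vulnerability and r.threat and r.actor_willing


def score(r: Risk) -> int:
    """One cell of the 5x5 matrix: likelihood multiplied by impact."""
    if r.likelihood not in LEVELS or r.impact not in LEVELS:
        raise ValueError(f"{r.name}: likelihood and impact must be in {LEVELS}")
    return r.likelihood * r.impact


def rating(s: int) -> str:
    """Coarse bands for the matrix; adjust to the organisation's risk appetite."""
    if s >= 15:
        return "high"
    if s >= FOCUS_THRESHOLD:
        return "medium"
    return "low"


def prioritise(risks, threshold: int = FOCUS_THRESHOLD):
    """Drop non-risks, rank the rest, and split them into 'focus' and 'noise'."""
    real = [r for r in risks if is_real_risk(r)]
    # A known real-world example breaks ties between equal scores.
    ranked = sorted(real, key=lambda r: (score(r), r.seen_in_wild), reverse=True)
    focus = [r for r in ranked if score(r) >= threshold]
    noise = [r for r in ranked if score(r) < threshold]
    return focus, noise


# Constructed sample register, for illustration only.
REGISTER = [
    Risk("Staff fall for phishing", "Keep customer data confidential",
         True, True, True, likelihood=4, impact=4, seen_in_wild=True),
    Risk("Key file server unavailable", "Process orders every working day",
         True, True, True, likelihood=3, impact=5, seen_in_wild=True),
    # Fails the three-part test: nobody is realistically going to exploit it.
    Risk("Exotic side-channel on one lab workstation", "Keep customer data confidential",
         True, True, False, likelihood=1, impact=3, seen_in_wild=False),
    Risk("Visitor tailgates into reception", "Keep customer data confidential",
         True, True, True, likelihood=2, impact=2, seen_in_wild=True),
]


def focus_names(risks=REGISTER):
    """Names of the risks worth acting on, highest score first."""
    focus, _ = prioritise(risks)
    return [r.name for r in focus]


if __name__ == "__main__":
    focus, noise = prioritise(REGISTER)
    print("Focus on:")
    for r in focus:
        print(f"  {r.name}: {score(r)} ({rating(score(r))}) -> {r.objective}")
    print("Noise:", [r.name for r in noise])
```

Each entry is tied to a business objective, so the output doubles as the justification for the controls that follow; the side-channel item never reaches the matrix at all because it fails the three-part test, and the low-scoring item is kept on the register but parked as noise.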

What else do you do when working with a client on their ISO 27001 risk assessment?

My mindset is that I’m not there to do the assessment for the client. Rather, I guide them through the process so that they can complete the assessment for themselves. Because I don’t know what their risks are! Risk is personal – it’s about linking risks back to the ISMS and business objectives.

If you define your business objectives, then ask yourself what the business risks are of those objectives not being fulfilled from an IT point of view – for example, because a key server is unavailable – it’s also very easy to justify your controls. You might say that they justify themselves.

Why do you feel so strongly about actively involving the client in the risk assessment process?

I technically could do the risk assessment on the client’s behalf on my own, and make it look good on paper.

But that would be about as useful as a chocolate teapot – looks nice to start with, but ultimately of little real use. Having a third party conduct your risk assessment doesn’t enable you to understand your own risks.

Interviewer note: This ties in well with an interview I conducted earlier this week with Group CEO Alan Calder. He said: “ISO 27001 isn’t just a security investment. It’s a business investment with long-term business benefits that go far beyond preventing the bad press associated with a breach.”


Keen to reduce errors and improve completeness of your risk management processes?

CyberComply is a Cloud-based, end-to-end solution that simplifies compliance with a range of cyber security and data privacy standards and laws, including ISO 27001.

This SaaS platform will help you manage all your cyber security and data privacy obligations in one place. You’ll gain immediate visibility into critical data and key performance indicators, and stay ahead of regulatory changes.


We hope you enjoyed this edition of our ‘Expert Insight’ series. We’ll be back next week, chatting to another expert within the Group.

In the meantime, if you missed it, check out Wednesday’s interview, where Alan Calder gave us his expert insights into ISO 27001 and its business and regulatory value.
