What is an ISO 27001 risk assessment and how should you report on it?

An ISO 27001 risk assessment helps organisations identify, analyse and evaluate weaknesses in their information security processes. It’s a core part of ISO 27001 compliance, informing organisations’ decisions regarding the risks that must be addressed and how they should be tackled.

Getting the risk assessment process right is obviously important, but you must remember that it’s only the first step towards effective security. Once you’ve completed the assessment, you must report on your findings and implement a plan of action.

Risk assessment reports

You must produce several reports based on your risk assessment for audit and certification processes. The following two are the most important:

  • SoA (Statement of Applicability)

An SoA documents the relevance of each of ISO 27001’s controls to your organisation. It should contain a list of controls that you will or won’t implement, along with an explanation of why they have or haven’t been selected. (Remember, you only need to apply a control if it will mitigate a risk that you’ve identified.)

You should also state your level of progress in implementing the control. This could be a simple ‘done/not done’ checkbox, or you could go into more detail, explaining whether you have a plan, are waiting for further guidance, have begun work, and so on.

Lastly, you must explain why any omitted controls were deemed irrelevant.

  • RTP (risk treatment plan)

An RTP provides a summary of each identified risk, the responses that have been designed to deal with the risk, the parties responsible for those risks and the target date for applying the risk treatment.

Dealing with risk doesn’t necessarily mean eliminating it. Depending on the circumstances, you might be better off modifying the risk by applying security controls, sharing the risk with a third party (such as an insurer or another organisation) or retaining the risk (if you decide that the likelihood or severity of the risk doesn’t justify the cost of implementing the relevant controls).

What else should you document?

Additional documents will help when auditing your SoA and RTP. You should consider producing:

  • A risk assessment report, providing an overview of the assessment, including relevant assets, the treatment applied, and the estimated impact and probability of each risk;
  • A risk summary report, detailing the residual risk, i.e. the risks that remain after risk treatment; and
  • A comments report, attached to your risk assessment, to explain your decisions in more detail.
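The following Python sketch shows how the SoA, RTP and residual risk summary described above can be derived from a single risk register, so that the three documents stay consistent with each other. It is an added example and is not code from the original article or from any ISO 27001 tooling; the control identifiers, risks, owners, target dates and the likelihood × impact scoring scale are all constructed assumptions for illustration.

```python
"""Derive an SoA, an RTP and a residual risk summary from one risk register.

Added illustration, not part of the original article. Control ids (CTRL-n),
risks, owners, dates and the 1..5 likelihood x impact scale are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Dict, List, Optional


class Treatment(Enum):
    MODIFY = "modify"   # reduce the risk by applying security controls
    SHARE = "share"     # transfer part of the risk, e.g. to an insurer
    RETAIN = "retain"   # accept the risk; cost of controls not justified


@dataclass
class Risk:
    name: str
    asset: str
    likelihood: int                 # 1..5 (assumed scale)
    impact: int                     # 1..5 (assumed scale)
    treatment: Treatment
    owner: str                      # party responsible for the treatment
    target_date: date               # when the treatment should be in place
    controls: List[str] = field(default_factory=list)   # controls selected to treat it
    residual_likelihood: Optional[int] = None           # expected value after treatment
    residual_impact: Optional[int] = None

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        # Where no reduction has been recorded (e.g. a retained risk), the
        # residual risk equals the inherent risk.
        lik = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        imp = self.impact if self.residual_impact is None else self.residual_impact
        return lik * imp


def statement_of_applicability(catalogue: Dict[str, str], risks: List[Risk],
                               progress: Optional[Dict[str, str]] = None) -> Dict[str, dict]:
    """A control is applicable only if the treatment of some identified risk uses it.

    `progress` maps control id -> implementation status; anything not listed
    is reported as "not started".
    """
    progress = progress or {}
    referenced: Dict[str, List[str]] = {}
    for r in risks:
        for cid in r.controls:
            referenced.setdefault(cid, []).append(r.name)
    soa = {}
    for cid, title in catalogue.items():
        if cid in referenced:
            soa[cid] = {"title": title, "applicable": True,
                        "justification": "mitigates: " + "; ".join(referenced[cid]),
                        "status": progress.get(cid, "not started")}
        else:
            soa[cid] = {"title": title, "applicable": False,
                        "justification": "no identified risk is mitigated by this control",
                        "status": "n/a"}
    return soa


def risk_treatment_plan(risks: List[Risk]) -> List[dict]:
    """One RTP row per risk: response, controls, owner, target date and scores."""
    return [{"risk": r.name, "asset": r.asset, "treatment": r.treatment.value,
             "controls": list(r.controls), "owner": r.owner,
             "target_date": r.target_date.isoformat(),
             "inherent": r.inherent_score(), "residual": r.residual_score()}
            for r in risks]


def residual_risk_summary(risks: List[Risk], appetite: int) -> List[str]:
    """Names of risks whose residual score still exceeds the stated appetite."""
    return [r.name for r in risks if r.residual_score() > appetite]


# Constructed sample data (not real controls or a real organisation's register).
CONTROLS = {
    "CTRL-1": "Multi-factor authentication for remote access",
    "CTRL-2": "Encrypted off-site backups",
    "CTRL-3": "Clear desk policy",
}
RISKS = [
    Risk("Stolen credentials used to access the VPN", "Remote access gateway", 4, 4,
         Treatment.MODIFY, "IT Security Manager", date(2025, 3, 31), ["CTRL-1"],
         residual_likelihood=1),
    Risk("Ransomware destroys file server data", "File server", 3, 5,
         Treatment.MODIFY, "Infrastructure Lead", date(2025, 6, 30), ["CTRL-2"],
         residual_impact=2),
    Risk("Laptop lost in transit", "Staff laptops", 2, 3,
         Treatment.SHARE, "Finance Director", date(2025, 1, 31), residual_impact=1),
    Risk("Short outage of the internal wiki", "Wiki server", 2, 1,
         Treatment.RETAIN, "IT Operations", date(2025, 1, 31)),
]

if __name__ == "__main__":
    for cid, row in statement_of_applicability(CONTROLS, RISKS, {"CTRL-1": "done"}).items():
        print(cid, row)
    for row in risk_treatment_plan(RISKS):
        print(row)
    print("above appetite:", residual_risk_summary(RISKS, appetite=5))
```

The point of generating all three from one register is that an auditor can trace every "applicable" entry in the SoA back to a named risk in the RTP, and every control marked not applicable carries the justification the article calls for. The residual summary then shows which risks still sit above the organisation's appetite after treatment and therefore need revisiting.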

How secure is your organisation?

Those who want to know how effective their organisation is at identifying and dealing with risks should take our cyber security self-assessment. This short questionnaire asks you about your defence measures and suggests ways for you to become more secure.
