ISO 27001 risk assessments
ISO 27001 is the international standard that sets out the specifications of an information security management system (ISMS), a best-practice approach to addressing information security that encompasses people, processes and technology. The assessment and management of information security risks is at the core of ISO 27001.
How an ISO 27001 risk assessment works
An ISMS is based on the outcomes of a risk assessment. Businesses need to produce a set of controls to minimise identified risks.
Controls recommended by ISO 27001 are not only technological solutions but also cover people and organisational processes. There are 114 controls in Annex A covering the breadth of information security management, including areas such as physical access control, firewall policies, security staff awareness programmes, procedures for monitoring threats, incident management processes and encryption.
Five simple steps to an effective ISO 27001 risk assessment
A risk assessment process that meets the requirements of ISO 27001:2013 should have five steps:
Establish a risk management framework
These are the rules governing how you intend to identify risks, to whom you will assign risk ownership, how the risks impact on the confidentiality, integrity and availability of the information, and the method of calculating the estimated impact and likelihood of the risk occurring. A formal risk assessment methodology needs to address four issues and should be approved by top management:
- Baseline security criteria
- Risk scale
- Risk appetite
- Scenario or asset-based risk assessment
Identifying the risks that can affect the confidentiality, integrity and availability of information is the most time-consuming part of the risk assessment process. IT Governance recommends following an asset-based risk assessment process. Developing a list of information assets is a good place to start. It will be easiest to work from an existing list of information assets that includes hard copies of information, electronic files, removable media, mobile devices and intangibles, such as intellectual property.
Identify the threats and vulnerabilities that apply to each asset. For instance, the threat could be ‘theft of mobile device’, and the vulnerability could be ‘lack of formal policy for mobile devices’. Assign impact and likelihood values based on your risk criteria.
You need to weigh each risk against your predetermined levels of acceptable risk, and prioritise which risks need to be addressed in which order.
Select risk treatment options
There are four risk responses to choose from:
- ‘Terminate’ the risk by eliminating it completely.
- ‘Treat’ the risk by applying security controls.
- ‘Transfer’ the risk to a third party (via outsourcing or insurance).
- ‘Tolerate’ the risk (if it falls within your established risk acceptance criteria).
Compile risk reports
ISO 27001 requires the organisation to produce a set of reports, based on the risk assessment, for audit and certification purposes. The following two reports are the most important:
- Statement of Applicability (SoA) - All organisations seeking ISO 27001 certification must produce a list of all controls from Annex A of the Standard, together with a statement justifying either the inclusion or exclusion of each control.
- Risk treatment plan (RTP) - On the basis of your risk assessment, your risk treatment plan describes how your organisation intends to address the risks identified.
Review, monitor and audit
Continual improvement is a requirement of ISO 27001, which means that organisations need to continually review, update and improve the ISMS (information security management system) to ensure its optimal functioning and efficacy protecting your information assets from external and internal threats.
Internal audit provides one method of continual review. An internal audit produces a set of reports to demonstrate that risks are being appropriately treated.
Controls from Annex A fall into 14 categories:
- A.5 Information security policies.
- A.6 Organisation of information security.
- A.7 Human resources security.
- A.8 Asset management.
- A.9 Access control.
- A.10 Cryptography.
- A.11 Physical and environmental security.
- A.12 Operational security.
- A.13 Communications security.
- A.14 System acquisition, development and maintenance.
- A.15 Supplier relationships.
- A.16 Information security incident management.
- A.17 Information security aspects of business continuity management.
- A.18 Compliance.
Risk assessments are conducted across the whole organisation. They cover all the possible risks to which information could be exposed, balanced against the likelihood of those risks materialising and their potential impact. Once the risk assessment has been conducted, the company needs to decide how it will manage and mitigate those risks, based on allocated resources and budget.
Risk assessment standards
A number of other information security and risk assessment standards support ISO 27001:
- ISO/IEC 27005:2011 – Guidance for information security risk management.
- ISO/IEC 31000:2009 – Risk management principles and guidelines.
- ISO/IEC 31010:2009 – International standard for risk assessment techniques
Free: Risk assessment and ISO 27001 green paper
Download this paper to find out more and unravel some of the issues surrounding the risk assessment process.
Let’s get started on your ISO 27001 risk assessment project
IT Governance has the widest range of affordable risk assessment solutions that are easy to use and ready to deploy.
ISO 27001 risk assessment solutions
Speak to an expert
If you’re looking for guidance or support, we’re here to help. Request a call back from one our ISO 27001 experts or contact our customer service team for further information.