ISO 27001 risk assessments
ISO 27001 is the international standard that sets out the specifications of an information security management system (ISMS), a best-practice approach to addressing information security that encompasses people, processes and technology. The assessment and management of information security risks is at the core of ISO 27001.
How an ISO 27001 risk assessment works
An ISMS is based on the outcomes of a risk assessment. Businesses need to produce a set of controls to minimise identified risks.
Risk assessments are conducted across the whole organisation. They cover all the possible risks that information could be exposed to, balanced against the likelihood of those risks materialising and their potential impact.
Once the risk assessment has been conducted, the company needs to decide how it will manage and mitigate those risks, based on allocated resources and budget.
Seven simple steps to an effective risk assessment
1. Define your risk assessment methodology
These are the rules governing how you intend to identify risks, to whom you will assign risk ownership, how the risk’s impact on the confidentiality, availability and integrity of the information will be measured, and the method of calculating the estimated impact and likelihood of the risk occurring.
2. Compile a list of information assets
An asset-based risk assessment presents a more robust risk assessment process. It will be easiest to work from an existing list of information assets, which includes hard copies of information, electronic files, removable media, mobile devices and intangibles such as intellectual property.
3. Identify threats and vulnerabilities
Identify the threats and vulnerabilities that apply to each asset. For instance, the threat could be ‘theft of mobile device’, and the vulnerability could be ‘lack of formal policy for mobile devices’.
4. Qualify the extent of the risk
Assign impact and likelihood values of the risk coming to pass (based on your risk criteria).
5. Mitigate the risks to reduce them to an agreed, acceptable level
ISO 27001 suggests four ways to treat risks:
- 1. ‘Terminate’ (or avoid) the risk by eliminating it entirely.
- 2. ‘Treat’ the risk by applying security controls.
- 3. ‘Transfer’ the risk to a third party.
- 4. ‘Tolerate’ the risk.
Controls are not just technology
Controls recommended by ISO 27001 are not only technological solutions but also cover people and organisational processes. There are 114 controls in Annex A, covering the breadth of information security management, including such areas as physical access control, firewall policies, security staff awareness programmes, procedures for monitoring threats, incident management processes and encryption.
Controls from Annex A fall into 14 categories:
- A .5 Information security policies.
- A.6 Organisation of information security.
- A.7 Human resources security.
- A.8 Asset management.
- A.9 Access control.
- A.10 Cryptography.
- A.11 Physical and environmental security.
- A.12 Operational security.
- A.13 Communications security.
- A.14 System acquisition, development and maintenance.
- A.15 Supplier relationships.
- A.16 Information security incident management.
- A.17 Information security aspects of business continuity management.
- A.18 Compliance.
6. Compile risk reports
ISO 27001 requires the organisation to produce a set of reports, based on the risk assessment, for audit and certification purposes. The following two reports are the most important:
Statement of Applicability (SoA)
The SoA should set out a list of all controls recommended by Annex A of ISO/IEC 27001:2013, together with a statement of whether or not the control has been applied, and a justification for its inclusion or exclusion.
Risk treatment plan (RTP)
The RTP describes how the organisation plans to deal with the risks identified in the risk assessment.
7. Review, monitor and audit
ISO 27001 requires the organisation to continually review, update and improve the ISMS to make sure it is functioning optimally, and adjusts to the constantly changing threat environment.
One aspect of reviewing and testing is an internal audit. This requires the ISMS manager to produce a set of reports that provide evidence that risks are being adequately treated.
An even more effective way for the company to obtain the assurance that its risk treatment plan is working as intended is by obtaining accredited certification.
Getting certified to ISO 27001
Achieving accredited certification to ISO 27001 demonstrates that an organisation is following information security best practice.
An independent auditor, appointed by an official certification body, will conduct a detailed assessment of the ISMS, interview key staff members, and review various documentation and reports to establish whether there are any conformities that need to be addressed. Based on the outcome of the audit, the company may be able to obtain certification that is valid for three years.
Risk assessment standards
A number of other information security and risk assessment standards support ISO 27001:
- ISO/IEC 27005:2011 – Guidance for information security risk management.
- ISO/IEC 31000:2009 – Risk management – Principles and guidelines provides principles and generic guidelines on risk management
- ISO/IEC 31010:2009 – International standard for risk assessment techniques
Free Risk Assessment and ISO 27001 download
Download now >>
Download this paper to find out more and unravel some of the issues surrounding the risk assessment process.
Let’s get started on your ISO 27001 risk assessment project
IT Governance has the widest range of affordable risk assessment solutions that are easy to use and ready to deploy.
ISO 27001 risk assessment resources