Risk assessments are the most important part of any ISO 27001 project. They help you determine how to get your ISMS in order and keep it that way. This is the core of your information security management system, which is what you get when you implement the Standard.
What is an information security risk assessment?
When you look at the bigger picture of an information security management system, your first step is to look for risks. A risk assessment is a tool used to assess and manage incidents that have the potential to cause harm to your sensitive data. Your first step is to identify vulnerabilities that a cyber criminal could exploit or mistakes that employees could make. Then you determine the risk level and decide on the best course of action to prevent them from happening.
How to conduct an ISO 27001 risk assessment
Risk assessments can be complicated. The ISO 27001 risk assessment process is actually pretty simple. Just follow these seven steps:
1. Define your risk assessment methodology
There is no one-size-fits-all ISO 27001 risk assessment. Instead, you should tailor your approach to the needs of your business. To do this, ask yourself some questions about your company. What are the security standards expected by law? What are your company’s objectives? What are its needs and expectations?
Next, you should look at the risk criteria. It’s the agreed way of measuring risks. This measurement should be based on the impact of risks and likelihood. These need to be clearly defined and understood by everyone so that any two risk assessments produce a comparable result.
Finally, you need to decide how much risk you are willing to take. You cannot eliminate all the risks associated with your business. You must decide if you are willing to accept some residual risk in your business.
2. Compile a list of your information assets
ISO 27001 is a great way to evaluate information security. It offers two options for assessment: asset-based or scenario-based. Although each has its benefits, I generally recommend going with the asset-based approach. With this method, you can focus on information assets that already exist in your company. These include hard copies of data, electronic files, memory sticks, mobile devices, and intangible assets like intellectual property.
3. Identify threats and vulnerabilities
Once you’ve compiled your list of information assets, you must determine the risks associated with them. For example, when analysing work-issued laptops, one of the risks you highlight will be that they might be stolen. Another will be that employees might use an insecure Internet connection in public places, or that they might see sensitive information on their screens.
4. Evaluate risks
If you’ve never established your own criteria, then you need to do that first. The risk criteria is a helpful tool that allows you to evaluate risks by assigning a score to the likelihood of it occurring and the damage it will cause. By evaluating the risks in this way, you get a consistent and comparable assessment of the severity of each risk.
ISO 27001 doesn’t state how you should score risks – whether that’s high to low, 1 to 5, 1 to a 100 or otherwise. It doesn’t matter as long as everyone responsible for evaluating risks uses the same approach.
5. Mitigate the risks
One of the most important requirements of ISO 27001 is to assign a person to handle risk. This person is responsible for accepting the residual risk. He may be different from the person who handles the main asset.
There are four ways that organisations can treat risks:
- Modify the risk by applying security controls to reduce the likelihood of it occurring and/or damage it will cause.
- Retain the risk – accept that it falls within previously established risk acceptance criteria or via extraordinary decisions.
- Avoid the risk by changing the circumstances that are causing it.
- Share the risk with a partner, such as an insurance firm or a third party that is better equipped to manage the risk.
6. Compile risk reports
Next comes documentation. This is necessary for audit and certification purposes. The most important document you must have for audit and certification is your risk treatment plan, or RTP, which documents the decisions you made regarding risk treatment. Clause 6.1.3 of the standard states that an SoA must:
- Identify which controls an organization has selected to tackle identified risks;
- Explain why these have been selected;
- State whether or not the organization has implemented the controls; and
- Explain why any controls have been omitted.
The SoA should link to relevant documentation about the control’s implementation. If a control has been selected, the SoA should have an entry for it.
7. Review, monitor and audit
With ISO 27001, your business is required to constantly review and improve its cyber security measures. To improve your ISMS, you must repeat the assessment process every year. Change is inevitable and you must be ready for it. This is the perfect time to make sure that your controls are addressing the risks properly, and to look for ways to improve your ISMS.