Risk assessments are at the core of any organisation’s ISO 27001 certification and compliance project. They are essential for ensuring that your Information Security Management System (ISMS) is relevant to your organisation’s needs. Below is a brief introduction to what you need to know.

What is an information security risk assessment?

An information security risk assessment is the process of identifying, resolving and preventing security problems.

You identify the risks in your organisation and assess them. This is often asset based, whereby risks are assessed relative to your information assets, and it is conducted across the whole organisation.

ISO 27001 is explicit in requiring that a risk management process be used to review and confirm security controls in light of regulatory, legal and contractual obligations.

The next step is to conduct an ISO 27001 risk assessment.

Below are steps that simplify the process:

1. Define your risk assessment methodology.
ISO 27001 does not prescribe a specific risk assessment methodology. Choosing the correct methodology for your organisation is essential in order to define the rules by which you will perform the risk assessment. The methodology needs to address four issues: baseline security criteria, risk scale, risk appetite, and a scenario-based or asset-based risk assessment.

2. Compile a list of your information assets.
If opting for an asset-based risk assessment, you should work from an existing list of information assets, which includes hard copies of information, electronic files, removable media, mobile devices and intangibles, such as intellectual property.

3. Identify threats and vulnerabilities.
Identify threats and vulnerabilities that apply to each asset. For example, the threat could be ‘theft of mobile device’.

4. Quantify the extent of the risk.
Assign impact and likelihood values of the risk occurring.

5. Mitigate the risks to reduce them to an agreed and acceptable level.
ISO 27001 suggests four ways to treat risks: ‘terminate’ the risk by eliminating it entirely, ‘treat’ the risk by applying security controls, ‘transfer’ the risk to a third party, or ‘tolerate’ the risk.

6. Compile risk reports.
ISO 27001 requires your organisation to produce a set of reports for audit and certification purposes, the most important being the SoA (Statement of Applicability) and the RTP (risk treatment plan).

7. Review, monitor and audit.
ISO 27001 requires your organisation to continually review, update and improve the ISMS to make sure it is working optimally and adapts to the constantly changing threat environment.
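As an added illustration (not part of the original article), the small Python risk register below carries steps 1 to 6 through on constructed data: a 5x5 impact/likelihood scale, an agreed risk appetite, one threat and vulnerability per asset, one of the four treatment options, and the rows a risk treatment plan (RTP) would contain. Asset names, scores, controls and the appetite value are all made up for the example.

```python
# Constructed example: 5x5 risk scale, risk appetite of 6, made-up assets/controls.
from dataclasses import dataclass

TREATMENTS = {"terminate", "treat", "transfer", "tolerate"}

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    impact: int                   # 1 (negligible) .. 5 (severe)
    likelihood: int               # 1 (rare) .. 5 (almost certain)
    treatment: str = "tolerate"   # one of the four ISO 27001 treatment options
    control: str = ""             # control applied when treatment == "treat"
    residual_likelihood: int = 0  # 0 = not re-assessed after the control
    def score(self) -> int:       # inherent risk = impact x likelihood
        return self.impact * self.likelihood
    def residual_score(self) -> int:  # risk left once the control is in place
        return self.impact * (self.residual_likelihood or self.likelihood)

def validate(risk: Risk, scale_max: int = 5) -> None:
    if not (1 <= risk.impact <= scale_max and 1 <= risk.likelihood <= scale_max):
        raise ValueError("impact and likelihood must be on the 1..%d scale" % scale_max)
    if risk.treatment not in TREATMENTS:
        raise ValueError(f"unknown treatment option {risk.treatment!r}")

def above_appetite(register, appetite):
    """Risks whose inherent score exceeds the agreed appetite must be treated."""
    for r in register:
        validate(r)
    return [r for r in register if r.score() > appetite]

def risk_treatment_plan(register, appetite):
    """One RTP row per risk above appetite; flag tolerated or still-high residual risk."""
    rows = []
    for r in above_appetite(register, appetite):
        residual = r.residual_score()
        flag = r.treatment == "tolerate" or residual > appetite  # needs management sign-off
        rows.append({"asset": r.asset, "inherent": r.score(), "treatment": r.treatment,
                     "control": r.control, "residual": residual, "needs_signoff": flag})
    return rows

RISK_APPETITE = 6
REGISTER = [
    Risk("Staff laptops", "theft of mobile device", "disk not encrypted", 4, 3,
         treatment="treat", control="full-disk encryption", residual_likelihood=1),
    Risk("Customer database", "ransomware", "missing patches", 5, 3,
         treatment="treat", control="patch management", residual_likelihood=2),
    Risk("Printed brochures", "loss of hard copy", "no master copy kept", 1, 4),
]
```

Running `risk_treatment_plan(REGISTER, RISK_APPETITE)` leaves the brochures (score 4) below appetite and lists the two treated risks; the database row is flagged because its residual score of 10 still exceeds the appetite.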