An ISO 27001 risk assessment allows an organisation to identify, assess, evaluate and categorise the deficiencies in its Information Security Management System (ISMS) and processes. In this article we look at the five steps you need to take to get an ISO 27001 risk assessment right.

What is risk assessment?

Risk assessment is a systematic method of identifying potential hazards within an organisation and deciding who might be harmed if those hazards materialise. It also helps the organisation evaluate the risks by outlining their effects, so that it can decide which control measures to select. Identifying the risks in an organisation and eliminating them is one of the services ISO consultants provide. In the following, we examine how this is done under ISO 27001.


What is an ISMS?

An ISMS gives an organisation a structured approach to managing its information security: a centrally managed framework that enables you to manage, analyse, assess and improve your information security practices. The ISO 27001 standard simplifies the process of building an ISMS by setting out flexible recommendations that any organisation can use as a guide to build its own customised, efficient and sustainable ISMS.

Steps to an effective ISO 27001 risk assessment

A risk assessment, in general, begins by identifying the hazards, highlighting the stakeholders, evaluating the risks, deciding on precautions, recording the findings and reviewing the current status. When we are talking about a risk assessment for an ISMS, we begin by:

Establishing a risk management framework:

The first step in conducting an efficient risk assessment is to establish and decide upon a suitable framework. The framework should help you identify the risks in your organisation and allow you to assign ownership of each risk to an individual. It should also allow you to understand how each potential risk could affect the confidentiality, integrity and availability of your information. These frameworks are explained in full in the ISO 27001 clauses.

Additionally, the framework should provide a method for estimating the negative impact and the likelihood of each scenario. Issues to consider when creating a formal risk assessment methodology are the risk scale, the risk appetite, your organisation's core security requirements and the methodology that suits you best. Examples of methodologies include asset-based and scenario-based risk assessment.

Identification of risks:

Identification is the most time-consuming part of the risk assessment process. This is why most organisations prefer an asset-based approach, as it is more time-efficient. To begin with, develop a list of your organisation's information assets, so that the risks attached to each asset can be determined.

Analyse risks:

Now that you have a list of all the information assets in your organisation, you must identify the threats and vulnerabilities that apply to each of them. Threats are unique to every organisation, as every organisation has a different set of operating procedures. For example, in a company that receives many visitors, theft of mobile devices may be a vulnerability that necessitates the creation of a formal policy for personal devices.

Evaluation of risks:

After analysing the risks, it is time to assess how significant each potential risk might be. Evaluating risk matters because it may be wasteful to implement measures in response to every risk you face. Hence, it is always recommended to use a risk assessment matrix, so that you can identify which risk corresponds to each asset. A risk matrix also helps you prioritise risks, so that you can treat them in order of urgency.

The majority of risk assessment matrices are tables with one axis representing the probability of occurrence and the other representing the impact or damage. The scores in the cells are calculated by combining the probability and the impact of each risk. Such a matrix allows you to score each risk and weigh it against your predetermined level of acceptable risk. This level of acceptable risk, your risk appetite, determines how you plan to address the risks in the future.

Selecting risk treatment options:

There are several ways to treat a risk, including avoiding it by eliminating it entirely. Another option is to modify the risk by applying appropriate security controls. However, if you do not have adequate resources to implement a security control, you can choose to share the risk with a third party, either by outsourcing it or through an insurance company. Lastly, if the risk falls within the established risk acceptance criteria, you may choose to retain it. The method of treatment depends entirely on your circumstances. ISO 27001 provides a list of relevant controls, outlined in Annex A.

An additional step is to create risk assessment reports that will serve as a template for your organisation as you deal with risks in the future. Such a report summarises the findings of your risk assessment and how you have implemented a plan of action. It contains a statement of applicability, which records your progress in implementing controls, and a risk treatment plan, which summarises each identified risk and its response.
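The scoring and treatment logic described above, as an added example that is not part of the original article: a small asset-based risk register is scored on a 5x5 likelihood-by-impact matrix, checked against a risk appetite, and turned into a risk treatment plan ordered by urgency. The 1-5 scales, the band thresholds, the appetite value and the sample register entries are all assumptions constructed for this illustration.

```python
from dataclasses import dataclass
# Likelihood and impact are both rated 1-5; the matrix score is their product (1-25).
# The band thresholds and the risk appetite below are constructed for the example.
RISK_APPETITE = 6        # scores at or below this meet the risk acceptance criteria
BANDS = [(6, "Low"), (12, "Medium"), (19, "High"), (25, "Critical")]
TREATMENTS = {"retain", "modify", "share", "avoid"}  # the four options in the text

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    owner: str            # every risk is assigned to an owner
    likelihood: int       # 1 (rare) .. 5 (almost certain)
    impact: dict          # 1-5 rating for each of "C", "I", "A"; the worst one drives the score
    treatment: str        # option chosen by the risk owner

    def score(self) -> int:
        return self.likelihood * max(self.impact.values())

def band(score: int) -> str:
    return next((name for upper, name in BANDS if score <= upper), "off-scale")

def validate(risk: Risk) -> list[str]:
    """Consistency checks to run on each register entry before it goes into the report."""
    problems = []
    if set(risk.impact) != {"C", "I", "A"} or not all(
            1 <= v <= 5 for v in (risk.likelihood, *risk.impact.values())):
        problems.append("ratings must be 1-5 for likelihood and each of C, I, A")
    if risk.treatment not in TREATMENTS:
        problems.append(f"unknown treatment option {risk.treatment!r}")
    if risk.treatment == "retain" and risk.score() > RISK_APPETITE:
        problems.append("risk exceeds the appetite but is marked 'retain'")
    return problems

def treatment_plan(register: list[Risk]) -> list[dict]:
    """Risk treatment plan: each risk with its score, band and response, most urgent first."""
    return [{"asset": r.asset, "threat": r.threat, "owner": r.owner, "score": r.score(),
             "band": band(r.score()), "within_appetite": r.score() <= RISK_APPETITE,
             "treatment": r.treatment, "issues": validate(r)}
            for r in sorted(register, key=lambda r: r.score(), reverse=True)]

REGISTER = [  # constructed sample register, not real data
    Risk("Staff laptops", "theft from visitor areas", "no personal-device policy",
         "IT manager", 4, {"C": 4, "I": 2, "A": 3}, "modify"),
    Risk("Backup tapes", "loss in transit", "tapes not encrypted",
         "Ops lead", 2, {"C": 5, "I": 1, "A": 2}, "share"),
    Risk("Intranet wiki", "defacement", "outdated plugin",
         "Web admin", 2, {"C": 1, "I": 3, "A": 2}, "retain"),
]
```

A risk marked "retain" whose score exceeds the appetite is reported as an issue rather than silently accepted, which is the check a reviewer of the treatment plan would want before the report goes to management.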

Conclusion

The five steps to an effective ISO 27001 risk assessment include establishing a risk management framework, identifying risks, analysing risks, evaluating risks and selecting a risk treatment option that is most suitable to your organisation.