ISO 27001: risk assessment

Clause 6.1.2 of the ISO 27001 Standard states that an organisation must establish and perform a risk assessment process.

What is an information security risk assessment?

It’s a formal, top management-driven process and sits at the core of an ISMS. 

Risk assessment is a key requirement in the implementation of an ISMS ISO 27001 which must be performed before you start implementing security controls, and consequently, it’s the one that determines the shape of your information security.

The point is to get a comprehensive overview of the dangers to your organization’s information. In fact, it tells you to only implement safeguards if there are risks that would justify that particular control. 

At the end of the risk assessment process, you’ll know exactly which controls from Annex A you need. It leads to the Statement of Applicability, a mandatory document which lists all controls, defines which are applicable and which are not, the reasons for such a decision, the objectives to be achieved with the controls and a description of how they’re implemented.

The Risk Assessment Process consist of five steps: 

1. Establish a risk assessment framework

Define the rules on how you’re going to perform the risk assessment (quantitative versus qualitative analysis, scale of impact, scale of likelihood, method of calculating the risk, the acceptable level of risks, risk ownership, etc.).

If the rules aren’t clearly defined, you might get unusable results. It should be approved by the management.

2. Identify risks

Discover which potential problems could happen and cause harm (e.g. Loss of confidentiality, Loss of integrity, Loss of availability, Loss of quality, etc.). You need to list the assets, their threats (e.g. theft of mobile device) and vulnerabilities (e.g.: lack of formal policy for mobile devices).

That’s the most time-consuming part, especially if you don’t have a list to start with.

3. Analyse risks

Assess the impact and likelihood for each combination of assets/threats/vulnerabilities and then calculate the level of risk.

4. Evaluate risks

Assess each risk against your level acceptable risk criteria and focus on the most important ones (the unacceptable risks).

5. Risks treatment options

Choose between the following four options:

1. Reduce the risk: implementing safeguards, which are controls from Annex A, to decrease the level of risks, e.g. a fire-suppression system or CCTV camera (video surveillance)
2. Transfer the risk: to another party, e.g. buying a fire insurance policy for your building which means transferring a part of the financial risk to an insurance company
3. Avoid the risk: stopping an activity, a task or a process because the risk is too big to be mitigated by other options, e.g. stop collecting personal data such as customer’s telephone numbers and ages to avoid that such data can be stolen in an information security incident
4. Accept the risk: accepting the risk without doing anything about it, e.g. if the cost of mitigating the risk would be higher than the damage itself

The next step is the Risk Treatment Plan (Action Plan) which defines exactly who is going to implement each control, in which time frame, with which budget, etc. The management should approve that document because it’ll take considerable time and effort (and maybe money) to implement controls.