If you’re implementing the ISO27001 information security standard it won’t be very long before you come across the requirements in the area of risk assessment and treatment. In fact, if I had to choose which part of the standard was the most significant, it would probably be this one; it underpins almost everything else, and so it’s important that you fully understand it.
In this article, we’ll go through the eight main steps when conducting an ISO27001 risk assessment, and hopefully remove some of the mystery and confusion around this important area.
But why do we need to do an ISO27001 risk assessment at all? I guess the first thing to say is that there a lot of actions you could take to make your organization more secure. And I mean a lot. There’s a never-ending choice of software, hardware, procedures, policies and other controls that can help to block threats and react to them when they get through. If security was your only consideration then you’d lock the system down so that only a chosen, educated few could access it, and you’d make them enter a secure room (after scanning their retinas of course) to use a single-function terminal that was completely separated from the Internet. And in an extreme case that’s exactly the right thing to do. But most businesses exist in the real world where systems are accessed from public areas (such as shops) across open networks (the Internet) by people with limited technical knowledge (like employees or customers).
So how do you choose what level of security to implement so that your systems are protected but people can still use them effectively? You assess the risks, and then do what’s justified and appropriate. And helping to identify the best level of compromise is the point of risk assessment.
So now you know the point of the risk assessment, here are our 8 steps to a successful one…
Before launching into trying to meet the requirements of the ISO27001 standard, I always recommend reading it to make sure you’re doing what it actually says, rather than basing your work on someone else’s interpretation of what it says. So if you don’t have a copy of the standard yet, head over to the ISO website now and give them some Swiss Francs in return for a PDF copy. While you’re there you may also like to consider a copy of ISO27005 which describes how to conduct information security risk management in more detail.
The main section in the ISO27001 standard that contains requirements to do with risk is Clause 6. Planning. The first thing to note is that the standard actually talks about “risks and opportunities” rather than just risks. An opportunity is basically a good risk, or a risk that has a potentially positive outcome. Although you will need to address opportunities too, we’re not going to talk any more about them here.
The second thing to note is that there are two main areas of risk assessment required; one to do with risks to the information security management system (ISMS) specifically (Clause 6.1.1 General) and the other to do with more general information security risks (Clause 6.1.2 Information security risk assessment). In this article, we’re going to focus on the second of these.
There are a lot of different ways to assess risks, but what the majority of them come down to is a combination of likelihood and impact. You can have a risk that is almost certain to happen, but if it doesn’t cause much in the way of pain then it’s unlikely you’ll feel it’s justified to do anything to stop it. Similarly, a risk that would be completely catastrophic but is almost certain never to happen isn’t going to warrant your attention either. But a risk that is very likely and will cause huge problems is going to keep you awake at night unless you do something about it.
But how do we measure likelihood and impact? Again there are lots of ways but they all come down to two types of method – qualitative and quantitative. The first is a subjective assessment of the scale of the likelihood and impact, often using a basic numerical range such as one to five or one to ten. This is generally a straight judgement call. The second tries to put a meaningful number against the item; for example, impact is often expressed in money terms – a loss of $10,000 would result perhaps. Similarly the likelihood might be expressed as a percentage or the number of times the risk might occur in a defined timeframe (such as once every three years). Inevitably these approaches are a trade off between ease of use and accuracy; if you’re prepared to go down the quantitative route, be ready for it to take longer to define and perform the assessment, although the results may be more defensible.
Whichever approach you decide upon, you’ll also need to consider the tools you’ll use to achieve the risk assessment. A spreadsheet is often used, and there are a variety of cloud and desktop-based systems that can help too.
It’s a requirement of the ISO27001 standard that the information security risk assessment process exists as documented information and it gives a list of areas this document should cover. These include defining your criteria for performing risk assessments and for accepting risks, ensuring the assessments produce reasonable results, and then how you will identify, assess and evaluate the risks. Don’t forget that every risk must have an owner too.
Although risk treatment gets its own sub-section of the standard (6.1.3 Information security risk treatment), you may decide to consider the two aspects as a whole and include assessment and treatment as one process.
Once you have decided your approach and documented your process, the time has come to perform your initial risk assessment. It’s important to remember that risk assessment and treatment is a team sport, and you’ll need to get the right people involved at each stage to identify, analyse, evaluate and treat your risks. Valid approaches to this task include lengthy face to face meetings (hopefully with pizza), submission of individual assessments to a central point for collation, and tours of interviews with relevant people. Hopefully the end result will be a list of well-described risks with agreed likelihoods and impacts which can then be considered for treatment.
Risk treatment is all about applying controls to reduce either the likelihood or impact (or both) of a risk to bring it within acceptable levels. Some of your risks may already be acceptable (according to your defined criteria) and that’s fine. But for those that exceed acceptable levels you need to make some choices about what to do about them. For ISO27001 the main way to treat risks is by using the list of reference controls at Annex A of the standard. You could use a different set of controls (such as those defined by NIST, a USA standards body, for example) but most people don’t, largely because the set in Annex A is right there in the standard and they are generally considered to be pretty good for starters. Often you will need to use your own, locally defined, controls in addition to the Annex A control set and that’s perfectly ok.
So you’ve identified, assessed and evaluated your risks, and decided on the controls you will use to bring them down to acceptable levels. All you need to do now is to implement those controls. Easy eh? Well, this is often where the hard work really starts because the 2022 version of the ISO27001 standard includes 93 controls and, while you may not need all of them, that’s still a lot of procedures and policies to put in place, software to install and training to deliver. Some of these tasks may take months rather than weeks, so try to spread the load across teams and individuals as much as possible.
Depending on the nature of your business, you may not need all of the controls listed in Annex A of the ISO27001 standard. As part of certification, you will be required to create a document called the “Statement of Applicability” which indicates which of the controls do or don’t apply, the main reasons for this, and whether they are implemented yet.
Having completed your initial risk assessment and put the applicable controls in place, you will then enter a continuous phase of review where you keep an eye on your risks to detect any changes worth reassessing. This could be due to internal changes such as new business areas, or external events such as increased threat levels. The applicable controls may change over time as your business develops so you’ll need to keep the Statement of Applicability up to date.
Risk assessment and treatment is one of the primary tools an organization has to protect itself from threats to its information security. Done well, this process provides an adaptable mechanism to adjust your controls (and therefore expenditure) so that the level of protection you maintain remains appropriate and proportionate, and wasteful over-reaction is avoided.
Written by CertiKit’s CEO, Ken Holmes CISSP, CIPP/E. Ken is an ISO27001 Lead Auditor and has helped to implement, operate and audit ISO certifications over a varied 30-year career in the Information Technology industry. Note, this blog has been updated in November 22 to reflect the new 2022 standard.
ISO27001 compliance is made easy with our range of solutions. From our award-winning toolkits to consultancy and internal auditing services, our products and services are available to streamline the process to ensure your organization achieves ISO27001 compliance on time and in budget.
Download our free ISO27001: 10 steps to certification guide to learn: