Risk assessment is a key part of the requirements of the ISO27001 standard and it’s a certainty that an organization won’t become certified unless this area has been addressed. But it’s one of the subjects that causes most confusion when on the journey towards certification, particularly the choice of what kind of risk assessment to carry out. In this blog article we look at two of the most popular ISO27001 risk assessment approaches: asset-based and scenario-based, and we discuss the pros and cons of each.
In the 2005 version of the ISO27001 standard the choice was already made for you; asset-based risk assessment was the way to go, and the text was quite prescriptive:
4.2.1 Establish the ISMS
d) Identify the risks.
1) Identify the assets within the scope of the ISMS, and the owners of these assets.
2) Identify the threats to those assets.
3) Identify the vulnerabilities that might be exploited by the threats.
4) Identify the impacts that losses of confidentiality, integrity and availability may have on the assets.
So the discussion about how to do risk assessment was a bit limited.
In the 2013 version, however, we were allowed to choose our own risk assessment approach, as long as it met certain criteria:
6.1.2 Information security risk assessment
The organization shall define and apply an information security risk assessment process that…
This didn’t mean that you couldn’t carry on performing asset-based risk assessments; you just didn’t have to. But it may explain why the asset-based method is still popular in ISMSs worldwide.
An asset-based risk assessment revolves around three main concepts:
Let’s look at each of these in turn.
In theory, assets are anything that has value to your organization. In practice, in an ISO27001 context we’re mainly talking about information assets and the infrastructure that supports them. An information asset is typically a set of data that your organization uses or stores in order to fulfil its purpose, so it could be a customer database, supplier records, financial data etc. The definition of asset also includes hardware and software and physical things such as buildings, but these tend to be secondary to the information assets: for example, a customer database (the information asset) is hosted on a server which runs Apache (the supporting hardware and software).
A threat is something that might happen to your asset to affect its confidentiality, integrity or availability (the “CIA triad” – a central concept in ISO27001). So this could be a hacker (the “threat actor”) who breaks into your server to steal your customer database (the asset) or, more likely, to encrypt it and demand a ransom.
This is the concept that is probably the most difficult to really comprehend. What is a “vulnerability”? Well, basically it’s a weakness that hasn’t been fixed which makes it easier for the threat to attack the asset. A classic vulnerability is a software bug which hasn’t been patched, and there have been plenty of those involved in high-profile breaches over the years. But it could also be a configuration error, such as not securing your AWS bucket, or a lack of multi-factor authentication (MFA) on a logon to an important asset.
An asset-based risk assessment then involves looking at the threats to each of your assets and deciding whether there are any vulnerabilities that the threat could exploit to affect the CIA of your asset. For those that are above your risk appetite (that is, the degree of risk you feel comfortable with) you would then treat the risk using one or more controls.
For example, the narrative could be “it’s quite likely someone could hack into the server (threat) holding our customer database (asset) and encrypt it because we aren’t patching Apache properly (vulnerability) so we will purchase some software that patches it more reliably (control)”.
Whereas an asset-based risk assessment starts with a list of assets, a scenario-based one starts with a list of things that could happen (scenarios, very similar to our definition of threats above). So you would often start with a brainstorming session to come up with a list of scenarios to consider and then work through what would happen if they came about. In order to assess the impact correctly you still need to have a good understanding of your assets and of the existing controls that are in place, so this type of assessment is not wildly different to the one we have just described.
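To make the two approaches concrete, here is an added example (not from the article or from CertiKit) of a minimal risk register that can be walked either way. The register rows, the 1–5 likelihood and impact scales, the scoring rule (likelihood × impact) and the risk appetite value are all constructed for illustration; the scenario matching is a deliberately simple keyword lookup against the threat text. The point it shows is the one made in the text: the asset-based walk lists every scored row, while a scenario-based walk only reaches the risks someone thought to brainstorm, so the function also returns the risks above appetite that no scenario touched.

```python
"""Added example: one risk register, viewed asset-based and scenario-based.
Every asset, threat, score and the appetite value below is constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One register row: asset + threat + vulnerability, each scored 1-5."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int      # 1 (rare) .. 5 (almost certain)
    impact: int          # 1 (negligible) .. 5 (severe) on C, I or A
    control: str = ""    # proposed treatment, empty until decided

    @property
    def score(self) -> int:
        # Constructed scoring rule: likelihood x impact, range 1..25.
        return self.likelihood * self.impact


# Constructed risk appetite: scores at or below this are accepted as they are.
RISK_APPETITE = 8

# Constructed register written the asset-based way: one row per
# asset / threat / vulnerability combination the assessor identified.
REGISTER = [
    Risk("customer database", "ransomware on the hosting server",
         "Apache not patched reliably", 4, 5, "automated patch management"),
    Risk("customer database", "accidental deletion by an administrator",
         "no tested restore procedure", 2, 5, "scheduled restore tests"),
    Risk("supplier records", "credential theft by phishing",
         "no MFA on the file share logon", 3, 3, "enable MFA"),
    Risk("financial data", "exposure of a cloud storage bucket",
         "bucket policy allows public read", 2, 4, "restrict bucket policy"),
    Risk("office building", "flood", "server room on the ground floor", 1, 4),
]


def risks_to_treat(register, appetite=RISK_APPETITE):
    """Asset-based result: every row above appetite, worst first."""
    return sorted((r for r in register if r.score > appetite),
                  key=lambda r: r.score, reverse=True)


def by_asset(register):
    """Asset-based view: the register grouped by asset, as an assessor walks it."""
    grouped = defaultdict(list)
    for r in register:
        grouped[r.asset].append(r)
    return dict(grouped)


def scenario_based(scenarios, register, appetite=RISK_APPETITE):
    """Scenario-based view: start from brainstormed scenarios and pull in the
    register rows whose threat text mentions the scenario keyword.
    Returns (risks above appetite a scenario reached,
             risks above appetite that no scenario reached)."""
    reached = {r for s in scenarios for r in register
               if s.lower() in r.threat.lower()}
    treat = set(risks_to_treat(register, appetite))
    return (sorted(reached & treat, key=lambda r: r.score, reverse=True),
            sorted(treat - reached, key=lambda r: r.score, reverse=True))


if __name__ == "__main__":
    print("asset-based treatment list:")
    for r in risks_to_treat(REGISTER):
        print(f"  {r.score:2d}  {r.asset}: {r.threat} "
              f"({r.vulnerability}) -> {r.control or 'TBD'}")
    found, missed = scenario_based(["ransomware", "phishing"], REGISTER)
    print("reached by the brainstormed scenarios:", [r.threat for r in found])
    print("above appetite but never brainstormed:", [r.threat for r in missed])
```

Running the script with the two brainstormed scenarios shows the ransomware and phishing rows being treated, while the untested-restore risk on the same customer database (score 10, above appetite) is only surfaced by the asset-based walk; that second list is the one worth reviewing after any scenario workshop.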
The narrative might include questions such as:
What’s important here is that your risk assessment is as comprehensive as you need and that it produces a set of actions that will genuinely improve your security posture. Most people would agree that a scenario-based approach is probably easier to understand but some would argue that this is because it is less structured and so some risks might be missed. However, the scenario-based method may allow your team to focus in on the big, important risks first to get those treated faster. The asset-based approach is likely to produce a longer list of risks which, whilst this means it is more comprehensive, could make your risk assessment unwieldy and harder to action.
It’s a reasonable statement that “the best risk assessment is the one you actually do”, because whichever method you use, the important thing is that you are encouraging everyone involved to think about risks. Either way, you’ll need to provide at least some basic training in how to conduct a risk assessment so that everyone is clear about the approach chosen.
And once you have a completed risk assessment you will be one step closer to achieving certification.
Written by CertiKit’s CEO, Ken Holmes CISSP, CIPP/E. Ken is an ISO27001 Lead Auditor and has helped to implement, operate and audit ISO certifications over a varied 30-year career in the Information Technology industry.
If you want help with your ISO27001 risk assessment (and any other areas of the standard), you’ve come to the right place.
From our award-winning toolkits to consultancy and internal auditing services, our products and services are available to streamline the process to ensure your organization achieves ISO27001 compliance on time and in budget.
Download our free ISO27001: 10 steps to certification guide to learn: