An expert blog by CertiKit’s Managing Director, Principal Consultant and creator of the ISO27001 toolkit, Ken Holmes.
You’ll hear it said many times that ISO27001 is a risk-based standard, and in this blog I’m going to discuss the basics of creating a risk assessment and treatment plan.
In our ISO27001 toolkit we give you two choices in performing your risk assessments; asset-based and scenario-based. Whichever method you choose it’s still a good idea to have an up to date inventory of your assets, particularly your information assets, such as customer data or product specifications.
Whether you choose to perform a scenario-based assessment, or an asset-based one, many of the principles are the same.
The first step is to define the scope and context of the assessment, and your risk acceptance criteria. This sets out what the risk assessment covers and why, so for example we might conduct an assessment of the risks to a specific IT system or service and we might be doing this in the context of the system going live for the first time, or because we’ve become aware of additional threats.
Our risk acceptance criteria define how much risk we can live with without putting any more controls in place and may be stated as a risk score, for example of less than 10, or as a risk classification, for example Low is accepted whereas Medium or High is not.
Once you’ve defined the details of the assessment, you can start to populate the risk assessment spreadsheet with your risks. Each entry could be a risk to the confidentiality, the integrity or the availability of the asset involved, or a combination of these.
Once you’ve assigned a risk owner, as required by the ISO27001 standard, briefly set out the existing controls in place to manage this risk.
The next step is to define the likelihood of the risk happening on a scale of 1 low to 5 high, and give the main reasons why you’ve chosen that score. This is useful information when you come to reassess the risks at a later date, or for someone else to understand why the score was set as it is.
You then need to assess the potential impact of the risk, and the combination of these two numbers gives a risk score and a corresponding risk level.
Next you need to decide whether you are going to accept the risk, based on your acceptance criteria that you defined earlier, or if you’re going to treat the risk.
As treatment, you could decide to avoid the risk, for example by stopping doing something that makes it arise in the first place. You could transfer the risk by getting another party to take it on, such as in the case of insurance. Or you could modify it by taking some additional action such as putting additional controls in place.
If you decide to modify the risk, enter the details of the treatment actions you’re going to put in place. These actions form part of your treatment plan.
Next you need to assess the effect that the treatment actions are expected to have on the risk score and corresponding level and enter new values for likelihood and impact.
Note that if you had decided to accept the risk, you would set these values to be the same as the pre-treatment ones, because you’ve not done anything to affect them. What you’re left with after the treatment actions have been completed is often referred to as the residual level of risk.
We’re often asked how many risks should be listed in our risk assessment tool and there’s no easy answer to that question. The ISO27001 standard doesn’t specify any expectations as to numbers, only that risks should be assessed according to a process. So technically if you only had a dozen or so main risks it shouldn’t be a problem. We would certainly advise against going too far overboard on the number of risks as this can make the process difficult to manage. The appropriate number will depend on factors such as the size of your organization, what it does, and how sensitive your information is.
Other useful tabs are included within the risk assessment tool. Some example risks are given, together with their corresponding controls from Annex A of the ISO27001 standard. There are also a number of alternative ways of presenting the risk assessment and treatment information in graphical form.
Risk assessment and treatment is a big subject and we’ve just scratched the surface in this blog but hopefully it’s been a useful introduction.