A risk assessment is central to implementing a successful information security management system (ISMS). The process can be overwhelming depending on the size of your organization and scope of your ISMS project, but because a strong outline of the process is already standardized within ISO 27001, there is no need for trial and error.
A successful risk assessment in five steps
A risk assessment process that meets the requirements of ISO/IEC 27001:2013 (clause 6.1.2) should do the following:
- Establish a risk assessment framework, including the criteria for accepting risk.
- Identify risks.
- Analyze risks (estimate likelihood and impact).
- Evaluate risks against the acceptance criteria.
- Select risk management options (risk treatment).
A risk assessor is responsible for identifying risks, appraising them, and evaluating each risk against the organization’s criteria for accepting risks. Senior management and the board are responsible for the risk management strategy and making sure the strategy is successfully implemented. The following actions will help to streamline the process:
- Establish baseline security criteria – a risk assessor identifies the business, regulatory, and contractual requirements for information security that the organization has to meet.
- Map a risk scale matrix – score each risk by likelihood and impact: how probable is it that the event occurs, and what harm would it do to the organization if it did? Plotting every risk on the same matrix is what makes risks comparable with each other and with the risk appetite. An experienced assessor or purpose-built risk assessment software helps keep the scoring consistent.
Risk scale matrix
Risk Scale Matrix Key
- Likelihood: The chance that an event will happen, and how often. Among other factors, historic evidence of the event occurring (in your organization or in comparable ones) is an indicator of what might or might not occur.
- Impact: The harm an event would cause: financial loss, reputational damage, operational disruption, or a combination of these.
- Risk scale: Each axis can be made more or less granular to give a more accurate picture of the risks facing the organization. Larger organizations often use five points on each axis, giving a 5×5 matrix with scores from 1 to 25.
- Establish a risk appetite – the level of risk the organization is willing to accept without treatment, or with less than its usual treatment. Decide this before you score risks, otherwise the threshold drifts to fit the results. Ask which events, such as a data breach of a particular system, are unlikely enough or limited enough in impact that treating them would cost more than it saves. Risks judged tolerable are not ignored: record them and monitor them, asking:
- How will we track these information security risks?
- If several low risks accumulate or change, what are the consequences, and when do they exceed the appetite?
- Conduct a scenario- or asset-based risk assessment – inventory the assets (or business scenarios) that could be affected, starting with the most critical and valuable ones. Any personally identifiable information (PII) that you handle must be in scope.
- Build an asset database – maintain it alongside the risk assessment: as the organization identifies situations or circumstances that put an asset at risk, record them against that asset, and track how each risk changes over time.
In order to make practical, cost-effective decisions, you need to take all your findings and conduct a risk analysis to understand the vulnerabilities and threats that could lead to a data breach or other loss.
A vulnerability is a weakness in the asset itself or in the controls protecting it, whereas a threat is a potential cause of harm external to the asset that could exploit that weakness. A risk exists only when both are present, so each register entry should name the asset, the threat, and the vulnerability together.
Controls are put in place to manage risks.
There are four risk management options:
- Retain (‘accept’)
- Avoid (‘reject’)
- Share (usually through insurance)
- Modify (‘control’)
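The following is a worked example added to this article (it is not code from the original page or from any risk assessment product) of the steps above in runnable form: risks recorded against an asset database entry, scored on a 5×5 likelihood/impact matrix, compared against a risk appetite, and turned into a treatment list ordered by urgency with one of the four risk management options per risk. The asset names, ratings, owners, appetite threshold, band thresholds and Annex A control references are constructed sample data and assumed values, not a real assessment.

```python
"""Risk scale matrix, risk appetite check and treatment ordering.

Illustrative example written for this article; not from the original page
or any vendor product. All sample data below is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# 5-point scales, as larger organizations often use (see the matrix key).
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}

# The four risk management options.
TREATMENTS = ("retain", "avoid", "share", "modify")


@dataclass
class Risk:
    asset: str                 # entry from the asset database
    threat: str                # external to the asset
    vulnerability: str         # weakness in the asset or its controls
    likelihood: int            # key into LIKELIHOOD
    impact: int                # key into IMPACT
    owner: str                 # who is responsible for the treatment
    treatment: str = "modify"  # one of TREATMENTS
    controls: List[str] = field(default_factory=list)  # control refs (assumed)
    acceptance_rationale: Optional[str] = None  # needed to retain above appetite

    def __post_init__(self) -> None:
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError(f"{self.asset}: likelihood and impact must be 1..5")
        if self.treatment not in TREATMENTS:
            raise ValueError(f"{self.asset}: unknown treatment {self.treatment!r}")

    @property
    def score(self) -> int:
        """Cell value on the matrix: likelihood x impact (1..25)."""
        return self.likelihood * self.impact


def band(score: int) -> str:
    """Colour band of a matrix cell (assumed thresholds for a 5x5 matrix)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def heat_map(risks: List[Risk]) -> Dict[Tuple[int, int], int]:
    """Count risks per (likelihood, impact) cell, for the matrix view."""
    grid = {(lk, im): 0 for lk in LIKELIHOOD for im in IMPACT}
    for r in risks:
        grid[(r.likelihood, r.impact)] += 1
    return grid


def build_rtp(risks: List[Risk], appetite: int) -> Tuple[List[Risk], List[Risk]]:
    """Split risks into (treat, monitor) and order the treatment list so the
    most urgent risks come first. A risk above appetite may only be retained
    if someone has recorded why; a 'modify' entry must name its controls."""
    treat, monitor = [], []
    for r in risks:
        if r.score <= appetite:
            monitor.append(r)  # tolerable: record and monitor, no treatment
            continue
        if r.treatment == "retain" and not r.acceptance_rationale:
            raise ValueError(f"{r.asset}: score {r.score} exceeds appetite "
                             f"{appetite} but is retained without a rationale")
        if r.treatment == "modify" and not r.controls:
            raise ValueError(f"{r.asset}: 'modify' needs at least one control")
        treat.append(r)
    treat.sort(key=lambda r: (-r.score, -r.impact))  # ties: worst impact first
    return treat, monitor


# Constructed sample register (assumed values, not real data). The Annex A
# references are illustrative ISO 27001:2013 control identifiers.
SAMPLE_APPETITE = 6
SAMPLE_RISKS = [
    Risk("customer DB (PII)", "external attacker", "unpatched DBMS reachable over VPN",
         4, 5, "DBA lead", "modify", ["A.12.6.1", "A.13.1.3"]),
    Risk("laptops", "theft", "no full-disk encryption", 3, 4, "IT ops", "modify",
         ["A.10.1.1", "A.6.2.1"]),
    Risk("legacy file share", "ransomware", "SMBv1 enabled", 4, 4, "IT ops", "avoid"),
    Risk("marketing site", "DDoS", "single hosting provider", 3, 3, "Web lead", "share"),
    Risk("office printer", "misuse", "default admin password", 2, 2, "Facilities"),
]

if __name__ == "__main__":
    treat, monitor = build_rtp(SAMPLE_RISKS, SAMPLE_APPETITE)
    for r in treat:
        print(f"{r.score:>2} {band(r.score):<6} {r.treatment:<6} {r.asset} -> {r.owner}")
    print("monitor only:", [r.asset for r in monitor])
```

Run as-is the script prints the treatment list with the customer database (score 20) first and the printer (score 4, within the appetite of 6) on the monitor-only list. The two ValueError checks in build_rtp are the part worth copying into real tooling: they stop a register from quietly accepting a risk above appetite with no signed-off justification, and from recording "modify" without saying which controls will do the modifying, which is exactly the information the Statement of Applicability later needs.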
Your organization will apply cybersecurity controls to manage or reduce the risks identified within the risk assessment. ISO 27001 requires you to compare the controls you have determined against the reference list of best-practice controls in Annex A, to check that no necessary control has been omitted.
Create a Statement of Applicability (SoA)
If you use risk assessment software, it will typically produce two outputs: an SoA in which each control links to the exact documentation that addresses it, and a dashboard that tracks the status of the risk assessment and of each identified risk.
The SoA sets out a list of all controls you have selected with:
- Justification for their inclusion
- A statement of whether or not they have been implemented
- Justification for the exclusion of any controls from Annex A of ISO 27001
Set up a risk treatment plan (RTP)
The RTP describes the steps to take in addressing each identified risk. You’ll have a range of options from which to choose when you implement your action plan. Risks should be prioritized by their matrix score, with the most urgent cybersecurity threats treated first.
Things to consider when drafting your RTP:
- Who is responsible for risk treatments?
- What are the deadlines?
- Which resources, e.g. financial and human, are required?
Your documentation holds everything for a solid ISMS
Accurate, precise, and comprehensive documentation, which explains every planned control and component of the ISMS, is crucial. Your documentation will serve as a central point of reference to ensure your ISMS is applied properly over time.
You can accelerate your ISO 27001 project with a documentation toolkit. Designed and developed by expert ISO 27001 practitioners, it provides a complete set of mandatory and supporting documentation templates that are easy to use, customizable, and fully ISO 27001-compliant.
Risk assessment software solution
vsRisk™ risk-assessment software will save you time developing your own risk-assessment methodology. It allows you to get straight to the actual assessment and get actionable results much faster. You can also customize and apply a sample risk assessment.
vsRisk’s robust methodology means that upcoming risk reviews and further risk assessments can be performed quickly, consistently and cost-effectively.