This is Part 2 of our series on implementing information security risk assessments. You can read Part 1, ‘How to start your risk assessment the easy way’, here.
If you’re undertaking an information security management system (ISMS) implementation project in line with the information security management standard ISO 27001, you’ll know that you need to carry out a risk assessment to determine which security controls to implement.
Section 6.1.2 sets out what you need to do. The information security risk assessment process must:
- Establish and maintain certain information security risk criteria
- Ensure that repeated risk assessments “produce consistent, valid and comparable results”
- Identify “risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system” and identify the owners of those risks
- Analyze and evaluate information security risks according to certain criteria
The organization must also “retain documented information about the information security risk assessment process” so that it can demonstrate that it complies with these requirements.
Remember: ISO 27001 is a specification, not a code of practice, so the risk assessment process must include all of the prescribed features to have a chance of passing a certification audit.
How can the risk assessment process be simplified?
The best way of simplifying the process is to use a tool to do most of the hard work for you. The risk assessment tool vsRisk™ helps risk assessors deliver repeatable, consistent assessments year after year.
Its pre-populated asset library assigns organizational roles to each asset group, applying relevant potential threats and risks by default. Moreover, its integrated risk, vulnerability, and threat databases eliminate the need to compile a list of potential risks, and the built-in control sets help you comply with multiple frameworks.
vsRisk includes:
- A sample risk assessment
- Seven control sets:
  - ISO/IEC 27001 (both 2005 and 2013)
  - PCI DSS v3.2
  - NIST SP 800-53
  - Cloud Controls Matrix
  - ISO/IEC 27032:2012
  - Cyber Essentials
- A database of threats, vulnerabilities, and risks
- Six exportable and audit-ready reports:
  - Statement of Applicability
  - Risk treatment plan
  - Comments report
  - Risk assessment report
  - Control usage report
With vsRisk, you can:
- View the ISO 27001 controls that require documentation
- Upload documents to link and track controls
- Customize risk acceptance criteria and risk calculation formula
- Map controls between different standards and frameworks
- Add additional assets, risks, and controls
- Create customized views: risks, owners, assets, and groups
- Choose from four risk responses: treat, tolerate, transfer, or terminate