ISO 27001 risk assessments

With the increase in U.S. security legislation, the focus on organizational risk management and resilience to attacks has grown. At the core of ISO 27001 is the assessment and management of information security risks.

Clause 6.1.2 of the Standard states that the risk assessment process must:

  • Establish and maintain certain information security risk criteria
  • Ensure that repeated risk assessments “produce consistent, valid and comparable results”
  • “Identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system”
  • Identify the owners of those risks
  • Analyze and evaluate information security risks according to certain criteria

Learn how to save time, effort, and expense when carrying out a risk assessment

Free: Risk assessment and ISO 27001 green paper

Download our free green paper to discover how to use risk assessments to achieve maximum benefits from minimum security costs.



Five simple steps to an effective ISO 27001 risk assessment

A risk assessment process that meets the requirements of ISO 27001:2013 should have five steps:

Step 1: Establish a risk management framework

The risk management framework describes how you intend to identify risks, to whom you will assign risk ownership, how the risks impact the confidentiality, integrity, and availability of the information, and the method of calculating the estimated impact and likelihood of the risk occurring. A formal risk assessment methodology needs to address four issues and should be overseen by top management:

  1. Baseline security criteria
  2. Risk scale
  3. Risk appetite
  4. Scenario- or asset-based risk assessment

Step 2: Identify risks

Identifying the risks that can affect the confidentiality, integrity, and availability of information is the most time-consuming part of the risk assessment process. IT Governance USA recommends following an asset-based risk assessment process. Developing a list of information assets is a good place to start. It will be easiest to work from an existing list of information assets that includes hard copies of information, electronic files, removable media, mobile devices, and intangibles, such as intellectual property.


Step 3: Analyze risks

Identify the threats and vulnerabilities that apply to each asset. For instance, the threat could be ‘theft of mobile device’, and the vulnerability could be ‘lack of formal policy for mobile devices’. Assign impact and likelihood values based on your risk criteria, using the same scales and the same calculation every time so that repeated assessments give comparable results.


Step 4: Evaluate risks

You need to weigh each risk against your predetermined levels of acceptable risk, and prioritize which risks need to be addressed in which order.


Step 5: Select risk treatment options

For every risk that falls outside your acceptance criteria, you must choose and document a treatment. There are four options:

  1. ‘Avoid’ the risk by eliminating it entirely
  2. ‘Modify’ the risk by applying security controls
  3. ‘Share’ the risk with a third party (through insurance or outsourcing)
  4. ‘Retain’ the risk (if the risk falls within established risk acceptance criteria)

Applying information security controls in the risk assessment

Compiling risk reports based on the risk assessment

ISO 27001 requires the organization to produce a set of reports based on the risk assessment. These are used for audit and certification purposes. The following two reports are the most important:

  • SoA (Statement of Applicability)

    This report should have a list of all controls as recommended by Annex A of ISO/IEC 27001:2013, together with a statement of whether or not the control has been applied, and a justification for its inclusion or exclusion.

  • RTP (risk treatment plan)

    The RTP describes how the organization plans to deal with the risks identified in the risk assessment.
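As an added illustration (not code from IT Governance, from the Standard, or from any toolkit), the following Python risk register walks through the five steps above and then produces the two reports just described. The 1-5 impact and likelihood scales, the acceptance threshold of 8, the four sample assets and the handful of Annex A control references are all assumptions constructed for the example; a real register would use the criteria your own management has signed off.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Step 1: risk criteria agreed by top management (assumed values for this example).
SCALE = {1: "very low", 2: "low", 3: "medium", 4: "high", 5: "very high"}
ACCEPTANCE_THRESHOLD = 8            # score <= 8 is within appetite (assumption)
TREATMENTS = ("avoid", "modify", "share", "retain")

# Constructed subset of Annex A references used by the sample register.
ANNEX_A = {
    "A.6.2.1": "Mobile device policy",
    "A.8.1.1": "Inventory of assets",
    "A.10.1.1": "Policy on the use of cryptographic controls",
    "A.12.3.1": "Information backup",
    "A.15.1.1": "Information security policy for supplier relationships",
}


@dataclass
class Risk:
    asset: str
    owner: str                      # every risk needs an owner (clause 6.1.2)
    threat: str
    vulnerability: str
    impact: int                     # 1-5 on the agreed scale
    likelihood: int                 # 1-5 on the agreed scale
    treatment: Optional[str] = None
    controls: Tuple[str, ...] = ()  # Annex A references backing a 'modify'

    def score(self) -> int:
        """Step 3: one fixed formula, so repeat assessments stay comparable."""
        for v in (self.impact, self.likelihood):
            if v not in SCALE:
                raise ValueError(f"{v} is outside the agreed 1-5 scale")
        return self.impact * self.likelihood

    def within_appetite(self) -> bool:
        """Step 4: compare against the predetermined acceptance level."""
        return self.score() <= ACCEPTANCE_THRESHOLD


def prioritise(register: List[Risk]) -> List[Risk]:
    """Step 4: highest score first; impact breaks ties towards severe outcomes."""
    return sorted(register, key=lambda r: (r.score(), r.impact), reverse=True)


def treatment_issues(risk: Risk) -> List[str]:
    """Step 5 checks an auditor would raise on a single register row."""
    issues: List[str] = []
    if risk.treatment not in TREATMENTS:
        return [f"{risk.asset}: treatment '{risk.treatment}' is not one of {TREATMENTS}"]
    if risk.treatment == "retain" and not risk.within_appetite():
        issues.append(f"{risk.asset}: score {risk.score()} exceeds appetite; cannot retain")
    if risk.treatment == "modify":
        if not risk.controls:
            issues.append(f"{risk.asset}: 'modify' chosen but no control selected")
        issues += [f"{risk.asset}: unknown control reference {c}"
                   for c in risk.controls if c not in ANNEX_A]
    return issues


def risk_treatment_plan(register: List[Risk]) -> List[Dict[str, object]]:
    """RTP: one row per risk, owner and chosen treatment, in priority order."""
    return [{"asset": r.asset, "owner": r.owner, "score": r.score(),
             "treatment": r.treatment, "controls": list(r.controls)}
            for r in prioritise(register)]


def statement_of_applicability(register: List[Risk]) -> Dict[str, Dict[str, object]]:
    """SoA: every Annex A control, applied or not, with a justification from the register."""
    soa: Dict[str, Dict[str, object]] = {}
    for ref, name in ANNEX_A.items():
        backing = [r.asset for r in register if ref in r.controls]
        soa[ref] = {"control": name, "applied": bool(backing),
                    "justification": (f"treats risk(s) to: {', '.join(backing)}" if backing
                                      else "no identified risk requires this control")}
    return soa


# Step 2: constructed sample register (not real data).
REGISTER = [
    Risk("sales laptops", "Head of Sales", "theft of mobile device",
         "no formal mobile device policy", 4, 4, "modify", ("A.6.2.1", "A.10.1.1")),
    Risk("customer database", "IT Manager", "ransomware",
         "backups not tested", 5, 3, "modify", ("A.12.3.1",)),
    Risk("archived paper contracts", "Legal", "fire in storage room",
         "single storage location", 3, 1, "retain"),
    Risk("payroll outsourcing", "HR Director", "supplier data breach",
         "no security clause in contract", 4, 2, "share"),
]

if __name__ == "__main__":
    for row in risk_treatment_plan(REGISTER):
        print(f"{row['score']:2d}  {row['asset']:25s} {row['treatment']}")
    for r in REGISTER:
        for issue in treatment_issues(r):
            print("ISSUE:", issue)
    for ref, row in statement_of_applicability(REGISTER).items():
        print(ref, "applied" if row["applied"] else "excluded", "-", row["justification"])
```

The point of `treatment_issues` is the part a spreadsheet usually misses: a risk above appetite marked ‘retain’, a ‘modify’ with no control behind it, or a control reference that does not exist in Annex A all surface before the internal audit rather than during it. The SoA is derived from the register rather than filled in by hand, so every ‘applied’ entry can be traced back to a specific risk.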


Review, monitor, and audit to continually improve the ISMS

ISO 27001 requires the organization to continually review, update, and improve its ISMS (information security management system) to make sure it is functioning optimally and adjusting to the constantly changing threat environment.

One aspect of reviewing and testing is an internal audit. This requires the ISMS manager to produce a set of reports that provide evidence that risks are being adequately treated.

An even more effective way for the organization to obtain the assurance that its ISMS is working as intended is by obtaining accredited certification.


How an ISO 27001 risk assessment works

An ISMS is based on the outcomes of a risk assessment. Organizations need to select a set of controls that reduce the identified risks to an acceptable level.

Controls recommended by ISO 27001 are not only technological solutions but also cover people and organizational processes. There are 114 controls in Annex A of ISO/IEC 27001:2013 covering the breadth of information security management, including areas such as physical access control, firewall policies, staff security awareness programs, procedures for monitoring threats, incident management processes, and encryption.


Controls from Annex A fall into 14 categories:

  • A.5 Information security policies
  • A.6 Organization of information security
  • A.7 Human resources security
  • A.8 Asset management
  • A.9 Access control
  • A.10 Cryptography
  • A.11 Physical and environmental security
  • A.12 Operational security
  • A.13 Communications security
  • A.14 System acquisition, development and maintenance
  • A.15 Supplier relationships
  • A.16 Information security incident management
  • A.17 Information security aspects of business continuity management
  • A.18 Compliance

Risk assessments are conducted across the whole organization. They cover all the possible risks to which information could be exposed, balanced against the likelihood of those risks materializing and their potential impact. Once the risk assessment has been conducted, the organization needs to decide how it will manage and mitigate those risks, based on allocated resources and budget.


Risk assessment standards

A number of other information security and risk assessment standards support ISO 27001:


Let’s get started on your ISO 27001 risk assessment project

IT Governance has a wide range of affordable risk assessment solutions that are easy to use and ready to deploy.


Speak to an expert

Our qualified ISO 27001 experts are ready to offer you practical advice about the best approach to take for implementing an ISO 27001 project and discuss different options to suit your budget and business needs.