    ISO 27001 & ISO 22301 Blog

    How to organize initial risk assessment according to ISO 27001 and ISO 22301

    Usually, the biggest headache companies have when starting to implement ISO 22301, and especially ISO 27001, is the risk assessment. Interestingly enough, this headache only occurs the first time it is done, which means that risk assessment doesn’t have to be difficult once you know how it’s done.

    So, how can you prepare yourself to make this headache smaller?

    Do it alone or hire a consultant?

    Since risk assessment and treatment are quite time-consuming and complex, you can decide whether they will be managed by the Project manager/Chief information security officer/Business continuity manager alone, or with the help of a hired expert (e.g., a consultant). A consultant could be quite helpful for larger companies, not only to guide the coordinator through the whole process, but also to perform part of the process – e.g., a consultant could run the workshops and/or interviews, compile all the information, write reports, etc., whereas the coordinator should manage the whole process and coordinate people within the company. Read also 5 criteria for choosing an ISO 22301 / ISO 27001 consultant.

    Larger companies will usually have project teams for the implementation of ISO 27001/ISO 22301, so this same project team will take part in the risk assessment process – members of the project team could be the ones doing the interviews.

    Smaller companies do not need a consultant or a project team – yes, the project manager will have to get some education first, but with an appropriate risk assessment methodology, this process can be done without expert help.

    Should you use a risk assessment tool?

    Tools can speed up the process of risk assessment and treatment because they should have built-in catalogues of assets, threats and vulnerabilities; they should be able to compile results semi-automatically; and producing the reports should also be easy – all of which makes them a very good choice for larger companies.

    However, for smaller companies, the price of such tools could be an obstacle, though in my opinion an even bigger barrier is the fact that such tools are usually too complex for smaller companies. In other words, the time needed to learn to work with such a tool is usually much longer than it would take to handle a dozen Excel sheets. Not to mention that such tools usually require you to follow an overly complex risk assessment methodology, which could be overkill for smaller companies.

    In other words, if you are a smaller company, think twice before you purchase any tool – Excel is still a very good tool if you’re not too ambitious. (If you use Excel sheets, make sure you use some catalogues – see here for an example of a threats and vulnerabilities catalogue.)

    Options for gathering the information

    Risk assessment means that you have to get quite a lot of input from your employees – essentially, there are 3 ways to do it:

    a) Perform risk assessment through interviews – this means that the coordinator will interview the responsible person(s) from each department; he will first explain the purpose of the risk assessment, and then make sure that every decision of the responsible person about the level of risk (consequence and likelihood) makes sense and is not biased.

    b) Perform workshops with responsible persons – in such workshops the coordinator explains to all responsible persons the purpose of risk assessment, and through several real-life examples, shows how to identify risks and assess their level.

    c) Send the sheets with a detailed explanation – here you don’t help the responsible persons directly; instead, you send them the Risk assessment methodology or some other instructions on how to fill in the risk assessment sheets, and they do it themselves.

    The last option is probably the easiest from the perspective of the coordinator, but the problem is that the information gathered this way will be of low quality. If the risk assessment process is not very clear to you, be certain that it will be even less clear to other employees in your company, no matter how nice your written explanation is.

    Of course, performing interviews will probably yield better results; however, this option is often not feasible because it requires a large investment of the coordinator’s time. So performing workshops very often turns out to be the best solution.

    Who decides on the level of risk?

    The decision about the level of risk (consequence and likelihood) should always be left to the responsible persons from the relevant activities – the coordinator will never know the assets, processes and environment well enough to make such decisions, whereas the persons working there will certainly have a better idea.

    However, the coordinator has another important function during the risk assessment process – once he starts receiving the risk assessment results, he has to make sure they make sense and that the criteria are applied uniformly across different departments. Even if workshops have been performed, or an explanation was given to the responsible person during the interview, people will always tend to attach much greater importance (meaning higher risks) to their own department – in such cases, the coordinator must question such an assessment and ask the person to reconsider his or her decision.

    So, these were the preparations you need to make. Once you start performing the risk assessment, you should follow these steps: ISO 27001 risk assessment & treatment – 6 basic steps.

    And don’t forget: good preparation is half the job done.

    To learn more, see this free Diagram of ISO 27001:2013 Risk Assessment and Treatment process.

    Dejan Kosutic
    Leading expert on cybersecurity / information security and author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become certified against ISO 27001 and other ISO standards. He believes that making ISO standards easy-to-understand and simple-to-use creates a competitive advantage for Advisera's clients. As an ISO 27001 expert, Dejan is sought out to help companies find the best way to obtain certification by eliminating overhead and adapting the implementation to the specifics of their size and industry.