Risk appetite and its influence over ISO 27001 implementation

Clause 6.1.2 (a) (1) of ISO 27001:2013 requires an organization to establish and maintain information security risk criteria, and those criteria must include criteria for risk acceptance. Since these criteria directly determine how organizational risks are treated, defining them well is critical if ISO 27001 is to add value to the business. This raises two questions:

  • How do we define criteria that are relevant for the organization?
  • How do we define criteria for risk acceptance?

While the first question can be answered through clauses 4.1 and 4.2 of ISO 27001 (understanding the organization, its context, and the needs and expectations of interested parties), the second one requires a concept that is sometimes ignored because of the protective nature of ISO 27001: the risk appetite. But before we talk about this concept, let’s review what we mean by risk criteria and risk acceptance.

Risk criteria and risk acceptance

ISO 31000 defines risk criteria as the terms of reference used to evaluate the significance of an organization’s risks. Financial values and market share (expressed as absolute numbers or as percentages) are examples of risk criteria.

For ISO 27001 and ISO 27005, risk acceptance is part of the risk treatment decision-making process. Risk acceptance states the condition you use to decide whether you can live with a particular risk. If financial value is your risk criterion, a certain amount of money (thousands or millions of dollars) is an example of a condition for risk acceptance.

Risk appetite

Risk appetite refers to how much risk an organization is willing to take to reach its goals. If financial value is your risk criterion, the range of money you are willing to lose while pursuing an objective reflects your risk appetite. The financial industry is the clearest example of the risk appetite concept in use.

This concept of willingness to take risks can seem strange when associated with ISO 27001, because the notion of risk most associated with ISO 27001 is loss prevention, while risk appetite is also related to the potential gains an organization can obtain by taking a specific risk. But consider that only risks directly related to legal requirements (e.g., laws and regulations) have mandatory limits (maximum or minimum) that the organization cannot exceed; taking any other type of risk is limited only by what the organization itself defines as acceptable.

A practical example, not directly related to information security, is choosing where to invest your money. People with a low risk appetite may prefer options with lower interest rates that are more certain to deliver that rate. On the other hand, people with a greater risk appetite accept investment options that can even result in losses, but that can yield much greater returns if successful. The same concept can be applied to protecting information in conformity with ISO 27001.

How do I find out the risk appetite of an organization?

Risk appetite is unique to each organization, but it can be identified from some common parameters and sources. An organization’s risk appetite can be described by:

  • Aspects associated with issues that are meaningful to the organization (e.g., standards, laws, policies, contracts, etc.);
  • The organization’s values, policies, strategies and objectives (e.g., commitment to the client, being the most innovative, etc.);
  • Issues of interest for the stakeholders (e.g., profit, market share, etc.);
  • The management style (not a person’s style, but the management team style as a whole) (e.g., autocratic, consultative, democratic, etc.).

From the examples above you may have noticed that risk appetite balances qualitative and quantitative values; this is because risk appetite is more a “state of mind” than a model or a formula. The rewards involved depend on factors that vary from one situation to the next, and some of them are very often not documented (e.g., the interests of stakeholders and the management style).

How to apply risk appetite to ISO 27001

Generally, ISO 27001 implementations use the risk appetite concept implicitly, through the probability vs. impact matrix of the risk assessment, which classifies risks as acceptable (we can live with this risk as it is), manageable (control actions should be considered), or unacceptable (control actions must be implemented). Even though this approach is easy to use, some points must be considered when applying the risk appetite concept explicitly:

  • With a high risk appetite, even a risk assessed as high can seem attractive if the potential gain is high enough;
  • A greater risk appetite can expose you to more risk, because you may apply less strict controls in pursuit of a specific opportunity, so verify whether the expected gains from accepting the risk can cover the intermediate losses and still deliver a reward considered worthwhile.

So, how do you integrate into your ISMS those risks whose treatment differs from the way you normally treat risks, without compromising conformity with ISO 27001? In other words, how do you use risk appetite in your organization’s ISMS? To do this, you should consider:

  • Suitable documentation, in the management review records [clause 9.3 (e)], of the decisions that support the change in the risk acceptance level and/or in the treatment plans normally used to control specific risks [clause 6.1.3 (e)] (changing or excluding controls in view of the expected results);
  • Adjustments to the Statement of Applicability [clause 6.1.3 (d)], identifying specific conditions for use of less strict controls.

With these adjustments you can adopt the concept of risk appetite into your ISMS and use information security not just to prevent losses, but as a tool for using information and risks in a controlled manner to take advantage of business opportunities or to reduce the cost of adopting controls, adding more value to the business through ISO 27001.


Rhand Leal

Rhand Leal has more than 15 years of experience in information security, and for six years he continuously maintained a certified Information Security Management System based on ISO 27001.

Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.