    ISO 27001 & ISO 22301 Blog

    4 mitigation options in risk treatment according to ISO 27001

    Most people think risk assessment is the most difficult part of implementing ISO 27001. It is true that risk assessment is probably the most complex step, but risk treatment is definitely the more strategic and more costly one.

    The purpose of risk treatment is straightforward: to bring the risks identified during the risk assessment under control. In most cases this means decreasing the risk, either by reducing the likelihood of an incident (e.g., by using nonflammable building materials) and/or by reducing its impact on assets (e.g., by installing automatic fire-suppression systems). During risk treatment the organization should focus on the risks that are not acceptable; otherwise it would be hard to set priorities, and financing the mitigation of every identified risk would be unaffordable.

    See also: ISO 27001 risk assessment & treatment – 6 basic steps.

    4 most common treatment options

    Once you have the list of unacceptable risks, go through them one by one and decide how to treat each; these are the options that are usually applied:

    1. Decrease the risk: this is the most common option, and it means implementing safeguards (controls), such as fire-suppression systems.
    2. Avoid the risk: stop performing the tasks or processes that incur the risk when it is simply too big to mitigate with any other option. For example, you can decide to ban the use of laptops outside company premises if the risk of unauthorized access to those laptops is too high (e.g., because a compromised laptop could bring down the entire IT infrastructure you depend on).
    3. Share the risk: transfer the risk to another party; e.g., you buy an insurance policy for your building against fire and thereby transfer part of the financial risk to the insurance company. This option has no influence on the incident itself (the fire is exactly as likely as before), so it is best combined with option 1.
    4. Retain the risk: the least desirable option; the organization accepts the risk without doing anything about it. It should be used only when the cost of mitigation would exceed the damage an incident could cause, and the acceptance must be approved and documented by the risk owner rather than left implicit (ISO 27001 clause 6.1.3 requires risk owners to accept the residual risks).

    Decreasing the risk is the most common treatment option, and for that purpose the controls from ISO 27001 Annex A are used (together with any other controls the company considers appropriate). See here how the controls are organized: Overview of ISO 27001:2013 Annex A.

    Before you start the risk treatment

    Before starting the risk treatment process, be aware of its main inputs: the Risk Management Methodology and the list of unacceptable risks from the risk assessment. A third input should be the budget available for the current year, because mitigation very often requires an investment.

    When selecting new controls, there are basically three types to choose from:

    1. Defining new rules: rules are documented through plans, policies, procedures, instructions, etc., although less complex processes do not necessarily have to be documented.
    2. Implementing new technology: for example, backup systems, disaster recovery locations or alternative data centers, etc.
    3. Changing the organizational structure: in some cases, you will need to introduce a new job function, or change the responsibilities of an existing position.

    Deciding which controls to select

    Risk treatment is a step where you normally would not include a very wide circle of people; instead, brainstorm each treatment option with the specialists in your company who focus on the relevant area. For example, if the treatment has to do with IT, talk to your IT staff; if it is about new training, talk to human resources, etc.

    Of course, the final decision about a new treatment option will require approval from the appropriate management level: sometimes the CISO will be able to make such decisions, sometimes your project team, sometimes the head of the department in charge of the particular field (e.g., the head of the legal department if you ask for additional clauses in contracts with your partners), and for larger investments perhaps the executive level. If you have doubts about who can decide what, consult your project sponsor.

    The risk treatment process is very often documented the same way as the risk assessment, through Excel sheets or a tool, and finally in the Risk Treatment Report. An example of a risk treatment table might look like this:

    Asset                | Threat                         | Vulnerability        | Treatment option                 | Means of implementation
    Server               | Fire                           | No fire extinguisher | 1) Decrease risk + 3) Share risk | Purchase fire extinguisher + buy insurance policy against fire
    Laptop               | Access by unauthorized persons | Inadequate password  | 1) Decrease risk                 | Write Password Policy
    System administrator | Leaving the company            | No replacement       | 1) Decrease risk                 | Hire second system administrator who will learn everything the first one does

    If you choose to measure residual risks, do it together with the responsible persons in the departments: show them which treatment options you have planned and, based on that information and using the same scales as in the risk assessment, assess the residual risk for every unacceptable risk identified earlier. For instance, if during your risk assessment you identified a consequence of level 4 and a likelihood of level 5 (a risk of 9 by the method of addition), the residual risk may be 5 if you assess that the planned safeguards would lower the consequence to 3 and the likelihood to 2. Compare each residual risk against the same acceptance criteria: a risk that is still unacceptable needs further treatment or a formal, documented decision by the risk owner to accept it.
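    The following is an added example, not code from the original article or from any ISO 27001 tool. It models the treatment table above and the residual-risk calculation as a small risk register. Everything that the article does not state is an assumption: consequence and likelihood are scored on 1 to 5 scales, risk is consequence plus likelihood (the "method of addition"), a risk above 6 is unacceptable, and all the scores in the sample register are constructed. The asset, threat and vulnerability rows mirror the article's table; the retained web-server row is added to show a residual risk that still exceeds the acceptance criteria.

```python
"""Toy risk register: choose a treatment option per unacceptable risk and
re-assess the residual risk on the same scales.

Added example for this article, not the article's or any vendor's code.
Assumed (not stated in the article): 1-5 scales, risk = consequence +
likelihood, and risk > 6 is unacceptable. All scores below are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

SCALE_MIN, SCALE_MAX = 1, 5   # assumed scoring scales for consequence and likelihood
ACCEPTANCE_THRESHOLD = 6      # assumed: a risk above 6 is unacceptable and must be treated


class Treatment(Enum):
    DECREASE = "1) Decrease risk"
    AVOID = "2) Avoid risk"
    SHARE = "3) Share risk"
    RETAIN = "4) Retain risk"


def risk_level(consequence: int, likelihood: int) -> int:
    """Method of addition: risk = consequence + likelihood, both on the same scale."""
    for name, value in (("consequence", consequence), ("likelihood", likelihood)):
        if not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"{name} {value} is outside the {SCALE_MIN}-{SCALE_MAX} scale")
    return consequence + likelihood


def is_acceptable(level: int) -> bool:
    return level <= ACCEPTANCE_THRESHOLD


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    consequence: int
    likelihood: int
    treatments: list = field(default_factory=list)   # chosen Treatment options
    means: str = ""                                   # means of implementation
    # Re-assessed values after treatment, on the same 1-5 scales
    residual_consequence: Optional[int] = None
    residual_likelihood: Optional[int] = None

    @property
    def inherent(self) -> int:
        return risk_level(self.consequence, self.likelihood)

    def residual(self) -> int:
        """Residual risk after the planned treatment.

        AVOID: the activity stops, so the risk no longer exists (level 0).
        RETAIN (or no option chosen): nothing changes, residual = inherent.
        SHARE without DECREASE: sharing has no influence on the incident
        itself, so likelihood must stay the same; only consequence may drop.
        DECREASE (alone or combined): use the re-assessed values.
        """
        if Treatment.AVOID in self.treatments:
            return 0
        if not self.treatments or self.treatments == [Treatment.RETAIN]:
            return self.inherent
        if self.residual_consequence is None or self.residual_likelihood is None:
            raise ValueError(f"{self.asset}/{self.threat}: residual values not assessed")
        if Treatment.DECREASE not in self.treatments and self.residual_likelihood != self.likelihood:
            raise ValueError(f"{self.asset}/{self.threat}: sharing a risk cannot lower its likelihood")
        return risk_level(self.residual_consequence, self.residual_likelihood)


def unacceptable_risks(register):
    """Only risks above the acceptance threshold enter the treatment step."""
    return [r for r in register if not is_acceptable(r.inherent)]


def treatment_report(register):
    """One row per unacceptable risk: options, inherent and residual level, and
    whether the residual still needs formal acceptance by the risk owner."""
    rows = []
    for r in unacceptable_risks(register):
        res = r.residual()
        rows.append({
            "asset": r.asset,
            "threat": r.threat,
            "options": " + ".join(t.value for t in r.treatments) or "(none chosen)",
            "means": r.means,
            "inherent": r.inherent,
            "residual": res,
            "needs_acceptance": not is_acceptable(res),
        })
    return rows


# Constructed register; the first three rows mirror the article's table.
REGISTER = [
    Risk("Server", "Fire", "No fire extinguisher", 4, 5,
         [Treatment.DECREASE, Treatment.SHARE],
         "Purchase fire extinguisher + buy insurance policy against fire", 3, 2),
    Risk("Laptop", "Access by unauthorized persons", "Inadequate password", 4, 3,
         [Treatment.DECREASE], "Write Password Policy", 3, 2),
    Risk("System administrator", "Leaving the company", "No replacement", 4, 4,
         [Treatment.DECREASE], "Hire second system administrator", 2, 4),
    Risk("Public web server", "Denial of service", "No traffic scrubbing", 4, 3,
         [Treatment.RETAIN], "Mitigation cost exceeds expected loss; needs risk owner sign-off"),
    Risk("Office printer", "Paper jam", "Old device", 1, 3),   # acceptable, not treated
]

if __name__ == "__main__":
    for row in treatment_report(REGISTER):
        flag = "  <-- still unacceptable, risk owner must formally accept" if row["needs_acceptance"] else ""
        print(f"{row['asset']}: {row['inherent']} -> {row['residual']} via {row['options']}{flag}")
```

    Running it lists the four unacceptable risks (the printer row never reaches the treatment step), shows the server risk dropping from 9 to 5 as in the example above, and flags the retained web-server risk because its residual level of 7 is still above the assumed threshold. The check in `residual()` also refuses a "share" entry that claims a lower likelihood, since insurance does not make the fire less likely.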

    Be creative!

    When considering these options, particularly safeguards that involve an investment in technology, be aware of the following: very often the first idea that comes to mind is the most expensive one, so think hard before you purchase an expensive new system. Alternatives that are equally effective at lower cost often exist. Also, keep in mind that most risks exist because of human behavior, not because of machines, so it is questionable whether a machine is the solution to such a problem.

    In other words, this is where you need to get creative: figure out how to decrease the risks with minimum investment. It would be easiest if your budget were unlimited, but that is never going to happen. And, I must tell you that unfortunately, your management is right: it is possible to achieve the same result with less money; you only need to be clever enough to come up with the solution.

    Dejan Kosutic
    Dejan holds a number of certifications, including Certified Management Consultant, ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, and Associate Business Continuity Professional. Dejan leads our team in managing several websites that specialize in supporting ISO and IT professionals in their understanding and successful implementation of top international standards. Dejan earned his MBA from Henley Management College, and has extensive experience in investment, insurance, and banking. He is renowned for his expertise in international standards for business continuity and information security – ISO 22301 & ISO 27001 – and for authoring several related web tutorials, documentation toolkits, and books.