
    How to assess consequences and likelihood in ISO 27001 risk analysis

    If you’re assessing the information security risks in your company, then identifying assets, threats, and vulnerabilities is only the first half of the job. (See also ISO 27001 risk assessment: How to match assets, threats and vulnerabilities.) The second half of the job, no less important and no less difficult, is to calculate how big the risk is – this is achieved through assessing the consequences (also called the impact) if the risk materializes, and assessing how likely the risk is to happen; with this information, you can easily calculate the level of risk.

    ISO 27001 doesn’t really tell you how to do your risk assessment, but it does tell you that you must assess consequences and likelihood, and determine the level of risk – therefore, it’s up to you to figure out how to do it. You’ll find a couple of approaches in this article: these are my favorites, but there are other ways to do it as well – for more approaches see ISO 27005, the standard that explains information security risk assessment in more detail.

    Note: No matter which approach you select, you have to document it in your risk methodology – see this article for explanation: How to write ISO 27001 risk assessment methodology.

    Simple risk assessment

    There are basically two ways to analyze the risks using the qualitative method – let’s call them simple risk assessment, and detailed risk assessment. (I’ll cover the quantitative method in another article.)

    In simple risk assessment you assess the consequences and the likelihood directly – once you identify the risks, you simply have to use scales to assess separately the consequences and the likelihood of each risk. For example, you can use the scale of 0 to 4, where 0 would be very low, 1 low, 2 medium, and so on, or the scale 1 to 10, or Low-Medium-High, or any other scale. A larger scale lets you make finer distinctions, but it also costs more time, and unless every level is defined in your methodology (what exactly separates a 6 from a 7?), different assessors will score the same risk differently, so the extra precision is only apparent.

    So, for example, in simple risk assessment you might have something like this:

    • Asset: laptop
    • Threat: theft
    • Vulnerability: employees do not know how to protect their mobile devices
    • Consequences: 3 (on a scale from 0 to 4)
    • Likelihood: 4 (on a scale from 0 to 4)

    Detailed risk assessment

    In the detailed risk assessment, instead of assessing two elements (consequences and likelihood), you assess three elements: asset value, threat, and vulnerability. So, here’s an example of this detailed risk assessment:

    • Asset: laptop
    • Threat: theft
    • Vulnerability: employees do not know how to protect their mobile devices
    • Asset value: 3 (on a scale from 0 to 4)
    • Threat value: 2 (on a scale from 0 to 2)
    • Vulnerability value: 2 (on a scale from 0 to 2)

    When you think about this more closely, the three elements of the detailed risk assessment assess the consequences and the likelihood indirectly. By assessing the asset value, you are assessing which kind of damage (i.e., consequence) could happen if the confidentiality, integrity, or availability of this asset is endangered. Threats and vulnerabilities together determine the likelihood: the higher the threat and the higher the vulnerability, the more likely the risk is to happen, and vice versa.

    And basically, this is it – if you’re a smaller company, simple risk assessment will be enough for you; if you’re a mid-size or a larger company, detailed risk assessment will do the job. And you don’t need to add any more elements, because that would only make your job more difficult. See also: How to organize initial risk assessment according to ISO 27001 and ISO 22301.

    Why is evaluating both assets and consequences wrong?

    Very often I see companies implementing simple risk assessment (i.e., they directly assess consequences and likelihood), but they also add the asset value to this assessment.

    Why is this wrong? Because they have already assessed the consequences once, so assessing them again through the asset value counts the same thing twice: the consequence side of every risk ends up carrying double the weight of the likelihood side, which skews the ranking toward valuable assets regardless of how likely the incident actually is.

    So, again – don’t try to outsmart yourself and create something complex just because you feel like it.

    How to calculate the level of risk

    Calculating risk is actually very simple – this is usually done through addition (e.g., 2 + 5 = 7) or through multiplication (e.g., 2 x 5 = 10). If you use a Low-Medium-High scale, then this is the same as using 1-2-3, so you still have numbers for calculation. Choose one of the two and write it into your methodology, because they do not rank risks the same way: with multiplication, a risk scored 0 on either scale ends up with a risk level of 0, even though 0 on the scale above means "very low", not "none", whereas with addition a high consequence still shows up even when the likelihood is very low.

    So, using the above examples, here is how to calculate the risk using addition:

    • Simple risk assessment: Consequences (3) + Likelihood (4) = Risk (7)
    • Detailed risk assessment: Asset value (3) + Threat value (2) + Vulnerability value (2) = Risk (7)

    In detailed risk assessment, you’ll notice that I used the scale 0 to 4 for assessing the asset value, and smaller scales 0 to 2 for assessing threats and vulnerabilities. This is because the weight of consequence should be the same as the weight of likelihood – since threats and vulnerabilities jointly “represent” the likelihood, their maximum added value is 4, the same as for the asset (i.e., consequence) value.

    After you’ve calculated the risks, you have to evaluate whether they are acceptable or not, and then move on to the next step: the risk treatment. To see all the steps in risk management, read this article: ISO 27001 risk assessment & treatment – 6 basic steps.
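    The two scoring methods, the addition/multiplication choice and the acceptance check described above, as an added example (this is not code from the article or from Advisera). The scales are the article's (0 to 4 for consequences, likelihood and asset value; 0 to 2 for threat and vulnerability). The acceptance threshold, the register entries other than the laptop/theft one, and the way the detailed method is multiplied (all three values multiplied together) are assumptions made for the example:

```python
"""Qualitative ISO 27001 risk scoring: simple and detailed methods.

Added example, not the article's own code. Scales follow the article; the
acceptance threshold and the register entries other than laptop/theft are
constructed for illustration.
"""
from dataclasses import dataclass

# Upper bound of each scale; every scale starts at 0, where 0 means "very low"
# (the article's convention), not "none".
SCALE_MAX = {
    "consequences": 4, "likelihood": 4,                 # simple method
    "asset_value": 4, "threat": 2, "vulnerability": 2,  # detailed method
}


def check_scale(name, value):
    """Reject a value outside its documented scale. An out-of-range entry such
    as 7 on a 0-4 scale would otherwise silently dominate the ranking."""
    hi = SCALE_MAX[name]
    if isinstance(value, bool) or not isinstance(value, int) or not 0 <= value <= hi:
        raise ValueError(f"{name}={value!r} is outside the 0..{hi} scale")
    return value


def combine(factors, method):
    """Combine scored factors by addition or multiplication, as the article allows.
    With 0-based scales, multiplication returns 0 as soon as any factor is 0."""
    if method == "add":
        return sum(factors)
    if method == "multiply":
        product = 1
        for f in factors:
            product *= f
        return product
    raise ValueError(f"unknown method {method!r}")


def simple_risk(consequences, likelihood, method="add"):
    """Simple assessment: consequences and likelihood are scored directly."""
    return combine([check_scale("consequences", consequences),
                    check_scale("likelihood", likelihood)], method)


def detailed_risk(asset_value, threat, vulnerability, method="add"):
    """Detailed assessment: asset value stands in for consequences, and threat
    plus vulnerability (at most 2 + 2 = 4) jointly stand in for likelihood.
    Assumption: for "multiply" the three values are simply multiplied together;
    the article only shows the addition case."""
    return combine([check_scale("asset_value", asset_value),
                    check_scale("threat", threat),
                    check_scale("vulnerability", vulnerability)], method)


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    consequences: int   # 0-4
    likelihood: int     # 0-4


# Constructed register: the article's laptop example plus two illustrative
# entries chosen so that addition and multiplication rank them differently.
REGISTER = [
    Risk("laptop", "theft",
         "employees do not know how to protect their mobile devices", 3, 4),
    Risk("server room", "earthquake",
         "no seismic bracing on racks", 4, 0),           # severe, very unlikely
    Risk("wiki", "defacement",
         "default credentials on admin account", 1, 2),  # minor, plausible
]


def rank_register(register, method="add", acceptable_up_to=5):
    """Score every risk with the simple method and return (level, unacceptable,
    risk) tuples ordered from highest to lowest level. Anything above the
    assumed acceptance threshold is flagged for risk treatment."""
    scored = []
    for r in register:
        level = simple_risk(r.consequences, r.likelihood, method)
        scored.append((level, level > acceptable_up_to, r))
    return sorted(scored, key=lambda item: item[0], reverse=True)


if __name__ == "__main__":
    # The laptop example scores 7 whichever way the article computes it.
    assert simple_risk(3, 4) == detailed_risk(3, 2, 2) == 7
    for method in ("add", "multiply"):
        print(f"--- {method} ---")
        for level, treat, r in rank_register(REGISTER, method):
            print(f"{level:>2}  {'TREAT' if treat else 'accept':<6}  {r.asset}: {r.threat}")
```

    Running it shows the earthquake entry (consequences 4, likelihood 0) ranked second under addition but last, with a level of 0, under multiplication, which is exactly why the methodology has to name the method in use. The acceptance threshold must also be chosen for that method, since the maximum level is 8 under addition and 16 under multiplication on these scales.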

    Don’t be a perfectionist

    So, to conclude: risk management in general, but especially risk assessment and risk analysis, may seem like a perfect opportunity to make things complicated – since the requirements of ISO 27001 are rather simplistic, you can add numerous elements in trying to make your approach more “scientific.”

    But, you have to ask yourself one question: is your goal to create a perfect risk assessment that will need to be performed for several months or maybe years (because your employees simply won't understand what it is all about and will try to avoid you), or is your goal to finish this process in a reasonable timeframe, knowing that it won't be 100% accurate, but it will at least identify the main risks, and will start your people thinking about the necessity of protecting company information?


    Dejan Kosutic
    Leading expert on cybersecurity / information security and author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become certified against ISO 27001 and other ISO standards. He believes that making ISO standards easy-to-understand and simple-to-use creates a competitive advantage for Advisera's clients. As an ISO 27001 expert, Dejan is sought out to help companies find the best way to obtain certification by eliminating overhead and adapting the implementation to the specifics of their size and industry.