    ISO 27001 risk assessment: How to match assets, threats and vulnerabilities

    The 2013 revision of ISO 27001 allows you to identify risks using any methodology you like; however, the old methodology (defined by the 2005 revision of ISO 27001), which requires identification of assets, threats and vulnerabilities, still dominates. (See also: What has changed in risk assessment in ISO 27001:2013.)

    So, how do you combine assets, threats and vulnerabilities in order to identify risks?

    How to document the risk identification

    Risk identification is the first half of the risk assessment process, after which comes the evaluation part (assessing the impacts and likelihood) – see the details here: How to write ISO 27001 risk assessment methodology.

    To make your risk assessment easier, you can use a sheet with assets, threats and vulnerabilities in columns; you should also include other information such as risk ID, risk owners, impact and likelihood.

    I found it the easiest to start listing items column by column, not row by row – this means you should list all of your assets first, and only then start finding a couple of threats for each asset, and finally find a couple of vulnerabilities for each threat.

    To learn which types of assets you should take into account, read this article: How to handle Asset register (Asset inventory) according to ISO 27001, and click here to see a catalog of threats and vulnerabilities appropriate for smaller and mid-sized companies.


    Relationship between assets, threats and vulnerabilities

    So, let’s see what this matching of the three components could look like – for example:

    • Asset: paper document:
      • threat: fire; vulnerability: document is not stored in a fire-proof cabinet (risk related to the loss of availability of the information)
      • threat: fire; vulnerability: there is no backup of the document (potential loss of availability)
      • threat: unauthorized access; vulnerability: document is not locked in a cabinet (potential loss of confidentiality)
    • Asset: digital document:
      • threat: disk failure; vulnerability: there is no backup of the document (potential loss of availability)
      • threat: virus; vulnerability: anti-virus program is not properly updated (potential loss of confidentiality, integrity and availability)
      • threat: unauthorized access; vulnerability: access control scheme is not properly defined (potential loss of confidentiality, integrity and availability)
      • threat: unauthorized access; vulnerability: the access was given to too many people (potential loss of confidentiality, integrity and availability)
    • Asset: system administrator:
      • threat: unavailability of this person; vulnerability: there is no replacement for this position (potential loss of availability)
      • threat: frequent errors; vulnerability: lack of training (potential loss of integrity and availability)
      • etc.

    This might seem complicated at first glance, but once you start doing this you’ll see it goes rather quickly. Some people prefer using tools for this kind of work, and I agree this could be a good move for larger companies, but for smaller ones a tool would only cost extra time (see: When to use tools for ISO 27001/ISO 22301 and when to avoid them).

    How much is enough?

    Very often people ask me – how many risks should they identify? If they start being really thorough, for each asset they could find 10 threats, and for each threat at least 5 vulnerabilities – this is quite realistic, isn’t it?

    Now if you are a small company with 50 assets, this would mean you would end up with 2,500 risks, which would probably be overkill for a company of this size. This is why you should focus only on the most important threats and vulnerabilities, while including all the assets; that would mean that for each asset you should identify on average 5 threats, and for each threat on average 2 vulnerabilities. This way you would end up with 500 risks for a smaller company with 50 assets, which is quite manageable.
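    As an added example (not from the article or from Advisera), here is how the column-by-column sheet and the sizing rule of thumb described above can be modelled: the catalog is constructed from the article's own asset/threat/vulnerability list, the C/I/A tags follow the "potential loss of ..." notes in that list, and the thresholds of 5 threats per asset and 2 vulnerabilities per threat are the article's averages.

```python
# Constructed catalog built from the article's own examples; the letters tag which of
# confidentiality (C), integrity (I) or availability (A) the vulnerability could cost.
CATALOG = {
    "paper document": {
        "fire": [("document is not stored in a fire-proof cabinet", "A"),
                 ("there is no backup of the document", "A")],
        "unauthorized access": [("document is not locked in a cabinet", "C")],
    },
    "digital document": {
        "disk failure": [("there is no backup of the document", "A")],
        "virus": [("anti-virus program is not properly updated", "CIA")],
        "unauthorized access": [("access control scheme is not properly defined", "CIA"),
                                ("the access was given to too many people", "CIA")],
    },
    "system administrator": {
        "unavailability of this person": [("there is no replacement for this position", "A")],
        "frequent errors": [("lack of training", "IA")],
    },
}

# Columns of the sheet; owner, impact and likelihood stay empty until the evaluation half.
COLUMNS = ["risk_id", "asset", "threat", "vulnerability", "cia_loss",
           "owner", "impact", "likelihood"]

def build_register(catalog):
    """One row per (asset, threat, vulnerability) triple, with a sequential risk ID."""
    rows = []
    for asset, threats in catalog.items():          # column 1: all assets first
        for threat, vulns in threats.items():       # column 2: a few threats per asset
            for vuln, cia in vulns:                 # column 3: a few vulnerabilities per threat
                rows.append(dict(zip(COLUMNS, (f"R-{len(rows) + 1:03d}", asset, threat,
                                               vuln, cia, "", None, None))))
    return rows

def count_by_cia(rows):
    """How many identified risks could cost each of C, I and A."""
    return {k: sum(k in r["cia_loss"] for r in rows) for k in "CIA"}

def oversized_assets(catalog, max_threats=5, max_vulns=2):
    """Assets whose threat or vulnerability count exceeds the article's averages."""
    return [a for a, ts in catalog.items()
            if len(ts) > max_threats or any(len(v) > max_vulns for v in ts.values())]

if __name__ == "__main__":
    register = build_register(CATALOG)
    print(len(register), "risks identified;", count_by_cia(register))
    print("assets to trim:", oversized_assets(CATALOG, max_threats=2, max_vulns=1))
```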

    Why is this methodology still good?

    I personally like this assets-threats-vulnerabilities methodology quite a bit – not that I’m nostalgic for the 2005 revision of ISO 27001, but I think this methodology gives a good balance between doing the risk assessment quickly, and at the same time doing it both systematically and detailed enough so that one can pinpoint where the potential security problem is.

    And this is what risk assessment is really about: finding out about a potential problem before it actually happens. In other words, ISO 27001 tells you: better safe than sorry.

    To see how to use the ISO 27001 risk register with catalogs of assets, threats, and vulnerabilities, and get automated suggestions on how they are related, sign up for a 30-day free trial of Conformio, the leading ISO 27001 compliance software.

    Author: Dejan Kosutic
    Dejan holds a number of certifications, including Certified Management Consultant, ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, and Associate Business Continuity Professional. Dejan leads our team in managing several websites that specialize in supporting ISO and IT professionals in their understanding and successful implementation of top international standards. Dejan earned his MBA from Henley Management College, and has extensive experience in investment, insurance, and banking. He is renowned for his expertise in international standards for business continuity and information security – ISO 22301 & ISO 27001 – and for authoring several related web tutorials, documentation toolkits, and books.