ISO 27001 risk assessment & treatment – 6 basic steps
Risk assessment (often called risk analysis) is probably the most complex part of ISO 27001 implementation; but at the same time risk assessment (and treatment) is the most important step at the beginning of your information security project – it sets the foundations for information security in your company.
The question is – why is it so important? The answer is quite simple although not understood by many people: the main philosophy of ISO 27001 is to find out which incidents could occur (i.e. assess the risks) and then find the most appropriate ways to avoid such incidents (i.e. treat the risks). Not only this, you also have to assess the importance of each risk so that you can focus on the most important ones.
Although risk assessment and treatment (together: risk management) is a complex job, it is very often unnecessarily mystified. These 6 basic steps will shed light on what you have to do:
1. ISO 27001 risk assessment methodology
This is the first step on your voyage through risk management. You need to define rules on how you are going to perform the risk management because you want your whole organization to do it the same way – the biggest problem with risk assessment happens if different parts of the organization perform it in a different way. Therefore, you need to define whether you want qualitative or quantitative risk assessment, which scales you will use for qualitative assessment, what will be the acceptable level of risk, etc.
2. Risk assessment implementation
Once you know the rules, you can start finding out which potential problems could happen to you – you need to list all your assets, then threats and vulnerabilities related to those assets, assess the impact and likelihood for each combination of assets/threats/vulnerabilities and finally calculate the level of risk.
In my experience, companies are usually aware of only 30% of their risks. Therefore, you’ll probably find this kind of exercise quite revealing – when you are finished you’ll start to appreciate the effort you’ve made.
3. Risk treatment implementation
Of course, not all risks are created equal – you have to focus on the most important ones, so-called ‘unacceptable risks’.
There are four options you can choose from to treat each unacceptable risk:
- Apply security controls from Annex A to decrease the risks – see the article ISO 27001 Annex A controls.
- Transfer the risk to another party – e.g. to an insurance company by buying an insurance policy.
- Avoid the risk by stopping an activity that is too risky, or by doing it in a completely different fashion.
- Accept the risk – if, for instance, the cost of mitigating that risk would be higher than the damage itself.
This is where you need to get creative – how to decrease the risks with minimum investment. It would be easiest if your budget were unlimited, but that is never going to happen. And I must tell you that unfortunately your management is right – it is possible to achieve the same result with less money – you only need to figure out how.
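To make steps 1 to 3 concrete, here is a small qualitative risk register written for this article as an added example (it is not part of the original post and not a tool from ISO 27001 itself). The 1-to-5 scales, the acceptable-risk threshold of 9, the likelihood × impact formula and the sample assets, threats and vulnerabilities are all constructed assumptions; your own methodology document from step 1 fixes these values for your organization.

```python
from dataclasses import dataclass
from typing import List, Optional

# Step 1 (methodology): one set of rules so every department assesses alike.
# Assumed scales: likelihood and impact each 1 (low)..5 (high); risk = L x I.
SCALE = range(1, 6)
ACCEPTABLE_RISK = 9  # assumed threshold: a level above this is "unacceptable"
TREATMENT_OPTIONS = {"mitigate", "transfer", "avoid", "accept"}  # the four options

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    treatment: Optional[str] = None  # decided in step 3

    def __post_init__(self) -> None:
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError("likelihood/impact outside the methodology's scale")

    @property
    def level(self) -> int:
        # Step 2: risk level for each asset/threat/vulnerability combination.
        return self.likelihood * self.impact

def unacceptable_risks(register: List[Risk]) -> List[Risk]:
    # Step 3: concentrate on the unacceptable risks, highest level first.
    return sorted((r for r in register if r.level > ACCEPTABLE_RISK), key=lambda r: -r.level)

def treat(risk: Risk, option: str) -> Risk:
    # Step 3: each unacceptable risk gets exactly one of the four options.
    if option not in TREATMENT_OPTIONS:
        raise ValueError(f"unknown treatment option {option!r}")
    risk.treatment = option
    return risk

def untreated(register: List[Risk]) -> List[Risk]:
    # Consistency check before step 4: unacceptable risks with no decision yet.
    return [r for r in unacceptable_risks(register) if r.treatment is None]

# Constructed sample register (not real data).
REGISTER = [
    Risk("customer database", "ransomware", "no tested offline backups", 4, 5),
    Risk("laptops", "theft", "disk not encrypted", 3, 4),
    Risk("office printer", "paper jam", "old hardware", 5, 1),
]
```

Running `untreated(REGISTER)` after step 3 should return an empty list; anything left in it has no treatment decision and cannot go into the Risk Assessment Report or the Statement of Applicability yet.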
4. ISMS Risk Assessment Report
Unlike the previous steps, this one is quite boring – you need to document everything you’ve done so far. Not only for the auditors, but also because you may want to check these results yourself in a year or two.
5. Statement of Applicability
This document actually shows the security profile of your company – based on the results of the risk treatment you need to list all the controls you have implemented, why you have implemented them and how. This document is also very important because the certification auditor will use it as the main guideline for the audit.
For details about this document, see the article The importance of Statement of Applicability for ISO 27001.
6. Risk Treatment Plan
This is the step where you have to move from theory to practice. Let’s be frank – all up to now this whole risk management job was purely theoretical, but now it’s time to show some concrete results.
This is the purpose of the Risk Treatment Plan – to define exactly who is going to implement each control, in which timeframe, with which budget, etc. I would prefer to call this document ‘Implementation Plan’ or ‘Action Plan’, but let’s stick to the terminology used in ISO 27001.
Once you’ve written this document, it is crucial to get your management’s approval because it will take considerable time and effort (and money) to implement all the controls that you have planned here. And without their commitment you won’t get any of these.
And this is it – you’ve started your journey from not knowing how to set up your information security all the way to having a very clear picture of what you need to implement. The point is – ISO 27001 forces you to make this journey in a systematic way.
P.S. ISO 27005 – how can it help you?
ISO/IEC 27005 is a standard dedicated solely to information security risk management – it is very helpful if you want to get a deeper insight into information security risk assessment and treatment – that is, if you want to work as a consultant or perhaps as an information security / risk manager on a permanent basis. However, if you’re just looking to do risk assessment once a year, that standard is probably not necessary for you.