
    How to write ISO 27001 risk assessment methodology

    Without a doubt, risk assessment is the most complex step in the ISO 27001 implementation; however, many companies make this step even more difficult by defining the wrong ISO 27001 risk assessment methodology and process (or by not defining the methodology at all).

    What does ISO 27001 really require?

    ISO 27001 requires you to document the whole process of risk assessment (clause 6.1.2), and this is usually done in the document called Risk assessment methodology. Unfortunately, this is where too many companies make the first big mistake: they start implementing the risk assessment without the methodology – in other words, without any clear rules on how to do it. See also this article: ISO 27001 risk assessment & treatment – 6 basic steps.

    There are many myths regarding what the risk assessment should look like, but in reality ISO 27001:2013 requirements are not very difficult – here is what clause 6.1.2 requires:

    1) Define how to identify the risks that could cause the loss of confidentiality, integrity and/or availability of your information

    2) Define how to identify the risk owners

    3) Define criteria for assessing consequences and assessing the likelihood of the risk

    4) Define how the risk will be calculated

    5) Define criteria for accepting risks

    So essentially, you need to define these 5 elements (together with how the risks that come out above the acceptable level are prioritized for treatment, which the same clause also asks for) – anything less won’t be enough, but more importantly – anything more is not needed, which means: don’t complicate things too much.

    And yes – you need to ensure that the risk assessment results are consistent, valid and comparable – that is, you have to define such a methodology that will produce comparable results in all the departments of your company, and that will produce the same results when the assessment is repeated.

    Which options are available?

    Of course, there are many options available for the above 5 elements – here is what you can choose from:

    Risk identification. In the 2005 revision of ISO 27001 the methodology for identification was prescribed: you needed to identify assets, threats and vulnerabilities (see also What has changed in risk assessment in ISO 27001:2013). The current 2013 revision of ISO 27001 does not require such identification, which means you can identify risks based on your processes, based on your departments, using only threats and not vulnerabilities, or any other methodology you like; however, my personal preference is still the good old assets-threats-vulnerabilities method. (See also this list of threats and vulnerabilities.)

    Risk owners. Basically, you should choose a person who is both interested in resolving a risk, and positioned highly enough in the organization to do something about it. See also this article Risk owners vs. asset owners in ISO 27001:2013.

    Assessing consequences and likelihood. You should assess separately the consequences and likelihood for each of your risks; you are completely free to use whichever scales you like – e.g., Low-Medium-High, or 1 to 5, or 1 to 10 – whatever suits you best. Of course, if you want to make it simple, go for Low-Medium-High.

    Method of risk calculation. This is usually done through addition (e.g., 2 + 5 = 7) or through multiplication (e.g., 2 x 5 = 10). If you use scales Low-Medium-High, then this is the same as using scale 1-2-3, so you have numbers again for calculation. Be aware that the two methods do not rank risks the same way: with addition, a risk with consequence 1 and likelihood 5 gets the same value as one with consequence 3 and likelihood 3 (both 6), whereas multiplication gives 5 and 9 respectively – so pick one method and use it for the whole company.

    Criteria for accepting risks. If your method of risk calculation produces values from 2 to 10 (e.g., addition on a 1-to-5 scale), then you can decide that an acceptable level of risk is, e.g., 7 – this would mean that only the risks valued at 8, 9 and 10 need treatment. Alternatively, you can examine each individual risk and decide which should be treated or not based on your insight and experience, using no pre-defined values. This article will also help you: Why is residual risk so important?
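    As an added worked example (not code from the article, and not any particular tool’s method), here is how the three choices above – the scale, the calculation method and the acceptance criteria – combine into a small risk register calculation. It goes one step beyond the text by running the same register through both addition and multiplication, so you can see that the two methods produce different rankings and therefore need different acceptance levels. The 1-to-5 scale, the register rows, the risk owners and the acceptance levels are all constructed for illustration.

```python
"""Risk level calculation for an ISO 27001-style risk register.

Added example: scale, register rows, owners and acceptance levels are
constructed assumptions, not data from the article.
"""
from dataclasses import dataclass
from typing import List, Tuple

# One scale for the whole company, defined once: 1 = negligible ... 5 = catastrophic
# for consequence, 1 = rare ... 5 = almost certain for likelihood (assumed values).
# Fixing the scale centrally is what makes results comparable across departments.
SCALE_MIN, SCALE_MAX = 1, 5


@dataclass(frozen=True)
class Risk:
    risk_id: str
    asset: str
    threat: str
    vulnerability: str
    owner: str          # risk owner: interested in the risk and able to act on it
    consequence: int    # 1..5
    likelihood: int     # 1..5


def check_scale(value: int, name: str) -> int:
    """Reject values outside the defined scale so no department can invent a '7'."""
    if isinstance(value, bool) or not isinstance(value, int):
        raise ValueError(f"{name} must be an integer, got {value!r}")
    if not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{name} must be {SCALE_MIN}..{SCALE_MAX}, got {value}")
    return value


def risk_level(consequence: int, likelihood: int, method: str = "add") -> int:
    """Combine consequence and likelihood with the chosen calculation method."""
    c = check_scale(consequence, "consequence")
    l = check_scale(likelihood, "likelihood")
    if method == "add":
        return c + l        # range 2..10 on a 1-to-5 scale
    if method == "multiply":
        return c * l        # range 1..25 on a 1-to-5 scale
    raise ValueError(f"unknown calculation method {method!r}")


def rank(register: List[Risk], method: str = "add") -> List[Tuple[str, int]]:
    """Every risk with its level, highest first; ties broken by risk id."""
    scored = [(r.risk_id, risk_level(r.consequence, r.likelihood, method)) for r in register]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


def evaluate(register: List[Risk], acceptable: int, method: str = "add") -> List[Tuple[str, int]]:
    """Risks strictly above the acceptable level: these need treatment."""
    return [(rid, level) for rid, level in rank(register, method) if level > acceptable]


# Constructed sample register (assets, threats, vulnerabilities and owners are made up).
REGISTER = [
    Risk("R1", "Customer database", "SQL injection", "unpatched web application",
         "Head of Development", consequence=5, likelihood=4),
    Risk("R2", "Staff laptops", "Theft", "no full-disk encryption",
         "IT Manager", consequence=4, likelihood=2),
    Risk("R3", "Office Wi-Fi", "Eavesdropping", "shared WPA2 pre-shared key",
         "IT Manager", consequence=2, likelihood=5),
    Risk("R4", "Backup server", "Ransomware", "backups online and writable",
         "IT Manager", consequence=5, likelihood=2),
    Risk("R5", "Payroll spreadsheet", "Unauthorized modification", "broad write access on shared drive",
         "Finance Director", consequence=3, likelihood=3),
]

if __name__ == "__main__":
    # Same register, two methods: note how R2 and R5 tie under addition (6 and 6)
    # but separate under multiplication (8 and 9), and how the acceptance level
    # has to be chosen per method because the value ranges differ.
    for method, acceptable in (("add", 7), ("multiply", 9)):
        print(f"method={method}, acceptable level={acceptable}")
        for rid, level in rank(REGISTER, method):
            flag = "TREAT" if level > acceptable else "accept"
            print(f"  {rid}: {level:2d}  {flag}")
```

With the article’s figures (addition, acceptable level 7) only R1 comes out for treatment; switching to multiplication and an acceptable level of 9 pulls R3 and R4 in as well, which is exactly why the calculation method and the acceptance criteria have to be fixed in the methodology before anybody fills in a register.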

    Methodology first, everything else afterwards

    So the point is this: you shouldn’t start assessing the risks using some sheet you downloaded somewhere from the Internet – this sheet might be using a methodology that is completely inappropriate for your company. You shouldn’t start using the methodology prescribed by the risk assessment tool you purchased; instead, you should choose the risk assessment tool that fits your methodology. (Or you may decide you don’t need a tool at all, and that you can do it using simple Excel sheets.)

    In any case, you should not start assessing the risks before you adapt the methodology to your specific circumstances and to your needs.

    To see how to use the ISO 27001 risk register with catalogs of assets, threats, and vulnerabilities, and get automated suggestions on how they are related, sign up for a 30-day free trial of Conformio, the leading ISO 27001 compliance software.

    Dejan Kosutic
    Leading expert on cybersecurity / information security and author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become certified against ISO 27001 and other ISO standards. He believes that making ISO standards easy-to-understand and simple-to-use creates a competitive advantage for Advisera's clients. As an ISO 27001 expert, Dejan is sought out to help companies find the best way to obtain certification by eliminating overhead and adapting the implementation to the specifics of their size and industry.