Information Security: Risk Assessment & Treatment
Risk assessment (often called risk analysis) is perhaps the most difficult part of implementing ISO 27001, but at the same time risk assessment (together with risk treatment) is the most important step at the beginning of your information security project: it establishes the basis for information security in your company.
The question is – why is this so important?
The answer is quite simple, even though many people don't understand it: the main philosophy of ISO 27001 is to identify the incidents that could occur (i.e. risk assessment) and then find the most suitable ways to prevent them. And not only that: you must also evaluate the importance of each risk so that you can focus on the most important ones.
Although risk assessment and risk treatment (in other words, risk management) are complex work, they are often unnecessarily mystified. These 6 basic steps will shed light on what you should do.
1. Risk assessment methodology
This is the first step in your risk management journey. You need to define the rules by which you will carry out risk management, because you want to do it the same way throughout the organization; the biggest risk assessment problem arises when different parts of the organization assess risks in different ways. Therefore, you need to decide whether you want to assess risks qualitatively or quantitatively, which scales you will use for a qualitative assessment, what the acceptable level of risk will be, etc.
2. Implementation of risk assessment
Once the rules are defined, you can begin to determine what potential problems may happen to you: list all your assets, then the threats and vulnerabilities related to those assets, assess the impact and likelihood of each asset / threat / vulnerability combination, and finally calculate the level of risk.
3. Implement risk treatment
Of course, not all identified risks are equal; you should focus on the most important of them, the so-called "unacceptable risks."
There are 4 options you can choose from to treat each unacceptable risk:
- Reduce the risk by applying security controls from Appendix A (see the article "Security controls from Appendix A of ISO 27001").
- Transfer the risk to another party, for example to an insurance company by purchasing an insurance policy.
- Avoid the risk by terminating the activity that is too risky, or by performing it in a completely different form.
- Accept the risk, for example if the cost of reducing it would be higher than the damage it could cause.
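The following Python script is an added example (not part of the article or of ISO 27001) that puts steps 1 to 3 above into a small, checkable form: it fixes the methodology parameters, calculates a risk level per asset / threat / vulnerability combination, separates the unacceptable risks, and then checks that every unacceptable risk has one of the four treatment options with a consistent outcome. The 1-5 scale, the "impact times likelihood" formula, the acceptable level of 8 and the sample register entries are all assumptions constructed for the example; a real organization chooses its own in step 1.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional

# Assumed methodology parameters (the article leaves scales and the acceptable
# level to each organization; these values are constructed for the example).
SCALE_MIN, SCALE_MAX = 1, 5      # qualitative scale for impact and likelihood
ACCEPTABLE_RISK_LEVEL = 8        # a risk level above this is "unacceptable"


class Treatment(Enum):
    """The four treatment options listed in the article."""
    REDUCE = "reduce"        # apply security controls
    TRANSFER = "transfer"    # e.g. insurance
    AVOID = "avoid"          # stop or change the risky activity
    ACCEPT = "accept"        # knowingly keep the risk


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    impact: int
    likelihood: int
    treatment: Optional[Treatment] = None
    justification: str = ""                  # required when accepting an unacceptable risk
    residual_impact: Optional[int] = None    # expected values after REDUCE / TRANSFER
    residual_likelihood: Optional[int] = None

    def __post_init__(self) -> None:
        # Enforce the scale chosen in the methodology step.
        for value in (self.impact, self.likelihood,
                      self.residual_impact, self.residual_likelihood):
            if value is not None and not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{value} is outside the {SCALE_MIN}-{SCALE_MAX} scale")

    @property
    def level(self) -> int:
        # Assumed formula: risk level = impact x likelihood
        return self.impact * self.likelihood

    @property
    def residual_level(self) -> int:
        # Level after treatment; unchanged factors keep their original value.
        impact = self.impact if self.residual_impact is None else self.residual_impact
        likelihood = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        return impact * likelihood

    @property
    def acceptable(self) -> bool:
        return self.level <= ACCEPTABLE_RISK_LEVEL


def unacceptable_risks(register: List[Risk]) -> List[Risk]:
    """Risks above the acceptable level, highest first, so effort goes to the worst ones."""
    return sorted((r for r in register if not r.acceptable),
                  key=lambda r: r.level, reverse=True)


def plan_problems(register: List[Risk]) -> List[str]:
    """Consistency checks to run before the treatment decisions go to management."""
    problems = []
    for r in unacceptable_risks(register):
        tag = f"{r.asset} / {r.threat}"
        if r.treatment is None:
            problems.append(f"{tag}: level {r.level} has no treatment decision")
        elif r.treatment is Treatment.ACCEPT and not r.justification:
            problems.append(f"{tag}: accepting level {r.level} needs a justification")
        elif (r.treatment in (Treatment.REDUCE, Treatment.TRANSFER)
              and r.residual_level > ACCEPTABLE_RISK_LEVEL):
            problems.append(f"{tag}: residual level {r.residual_level} is still unacceptable")
    return problems


# Constructed sample register (illustrative entries, not real findings).
REGISTER = [
    Risk("customer database", "ransomware", "unpatched servers", 5, 4,
         Treatment.REDUCE, residual_likelihood=1),                  # 20 -> 5
    Risk("staff laptops", "theft", "no disk encryption", 4, 3,
         Treatment.REDUCE, residual_impact=1),                       # 12 -> 3
    Risk("legacy FTP server", "credential sniffing", "cleartext protocol", 3, 4,
         Treatment.AVOID, justification="service decommissioned"),   # 12, activity stopped
    Risk("public website", "DDoS", "single hosting provider", 3, 3,
         Treatment.ACCEPT),                                          # 9, accepted without a reason
    Risk("office printer", "paper jam", "old hardware", 1, 4),       # 4, acceptable as is
]

if __name__ == "__main__":
    for r in unacceptable_risks(REGISTER):
        print(f"{r.level:>3}  {r.asset} / {r.threat} -> {r.treatment}")
    for p in plan_problems(REGISTER):
        print("PROBLEM:", p)
```

Run as a script it lists the four unacceptable risks in order of level and reports one problem: the website risk was accepted without a written justification, which is exactly the kind of gap an auditor will ask about when reading the risk assessment report later in the process.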
Here you need to get creative: how do you reduce risks with a minimum of investment? It would be very easy if your budget were limitless, but that will never happen. And I must tell you that, unfortunately, your leadership is right: it is possible to achieve the same result with less money; you only need to work out how.
4. ISMS Risk Assessment Report
Unlike the previous steps, in this step you need to document everything you have done so far. Not just for the auditors, but because you will want to check your results this year or next.
5. Statement of Applicability
This document shows the security profile of your company: based on the results of risk management, you list all the security controls you have implemented, why you implemented them and how. This document is also very important because the certification auditor will use it as the main guide when conducting the audit.
6. Risk Management Plan
This is the step where you must move from theory to practice. Let's be honest: everything until now, all this work on risk management, was purely theoretical, but now it is time to show some specific results.
This is the goal of the Risk Management Plan: to determine exactly who will implement each security control, in what period of time, with what budget, etc. I prefer to call this document "Implementation Plan" or "Action Plan", but let's stick to the terminology used in ISO 27001.
Once you have written this document, it will be critical to get its approval from your management, since the implementation of all the security controls that you have planned here will require considerable time and effort. And without their interest you will not achieve any of this.
That's all. You have gone from wondering how to organize your information security to a very clear picture of what you need to do. The fact is that ISO 27001 forces you to make this journey in a systematic manner.