Organisations that are looking to improve their information security posture are probably familiar with ISO 27001. It’s the international standard that describes best practice for an ISMS (information security management system), and it provides a framework for implementing appropriate processes and technologies.
At the heart of ISO 27001 is the risk assessment, which identifies the likelihood of a threat occurring and the damage that it could cause.
Just as importantly, it helps organisations understand their information security priorities. You won’t be able to address every risk you face; there will simply be too many, and it will either be too expensive or too impractical to adopt adequate defences.
That’s why the ISO 27001 risk assessment instructs organisations to create a ‘risk score’ to compare risks, and to establish risk acceptance criteria – in other words, a way of assessing the point at which the threat is low enough that it doesn’t need to be addressed.
With this in mind, you can see why it is important that organisations are able to assign impact and likelihood values when conducting their risk assessment. In the next section, we look at how you can do that.
Confidentiality, integrity and availability
When assessing risks, organisations should look at each of the three pillars of information security: confidentiality, integrity and availability.
Confidentiality refers to an organisation’s ability to limit who can view its sensitive assets – whether that’s digital data, paper records or physical assets. In other words, how easy is it for unauthorised individuals to access this information?
Meanwhile, data integrity refers to the completeness and accuracy of information. Is anyone able to make unauthorised changes to the organisation’s records – either amending data or deleting it?
Availability refers to the organisation’s ability to access the information when needed. If cyber attackers encrypt your files, for example, the information is not available. Likewise, if records are lost or misplaced and you don’t have backups, the availability of the data is compromised.
Asset-based risk assessments require organisations to consider, for each threat, the different ways in which the confidentiality, integrity and availability of information are compromised.
Establishing levels of risk impact and likelihood
Levels of impact and likelihood must be set for individual assets at the asset identification stage. These scales should be agreed with the organisation’s governance team prior to embarking on the risk assessment. The risk acceptance criteria should also be determined in the same manner.
The impact scales could be anything that you deem appropriate for quantifying the consequence of the risk. For some organisations, this means estimating a financial cost associated with the incident.
To explain how that might work, let’s look at a data breach involving management laptops as an example. In this scenario, an impact score of one corresponds to costs of £50,000 or less, and the scale increases all the way to five, which corresponds to costs in excess of £1 million.
A data breach of management laptops would probably have an impact value of two. Information stored on management laptops can often be sensitive in nature, but the organisation should be made aware of the incident promptly, which will limit the time for which the information is exposed.
For both the availability and integrity of data, the impact in the example should be set at ‘one’ (less than £50,000). The reason for this is that organisations should have a strong network architecture, a configuration management database that includes all the company’s asset information, and a frequent data back-up process.
Once the impact values have been assigned, the risk assessor can identify the various risks (or threats and vulnerabilities) to the asset, and the effect each will have on the confidentiality, integrity and availability of information.
From there, they can select controls that will reduce the risk to an acceptable level (below the risk acceptance threshold).
Although the impact values for the asset (management laptops) will already have been set during the initial asset identification stage, they do not need to be rigid. The impact values for each asset can be adjusted to account for a specific incident or risk.
The same process should be repeated for assigning likelihood values to the asset. In the example used, level ‘one’ implies a likelihood of the risk occurring no more frequently than once every ten years, whereas a ‘five’ suggests a likelihood of it occurring at least once per year.
Unlike impact, likelihood does not change for each of the confidentiality, availability and integrity elements of the asset. This is because the likelihood of the risk occurring does not change (the risk will occur regardless of these elements), but the damage it can do varies according to each of the CIA elements.
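As an added worked example (not part of the original post), the scales described above expressed as a small Python risk register: impact is recorded per CIA element, a single likelihood is shared by all three, and each element is compared against the agreed acceptance criterion. Only the scale end points and the laptop example’s impact levels (C = 2, I = 1, A = 1) come from the text; the intermediate band boundaries, the likelihood value, the acceptance threshold and the impact × likelihood combination rule are assumptions made for illustration.

```python
from dataclasses import dataclass

# Impact scale: upper cost bounds (GBP) for levels 1-4, level 5 open-ended.
# Level 1 (<= 50k) and level 5 (> 1m) are from the text; 2-4 are constructed.
IMPACT_UPPER_BOUNDS_GBP = [50_000, 250_000, 500_000, 1_000_000]

# Likelihood scale: (level, exclusive upper bound in events/year) for levels 2-4.
# Level 1 (<= once in ten years) and 5 (>= once a year) are from the text; 2-4 are constructed.
LIKELIHOOD_UPPER_BOUNDS = ((2, 0.25), (3, 0.5), (4, 1.0))

def impact_level(cost_gbp: float) -> int:
    """Map an estimated incident cost to an impact level of 1..5."""
    for level, upper in enumerate(IMPACT_UPPER_BOUNDS_GBP, start=1):
        if cost_gbp <= upper:
            return level
    return 5

def likelihood_level(events_per_year: float) -> int:
    """Map an expected frequency of occurrence to a likelihood level of 1..5."""
    if events_per_year <= 0.1:
        return 1
    for level, upper in LIKELIHOOD_UPPER_BOUNDS:
        if events_per_year < upper:
            return level
    return 5

@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int  # one value shared by the C, I and A elements
    impact: dict     # impact level per element, e.g. {"C": 2, "I": 1, "A": 1}

    def scores(self) -> dict:
        """Risk score per CIA element (assumed rule: impact x likelihood)."""
        return {e: lvl * self.likelihood for e, lvl in self.impact.items()}

    def elements_needing_treatment(self, acceptance_threshold: int) -> list:
        """CIA elements whose score exceeds the agreed acceptance criterion."""
        return sorted(e for e, s in self.scores().items() if s > acceptance_threshold)

# Worked example from the text: a data breach of management laptops. Costs are
# constructed to land on the text's levels (C = 2, I = 1, A = 1); the page
# gives no likelihood, so one event every four years is assumed.
LAPTOP_BREACH = Risk(
    asset="Management laptops",
    threat="Data breach",
    likelihood=likelihood_level(0.25),
    impact={"C": impact_level(120_000), "I": impact_level(20_000), "A": impact_level(35_000)},
)
```

With an assumed acceptance threshold of 4, only the confidentiality element (score 6) needs treatment; integrity and availability (score 3 each) fall within the acceptance criterion.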
Performing an ISO 27001 risk assessment
You can get started with your ISO 27001 risk assessment with the help of Vigilant Software.
Our risk assessment tool vsRisk provides a simple and fast way to deliver repeatable, consistent assessments year after year. Its asset library assigns organisational roles to each asset group, applying relevant potential threats and risks by default.
Meanwhile, its integrated risk, vulnerability and threat databases eliminate the need to compile a list of risks, and the built-in control sets help you comply with multiple frameworks.
We’re currently offering a free 30-day trial of vsRisk. Simply add the number of licenses you require to your basket and proceed to the checkout.
A version of this blog was originally published on 11 November 2014.