One of the core principles of ISO 27001 is that the information security measures you adopt must be relevant to the threats your organisation faces.
Every business is unique – in its structure, the types of information it processes and the way it operates – so its approach to data protection must reflect that.
That means conducting a risk assessment to determine where your weaknesses are, how likely it is that those weaknesses will be exploited and the impact each one will cause.
You can perform this assessment in one of two ways, either by focusing on assets (the information and locations that may be breached) or scenarios (the circumstances that can result in a breach).
Most organisations lean towards asset-based assessments, which is what we will be looking at in this blog.
Where to start with an asset-based risk assessment
The first step is to produce an asset register – i.e. a list of hardware, software, devices and databases on which sensitive information is stored.
You can do this by interviewing asset owners. They are the individual or entity responsible for controlling the production, development, maintenance, use and security of an information asset.
Although ISO 27001 places a strong emphasis on the ‘risk owner’, which pushes risk responsibility to a higher level within the organisation, the asset owner is the logical starting point when compiling an asset register.
Risk assessment and impact determination
Once the asset register has been produced, the next step is to identify potential threats and vulnerabilities that could pose risks to those assets. A vulnerability is a weakness that can be exploited by one or more threats.
Once threats and vulnerabilities have been identified, the risks should be analysed to establish the damage that they can cause. This needs to consider how the confidentiality, integrity and availability of data can be affected by each risk.
A key part of the risk assessment involves scoring risks based on the likelihood that they will occur and the damage they will cause.
You should also consider the business, legal, contractual and regulatory implications of risks, including the cost of replacing the asset, the potential loss of income, fines and reputational damage.
Once you’ve scored your risks, you can determine whether they pose a significant enough threat to be addressed. The best way to do this is through a risk matrix, which is a visual aid for assessing the likelihood and impact of each risk.
The risk matrix provides a simple mechanism for determining whether risks should be addressed.
ISO 27005 – another standard in the series dealing specifically with risk management – offers a structured, systematic and rigorous process for analysing risks and creating the risk treatment plan.
As with ISO 27001, there isn’t a specific, prescribed approach to risk management. This is because organisations have their own challenges and must tackle them in a way that suits them.
However, it does include four options for the way you can treat each risk. You can:
- Modify the risk by implementing a control to reduce the likelihood of it occurring
For example, you might address the risk of a work-issued laptop being stolen by creating a policy that instructs employees to keep devices with them and to store them safely.
- Avoid the risk by ceasing any activity that creates it
This response is appropriate if the risk is too big to manage with a security control.
For example, if you’re not willing to take any chances of a laptop being stolen, you might choose to ban employees from using them off-site.
This option will make things less convenient for your employees but will drastically improve your security posture.
- Share the risk with a third party
There are two ways you can do this: by outsourcing the security efforts to another organisation or by purchasing cyber insurance to ensure you have the funds to respond appropriately in the event of a disaster.
Neither option is ideal, because you are ultimately responsible for your organisation’s security. Nonetheless, they might be the best solutions if you lack the resources to tackle the risk.
- Retain the risk
This means that your organisation accepts the risk and believes that the cost of treating it is greater than the damage that it would cause.
The method you choose depends on your circumstances. Avoiding the risk is the most effective way of preventing a security incident, but doing so will probably be expensive if not impossible.
For example, many risks are introduced into an organisation by human error, and you won’t often be able to remove the human element from the equation.
Getting started with your risk assessment
Our whitepaper 5 critical steps to successful ISO 27001 risk assessments contains an in-depth explanation of everything you need to complete the risk assessment process.
It provides essential guidance on:
- How to determine the optimum risk scale so you can determine the impact and likelihood of risks;
- How to systematically go about identifying, evaluating and analysing risks without losing your mind;
- The baseline security criteria you must establish for a successful ISO 27001 implementation.
A version of this blog was originally published on the 1 November 2018.