ISO 27001 is heavily focused on risk-based planning. This is to ensure that identified information risks are appropriately managed according to the threats they face and the nature of those threats.
Under ISO 27001:2013, an organisation must choose the relevant risk assessment methodology. Although not a requirement of the Standard, asset-based risk assessments are widely regarded as best practice because they offer a thorough and comprehensive approach to conducting risk assessments.
Where to start with an asset-based risk assessment
The first step is to produce an asset register, which can be done through interviews with asset owners. The ‘asset owner’ is the individual or entity responsible for controlling the production, development, maintenance, use and security of an information asset.
Although ISO 27001:2013 places strong emphasis on the role of the ‘risk owner’, which pushes risk responsibility to a higher level within the organisation, the asset owner is the logical starting point when compiling an asset register.
Once the asset register has been produced, the next step is to identify any potential threats and vulnerabilities that could pose risks to those assets. A vulnerability is a weakness that can be exploited by one or more threats.
Risk assessment and impact determination
Once threats and vulnerabilities have been identified, the risks should be analysed to establish their impact level. This needs to consider how the confidentiality, integrity and availability of data can be affected by each risk.
It should also consider the business, legal, contractual and regulatory implications of risks, including the cost of replacing the asset, the potential loss of income, fines and reputational damage.
ISO 27005 offers a structured, systematic and rigorous process for analysing risks and creating the risk treatment plan, and includes a list of known threats and vulnerabilities that can be used to establish the risks your information assets are exposed to.
Benefit from vsRisk Cloud
vsRisk Cloud provides a simple framework and process to follow when undertaking information security risk assessments. It minimises the hassle and complexity, and saves valuable time and resources. Furthermore, the risk assessment can be repeated easily in a standard format year after year.
The tool generates two reports that can be exported and edited, and includes pre-populated databases of threats and vulnerabilities as well as seven different control sets that can be applied to treat risks.