One of the core principles of ISO 27001 is that the information security measures you adopt must be relevant to the threats your organisation faces.
Every business is unique – in its structure, the types of information it processes and the way it operates – so its approach to data protection must reflect that.
That means conducting a risk assessment to determine where your weaknesses are, how likely it is that they will be exploited and the impact each one will cause.
You can perform this assessment in one of two ways, either by focusing on assets (the information and locations that may be breached) or scenarios (the circumstances that can result in a breach).
Most organisations lean towards asset-based assessments, which is what we’ll be looking at in this blog.
The first step is to produce an asset register – i.e. a list of hardware, software, devices and databases on which sensitive information is stored.
After all, it’s only once you know what needs to be protected that you can determine the threats associated with them and put in place appropriate defences.
An information asset is any piece of information that is of value to the organisation. It can be, for example, a physical or digital file, a disk, a storage device, a laptop or a hard drive.
Creating an asset register
An asset-based risk assessment begins with an asset register. This document specifies all the places where you keep sensitive information.
You can get started with asset identification by interviewing asset owners. They are the individual or entity responsible for controlling an information asset’s production, development, maintenance, use and security.
Although ISO 27001 emphasises the ‘risk owner’, which pushes risk responsibility to a higher level within the organisation, the asset owner is the logical starting point when compiling an asset register.
The asset owner will know how information flows through their department. As such, it will be quicker and less invasive to get each asset owner to provide the necessary information rather compared to getting your implementation or compliance to scour the entire organisation.
If asset owners are unsure what they are responsible for, you should recommend that they list the software that they use, the documents in their folders and filing cabinets, the employees in the department, the equipment in their office, and so on.
You might be able to make their job more manageable if you can access fixed asset registers – such as a list of employees or licensed software. In those cases, you can use those lists so that the asset owner doesn’t have to identify assets solely from memory.
Risk assessment and impact determination
Once the asset register has been produced, the next step is to create an asset risk register to identify potential threats and vulnerabilities that could pose risks to those assets.
A vulnerability is a weakness that can be exploited by one or more threats.
Once threats and vulnerabilities have been identified, the risks should be analysed to establish the damage that they can cause. This needs to consider how the confidentiality, integrity and availability of data can be affected by each risk.
You should also consider the business, legal, contractual and regulatory implications of risks, including the cost of replacing the asset, the potential loss of income, fines and reputational damage.
Once you’ve scored your risks, you can determine whether they pose a significant enough threat to be addressed. The best way to do this is through a risk matrix, which is a visual aid for assessing the likelihood and impact of each risk.
ISO 27005 – another standard in the series dealing specifically with risk management – offers a structured, systematic and rigorous process for analysing risks and creating the risk treatment plan.
As with ISO 27001, there isn’t a specific, prescribed approach to risk management. This is because organisations have their own challenges and must tackle them in a way that suits them.
However, it does include four options for the way you can treat each risk. You can:
- Modify the risk by implementing a control to reduce the likelihood of it occurring
For example, you might address the risk of a work-issued laptop being stolen by creating a policy instructing employees to keep devices with them and to store them safely.
- Avoid the risk by ceasing any activity that creates it
This response is appropriate if the risk is too significant to manage with a security control.
For example, if you’re not willing to take any chances of a laptop being stolen, you might choose to ban employees from using them off-site.
This option will make things less convenient for your employees but will drastically improve your security posture.
- Share the risk with a third party
There are two ways you can do this: outsourcing the security efforts to another organisation or purchasing cyber insurance to ensure you have the funds to respond appropriately in the event of a disaster.
Neither option is ideal, because you are ultimately responsible for your organisation’s security. Nonetheless, they might be the best solutions if you lack the resources to tackle the risk.
- Retain the risk
This means that your organisation accepts the risk and believes that the cost of treating it is greater than the damage that it would cause.
The method you choose depends on your circumstances. Avoiding the risk is the most effective way of preventing a security incident, but doing so will probably be expensive if not impossible.
For example, many risks are introduced into an organisation by human error, and you won’t often be able to remove the human element from the equation.
Getting started with your risk assessment
Our free guide 5 critical steps to successful ISO 27001 risk assessments contains an in-depth explanation of everything you need to complete the risk assessment process.
It provides essential advice on:
- How to determine the optimum risk scale so you can determine the impact and likelihood of risks;
- How to systematically go about identifying, evaluating and analysing risks without losing your mind;
- The baseline security criteria you must establish for a successful ISO 27001 implementation.
A version of this blog was originally published on the 1 November 2018.