ISO 27001 focuses heavily on asset-based planning. This ensures that the information security measures you adopt are appropriate to the threats you face – both in practicality and scale.
There is no point implementing controls if what they're protecting against is unlikely to be an issue, for example securing all physical premises when sensitive information is held only in select places.
Likewise, asset-based planning guarantees that you are investing your resources wisely, with more of your budget going on priority risks.
Let’s take a look at how you can conduct an asset-based risk assessment with ISO 27001.
Where to start with an asset-based risk assessment
Under ISO 27001, organisations must choose the relevant risk assessment methodology. Although you don’t have to choose an asset-based approach, it’s widely regarded as best practice.
If you follow this route, the first step is to produce an asset register, which can be done through interviews with asset owners.
The ‘asset owner’ is the individual or entity responsible for controlling the production, development, maintenance, use and security of an information asset.
Although ISO 27001 places strong emphasis on the role of the ‘risk owner’, which pushes risk responsibility to a higher level within the organisation, the asset owner is the logical starting point when compiling an asset register.
Risk assessment and impact determination
Once the asset register has been produced, the next step is to identify any potential threats and vulnerabilities that could pose risks to those assets. A vulnerability is a weakness that can be exploited by one or more threats.
Once threats and vulnerabilities have been identified, the risks should be analysed to establish their impact level. This needs to consider how the confidentiality, integrity and availability of data can be affected by each risk.
A key part of the risk assessment involves scoring risks based on the likelihood that they will occur and the damage they will cause.
You should also consider the business, legal, contractual and regulatory implications of risks, including the cost of replacing the asset, the potential loss of income, fines and reputational damage.
Once you’ve scored your risks, you can determine whether they pose a serious enough threat to be addressed. The best way to do this is through a risk matrix, which is a visual aid for assessing the likelihood and impact of each risk.
The risk matrix provides a simple mechanism for determining whether risks should be addressed.
ISO 27005, another standard in the series – dealing specifically with risk management – offers a structured, systematic and rigorous process for analysing risks and creating the risk treatment plan.
As with every standard in the ISO 27000 series, ISO 27005 doesn’t prescribe a specific approach to risk management.
This is because organisations have their own challenges and must tackle them in a way that suits them.
However, it does include four options for the way you can treat each risk. You can:
- Modify the risk by implementing a control to reduce the likelihood of it occurring
For example, you might address the risk of a work-issued laptop being stolen by creating a policy that instructs employees to keep devices with them and to store them safely.
- Avoid the risk by ceasing any activity that creates it
This response is appropriate if the risk is too big to manage with a security control.
For example, if you’re not willing to take any chances of a laptop being stolen, you might choose to ban employees from using them off-site.
This option will make things less convenient for your employees but will drastically improve your security posture.
- Share the risk with a third party
There are two ways you can do this: by outsourcing the security efforts to another organisation or by purchasing cyber insurance to ensure you have the funds to respond appropriately in the event of a disaster.
Neither option is ideal, because you are ultimately responsible for your organisation’s security, but they might be the best solutions if you lack the resources to tackle the risk.
- Retain the risk
This means that your organisation accepts the risk and believes that the cost of treating it is greater than the damage that it would cause.
The method you choose depends on your circumstances. Avoiding the risk is the most effective way of preventing a security incident, but doing so will probably be expensive if not impossible.
For example, many risks are introduced into an organisation by human error, and you won’t often be able to remove the human element from the equation.
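The procedure described above (asset register, threats and vulnerabilities per asset, likelihood times impact, a risk matrix, then a treatment decision) as a small worked example. This is added illustration, not code from the article or from the ISO 27001/27005 standards: the 1 to 5 scales, the matrix bands, the acceptance threshold and the sample assets are all constructed for the example, and an organisation would substitute its own.

```python
"""Asset-based risk scoring: asset register -> risks -> likelihood x impact
-> risk matrix rating -> treatment decision.

Scales, matrix bands, threshold and sample data are constructed for this
example; ISO 27001 leaves the methodology to the organisation.
"""
from dataclasses import dataclass
from enum import Enum


class Treatment(Enum):
    MODIFY = "modify"   # apply a control to reduce likelihood
    AVOID = "avoid"     # stop the activity that creates the risk
    SHARE = "share"     # outsource the effort or insure against the loss
    RETAIN = "retain"   # accept the risk as it stands


def _check_scale(name: str, value: int) -> None:
    # Every input to the matrix must sit on the constructed 1..5 scale.
    if not 1 <= value <= 5:
        raise ValueError(f"{name} must be between 1 and 5, got {value}")


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str            # the asset owner interviewed when building the register
    confidentiality: int  # value of the asset for each CIA property, 1..5
    integrity: int
    availability: int

    def __post_init__(self) -> None:
        for field_name in ("confidentiality", "integrity", "availability"):
            _check_scale(field_name, getattr(self, field_name))

    def impact(self) -> int:
        # Worst-case loss drives impact: the highest of the three CIA values.
        return max(self.confidentiality, self.integrity, self.availability)


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)

    def __post_init__(self) -> None:
        _check_scale("likelihood", self.likelihood)

    def score(self) -> int:
        return self.likelihood * self.asset.impact()


def rating(score: int) -> str:
    """Constructed 5x5 risk matrix: bands on the product likelihood * impact (1..25)."""
    if score <= 4:
        return "low"
    if score <= 9:
        return "medium"
    if score <= 15:
        return "high"
    return "critical"


# Risks scoring at or below this may be retained without treatment (constructed).
ACCEPTANCE_THRESHOLD = 4


def validate_treatment(risk: Risk, treatment: Treatment) -> bool:
    """Retaining a risk is only acceptable below the threshold; anything above
    must be modified, avoided or shared."""
    if treatment is Treatment.RETAIN:
        return risk.score() <= ACCEPTANCE_THRESHOLD
    return True


def prioritised_register(risks):
    """Return (asset, threat, score, rating) rows, highest score first, so
    budget goes to the priority risks."""
    rows = [(r.asset.name, r.threat, r.score(), rating(r.score())) for r in risks]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample register.
LAPTOPS = Asset("Staff laptops", "IT manager", confidentiality=4, integrity=3, availability=2)
WEBSITE = Asset("Brochure website", "Marketing lead", confidentiality=1, integrity=3, availability=3)
NOTICEBOARD = Asset("Kitchen noticeboard", "Office manager", confidentiality=1, integrity=1, availability=1)

SAMPLE_RISKS = [
    Risk(LAPTOPS, "theft off-site", "devices left unattended", likelihood=3),
    Risk(WEBSITE, "defacement", "unpatched CMS", likelihood=2),
    Risk(NOTICEBOARD, "removed by cleaner", "no pin", likelihood=2),
]

if __name__ == "__main__":
    for asset, threat, score, band in prioritised_register(SAMPLE_RISKS):
        print(f"{score:2d} {band:8s} {asset}: {threat}")
```

The laptop theft risk scores 12 (high) and cannot simply be retained; it must be modified (the policy control from the article), avoided (no laptops off-site) or shared. The noticeboard risk scores 2 and sits inside the acceptance threshold, so retaining it is a valid decision.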
What should you do next?
Our whitepaper 5 critical steps to successful ISO 27001 risk assessments contains an in-depth explanation of everything you need to complete the risk assessment process.
By reading this free guide, you’ll learn:
- How to determine the optimum risk scale so you can determine the impact and likelihood of risks;
- How to systematically go about identifying, evaluating and analysing risks without losing your mind;
- The baseline security criteria you must establish for a successful ISO 27001 implementation.
A version of this blog was originally published on 1 November 2018.