The recently published ISO 27001 Global Report 2015 revealed that 30% of the information security professionals surveyed consider conducting information security risk assessment a top challenge when implementing ISO 27001, the information security standard.
This is hardly surprising given the complexity of a risk assessment, which must account for the organisation’s assets, identify the threats and vulnerabilities that put those assets at risk, and determine risk mitigation activities. The risk assessment process sits at the core of ISO 27001. The accuracy of the risk assessment is critical, as its outcome drives information security management decisions and has a significant impact on the effectiveness of the ISMS.
Asset-based risk assessment is the most common risk methodology
The risk assessment requirements of ISO 27001:2013 are less prescriptive than those of the 2005 version. ISO 27001 no longer mandates an asset-based information security risk methodology, but provides more flexibility in the method that organisations can apply.
Despite this, the ISO 27001 Global Report 2015 found that asset-based risk assessment is the most common risk methodology, with 31% of participants following this methodology.
Of this 31%, 20% of respondents stated that their risk assessment methodology has historically been and will continue to be asset-based, while 11% indicated that it is a new initiative and will be asset-based. In addition:
- 16% of respondents state that they are yet to consider options for the future.
- 19% have not yet decided as they are in the early stages of implementation.
- 10% are moving from an asset-based to an alternative methodology that will blend asset- and scenario-based approaches.
- 10% will be deploying neither purely asset-based nor purely scenario-based risk assessment methodologies.
- 8% of respondents have been performing asset-based risk assessments, but are planning to change to a scenario-based methodology.
- 6% will use a scenario-based approach.
Overall, the asset-based assessment methodology remains popular, with most organisations planning to use either an asset-based approach, or a blend of asset- and scenario-based approaches.
The security controls provided in ISO 27001:2013 are the most popular
77% of respondents have selected or will select their security controls from Annex A of ISO 27001:2013, compared to 19% who favour the controls from Annex A of ISO 27001:2005. 21% have selected or will select their security controls from the PCI DSS and 4% from CCM v3.
The selection of controls is a core element of ISO 27001. The Standard requires an organisation to determine the information security processes and controls that need to be monitored and measured in order to evaluate the performance and effectiveness of the ISMS. The selection of the necessary controls is determined by the outcome of the risk assessment and the risk treatment plan.
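As an added illustration of the process described above (the asset-based method, the blended asset- and scenario-based method, and the way a risk treatment plan feeds control selection), the following Python risk register is example code written for this page, not part of the report, the Standard or any product. The five-point likelihood and impact scales, the risk appetite threshold of 8, every asset, threat and vulnerability, and the mapping of threats onto Annex A control references are all constructed assumptions; ISO 27001 prescribes none of them.

```python
"""Risk register with asset-based and scenario-based entries side by side.

Scales, the risk appetite threshold and the threat-to-control mapping are
assumptions for this example; ISO 27001 does not prescribe them.
All assets, threats and vulnerabilities below are constructed sample data.
"""
from dataclasses import dataclass

# Assumed five-point qualitative scales; an organisation defines its own.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
RISK_APPETITE = 8  # assumed: any risk scoring above this must be treated


@dataclass(frozen=True)
class Risk:
    ref: str
    method: str          # "asset" or "scenario"
    subject: str         # asset name (asset-based) or scenario title (scenario-based)
    threat: str
    vulnerability: str   # empty for scenario-based entries
    likelihood: str
    impact: str

    @property
    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    @property
    def needs_treatment(self) -> bool:
        return self.score > RISK_APPETITE


def asset_based_register(assets: dict[str, str], exposures: list[tuple]) -> list[Risk]:
    """Asset-based method: one risk per (asset, threat, vulnerability) triple.

    assets maps asset name -> impact level if the asset is compromised.
    exposures are (asset, threat, vulnerability, likelihood) tuples.
    """
    risks = []
    for n, (asset, threat, vuln, likelihood) in enumerate(exposures, start=1):
        if asset not in assets:
            # A risk against an asset missing from the inventory is a data error,
            # not a risk to silently accept.
            raise KeyError(f"exposure refers to unknown asset {asset!r}")
        risks.append(Risk(f"A-{n:03d}", "asset", asset, threat, vuln, likelihood, assets[asset]))
    return risks


def scenario_risk(ref: str, title: str, threat: str, likelihood: str, impact: str) -> Risk:
    """Scenario-based method: rate a business scenario directly, without tying
    it to a single asset/vulnerability pair. Both kinds share one register."""
    return Risk(ref, "scenario", title, threat, "", likelihood, impact)


def treatment_plan(risks: list[Risk], control_map: dict[str, list[str]]) -> list[tuple]:
    """Risks above appetite, highest score first, each with candidate controls.

    control_map maps a threat name to control references (assumed mapping).
    A threat with no mapped control is flagged rather than dropped.
    """
    above = sorted((r for r in risks if r.needs_treatment), key=lambda r: (-r.score, r.ref))
    return [(r.ref, r.score, control_map.get(r.threat, ["(no control mapped: review)"]))
            for r in above]


# --- constructed sample data ---
ASSETS = {"Customer database": "severe", "Marketing website": "minor", "Laptop fleet": "moderate"}
EXPOSURES = [
    ("Customer database", "Ransomware", "Unpatched database server", "likely"),
    ("Customer database", "Insider misuse", "Excessive privileges", "possible"),
    ("Marketing website", "Defacement", "Outdated CMS plugin", "likely"),
    ("Laptop fleet", "Theft", "Disk not encrypted", "possible"),
]
# Illustrative mapping of constructed threats onto ISO 27001:2013 Annex A references.
CONTROLS = {
    "Ransomware": ["A.12.2.1 Controls against malware", "A.12.3.1 Information backup"],
    "Insider misuse": ["A.9.4.1 Information access restriction"],
    "Defacement": ["A.12.6.1 Management of technical vulnerabilities"],
    "Theft": ["A.10.1.1 Policy on the use of cryptographic controls"],
}


def build_register() -> list[Risk]:
    """Blended register: asset-based entries plus one scenario-based entry."""
    register = asset_based_register(ASSETS, EXPOSURES)
    register.append(scenario_risk("S-001", "Loss of cloud provider for 48h",
                                  "Supplier outage", "unlikely", "major"))
    return register


if __name__ == "__main__":
    for ref, score, controls in treatment_plan(build_register(), CONTROLS):
        print(f"{ref}  score={score:2d}  {'; '.join(controls)}")
```

Run as a script, it lists the three risks that exceed the assumed appetite (the two customer-database risks and the laptop-theft risk) in descending order with their candidate controls; the website defacement and the supplier-outage scenario both score exactly 8 and are accepted. The point of keeping both methods in one register is that a blended approach, which the report shows many organisations moving towards, still yields a single ordered treatment plan from which Annex A controls are selected.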
Using an information security risk assessment tool
If you have been tasked with conducting an information security risk assessment, consider using a sophisticated tool that will reduce the time it takes and the complexity of the task while saving you hundreds of pounds on consultancy fees.
vsRisk, the leading information security risk assessment software, offers a choice of no fewer than seven control sets, including PCI DSS v3, NIST SP 800-53 and the Cloud Controls Matrix, in addition to ISO 27001 (2005 and 2013), Cyber Essentials and ISO 27032. It simplifies the risk assessment process by providing a smart and streamlined solution.
It also introduces a sample risk assessment and delivers ISO 27001-compliant documents.
Find out how vsRisk can help you with your risk assessments.