This is the first in a series of articles focusing on conducting information security risk assessments.
The risk assessment is a significant and time-consuming element of implementing an information security management system (ISMS). Choosing the correct risk assessment methodology is essential in order to define the rules by which you will perform the risk assessment. This is a critical step in standardising the assessment approach across the organisation – one of the big problems with risk assessments arises when different parts of the organisation use different approaches.
A risk assessment should provide the organisation – particularly its board and management – with an assurance that all relevant risks have been taken into account, and that there is a commonly defined and understood means of communicating and acting on the results of the risk assessment [1].
Risk assessments and ISO27001
The international standard for information security, ISO27001, does not prescribe a specific risk assessment methodology, but it does require the risk assessment to be a formal process. This implies that the process must be planned, and the data, analysis and results must be recorded.
ISO27001:2013 also states that repeated information security risk assessments must produce consistent, valid and comparable results. Therefore, your chosen risk assessment methodology must be consistent in order to produce repeatable and comparable results.
In the past, the 2005 version of the standard required an asset-based assessment, which involves a detailed analysis of the threats and vulnerabilities that could affect each asset. In the new version of the standard, however, an asset-based methodology is no longer mandated. This means that risks can be analysed independently of any specific asset, in the form of a range of risk scenarios, for instance.
What is risk?
Risk is a function of likelihood and impact. The most commonly used equation to calculate risk is Risk = Likelihood x Impact. There are other calculations, such as Risk = Impact + Likelihood – 1.
Qualitative versus quantitative risks
A quantitative risk assessment uses data that can be assigned a defined value, while a qualitative one primarily uses statements about the subject. A qualitative approach is by far the most widely used for risk analysis, and meets the requirements of ISO27001. In order to ensure that risks are comparable and reproducible, the bands or scales (e.g. low, medium, high) must be defined so that what one person judges a medium impact can be demonstrated as comparable to a medium impact in another person’s assessment [1].
A benefit of a qualitative risk assessment is that it recognises that there is a subjective aspect to the exercise. It also accepts that, in assessing and controlling the risks, it is preferable to be ‘approximately correct’ rather than ‘precisely wrong’ [1].
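As an added example (not from the article or vsRisk), the two risk formulas quoted above applied under fixed, organisation-wide scales and bands, which is what makes one assessor's "medium" comparable with another's. The 1–5 scales, the band thresholds and the sample scenarios are constructed assumptions for illustration.

```python
"""Constructed example: qualitative risk scoring with fixed scales and bands.

The scales, band thresholds and scenarios are assumptions; the two formulas
are the ones the article quotes (Likelihood x Impact, Impact + Likelihood - 1).
"""
from dataclasses import dataclass

# Ordinal scales (1 = lowest). The written criteria are what let two
# assessors' judgements be compared and reproduced.
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}

def _check(likelihood: int, impact: int) -> None:
    # Reject values outside the agreed scale so every score is comparable.
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError("likelihood and impact must be on the 1-5 scale")

def risk_product(likelihood: int, impact: int) -> int:
    """Risk = Likelihood x Impact (range 1..25 on 1-5 scales)."""
    _check(likelihood, impact)
    return likelihood * impact

def risk_additive(likelihood: int, impact: int) -> int:
    """Risk = Impact + Likelihood - 1 (range 1..9 on 1-5 scales)."""
    _check(likelihood, impact)
    return impact + likelihood - 1

# Band thresholds (assumed) must be fixed once for the whole organisation;
# note they differ per formula because the score ranges differ.
BANDS = {"product": [(1, 4, "low"), (5, 12, "medium"), (13, 25, "high")],
         "additive": [(1, 3, "low"), (4, 6, "medium"), (7, 9, "high")]}

def band(score: int, formula: str) -> str:
    """Map a numeric score to its qualitative band for the chosen formula."""
    for lo, hi, name in BANDS[formula]:
        if lo <= score <= hi:
            return name
    raise ValueError(f"score {score} outside the {formula} band table")

@dataclass
class Scenario:
    name: str
    likelihood: int
    impact: int

def risk_register(scenarios, formula="product"):
    """Score each scenario with ONE formula and sort, highest risk first."""
    calc = risk_product if formula == "product" else risk_additive
    rows = [(s.name, calc(s.likelihood, s.impact)) for s in scenarios]
    return sorted(((n, sc, band(sc, formula)) for n, sc in rows),
                  key=lambda r: r[1], reverse=True)

# Constructed scenarios (not from the article).
SAMPLE = [Scenario("lost unencrypted laptop", 3, 4),
          Scenario("web server defaced", 2, 2),
          Scenario("ransomware on file share", 2, 5)]
```

Running `risk_register(SAMPLE)` and `risk_register(SAMPLE, "additive")` shows that the two formulas rank the same scenarios differently (the product formula separates the laptop and ransomware cases, the additive one ties them), which is why a methodology must fix one formula and one band table before any assessment starts.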
There are numerous risk assessment methodologies, including the following:
- NIST’s SP 800-30 Risk Management Guide for Information Technology Systems
- ISO 27005:2011 – Information Security Risk Management Standard
- OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)
- ISO 31000:2009, Risk management – Principles and guidelines (for Enterprise-wide Risk Management)
- IRAM – Information Risk Analysis Methodology
vsRisk™, the industry leading information security risk management software, includes a built-in methodology for conducting risk assessments. Aligned to ISO27005, and enabling compliance with ISO27001, vsRisk provides the framework and tools for completing an information security risk assessment quickly, in a few simple steps.