ISO 27001 is designed to help organisations identify the right approach to take when managing risks.
You can’t apply defences to every threat you face, because that would be impractical and prohibitively expensive, so you need to determine when mitigation is the right strategy and when other risks can be dealt with a better way.
The Standard outlines four options for addressing risks. We explain each of them in this blog and the circumstances under which they might be appropriate.
1. Modify the risk
‘Modifying’ is the technical term that ISO 27001 uses to mean applying a control that changes the level of the risk.
It gets this name because the organisation is implementing a measure that makes the risk less damaging or less likely to happen.
Controls can be technologies, processes or policies. For example, you might want to tackle the threat of malware by installing antivirus software, or reduce the risk of phishing attacks by enrolling your employees on a cyber security staff awareness course.
Similarly, you might want to address the threat of internal error and accidental data breaches by implementing a policy that instructs employees on how to handle sensitive information securely.
You can apply multiple controls to the same risk, but remember that each control you implement will take time, cost money and will need to be reviewed on a regular basis to make sure it’s working as intended.
Modifying the risk is therefore likely to be the most burdensome option, but it also enables you to continue your day-to-day operations in a relatively unchanged way.
2. Avoid the risk
As the name suggests, avoiding the risk means stopping any activity that creates it. This response will be appropriate if the threat is simply too big to manage with a security control, or you don’t have the resources to apply it.
For example, to tackle the threat of cyber attackers targeting remote workers, your best option would be to provide work-issued laptops that your IT team can monitor.
However, if you’re unable to provide laptops for everyone, you might decide it’s in your best interest to limit the number of people who are permitted to work from home. This will probably frustrate some employees, but cyber security is always about balancing responsibility and convenience, and there will always be tough choices.
3. Share the risk
A problem shared is a problem halved, as the saying goes, and this is somewhat true when it comes to cyber threats. Many organisations use third parties to help them complete processes that can’t be avoided but that the organisation can’t tackle on its own.
There are two ways an organisation can do this. First, they can outsource the security efforts to a specialist organisation. One of the most common examples of this relates to penetration testing.
All organisations must regularly test their systems for vulnerabilities that could be exploited by cyber criminals, but this task can’t be performed by just anyone. It requires penetration training expertise, so organisations will need to hire someone to do the job.
The second way you can share a risk is by purchasing cyber insurance. This won’t mitigate the likelihood of a breach, but it will lessen the damage. That’s because you’ll receive the necessary funds to respond appropriately – such as by enacting your business continuity plan or hiring forensic experts to investigate the breach.
4. Retain the risk
The final option is also the simplest: organisations can decide that preventative measures are more expensive or inconvenient than if the risk came to pass. As such, they will take no action to address it.
This will typically be the case when the threat will cause almost damage or it is so unlikely to occur that it’s not worth your time planning for.
The types of risks that can be retained will vary depending on the organisation, because what’s considered a minor threat to one business may be more significant to another.
Accelerate your risk assessment process
Completing a risk assessment in line with the requirements of ISO 27001 can seem daunting, so why not make the process easier with vsRisk Cloud, an online risk assessment that helps you get repeatable, consistent results year after year?
Its integrated risk, vulnerability and threat database eliminates the need to compile a list of risks, and the built-in controls helps you comply with multiple frameworks, including the GDPR (General Data Protection Regulation).