How to survive an ISO 27001 risk assessment

The ISO 27001 standard is increasingly seen as the benchmark for information security management. It’s also the only standard that takes an integrated approach to information security by addressing people, processes and technology, which is why it is now accepted in most countries as a de facto framework for information security implementation.

Recently, NIST cited ISO/IEC 27001 as an important standard within its National Cybersecurity Framework, making it even more important for companies with American interests and US-based businesses that are responsible for the protection of critical infrastructure.

Rolling out ISO 27001 requires a company to undertake information security risk assessments. This is to ensure that the information security controls being implemented are appropriate for the type of information that is being stored, processed or transmitted.

The current best-practice approach for undertaking an information security risk assessment includes the following:

1. Establish a risk assessment framework

The framework defines aspects such as your organisation’s risk appetite and culture, the risk scales you plan to use, and the methodology you plan to follow when assessing information security risks.


2. Identify the risks

This is probably the most difficult and time-consuming part of the process. Those following an asset-based risk assessment may find it faster to work down an asset register, identifying as they go all the risks that may affect each information asset. It also helps to have access to a library of threats and vulnerabilities (risks) that may affect your organisation.


3. Analyse and evaluate the risks

Analysing and evaluating the risks involves a process of assigning specific values to determine the likelihood and organisational impact of the different risks, and to establish how these fit in with your risk acceptance threshold. You should be able to determine which of the risks are high priorities requiring urgent action, and which are at an acceptable level.


4. Select the risk treatment options (controls)

Once you have determined the risks, the next step is to determine whether you want to treat, tolerate, terminate or transfer the risk. Treating the risk is done by applying appropriate information security controls. It is useful if you have access to the ISO 27001:2013 controls – even more so if you can work from a template with built-in ISO 27001-compliant policies and procedures for each of the specified controls.


5. Review, report and maintain

An important aspect of conducting a risk assessment for ISO 27001 compliance is, naturally, to produce a set of reports that show what your risks are, what is being done to treat them, the timescales for control implementation and several other actions. Two important documents required by ISO 27001 are the Statement of Applicability (SoA) and the risk treatment plan.
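The five steps above fit together as one small, repeatable model, so here is a worked example that walks a constructed asset register through them: fixed likelihood and impact scales and an acceptance threshold (step 1), a risk register built per asset (step 2), scoring and evaluation against the threshold (step 3), a treat/tolerate/terminate/transfer decision per risk (step 4), and the Statement of Applicability and risk treatment plan derived from those decisions (step 5). This is added example code, not code from the original post or from vsRisk; the scale sizes, thresholds, assets, risks, owners, timescales and the small subset of Annex A control names used as the catalogue are all assumptions made for the illustration.

```python
"""Worked example of a five-step ISO 27001 risk assessment.

Added illustration, not code from the original post or from vsRisk. Scales,
thresholds, assets, risks, owners, timescales and the control subset are
constructed assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

# Step 1: framework. Two 1..5 scales and the acceptance threshold (assumed values).
SCALE_MAX = 5
RISK_ACCEPTANCE_THRESHOLD = 6   # likelihood * impact at or below this is tolerated
HIGH_PRIORITY_THRESHOLD = 15    # above this requires urgent action


class Treatment(Enum):
    TREAT = "treat"            # apply controls to reduce the risk
    TOLERATE = "tolerate"      # accept: within the risk acceptance threshold
    TERMINATE = "terminate"    # stop the activity that creates the risk
    TRANSFER = "transfer"      # shift it, e.g. to an insurer or supplier


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    treatment: Optional[Treatment] = None   # None = let the method decide
    controls: list[str] = field(default_factory=list)
    owner: str = "unassigned"
    due: str = "TBD"

    def __post_init__(self) -> None:
        for v in (self.likelihood, self.impact):
            if not 1 <= v <= SCALE_MAX:
                raise ValueError(f"{v} is outside the 1..{SCALE_MAX} scale")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


# Step 3: analyse and evaluate each risk against the thresholds.
def evaluate(risk: Risk) -> str:
    if risk.score > HIGH_PRIORITY_THRESHOLD:
        return "high"
    if risk.score > RISK_ACCEPTANCE_THRESHOLD:
        return "medium"
    return "acceptable"


# Step 4: choose one of the four Ts; an explicit decision on the risk wins.
def select_treatment(risk: Risk) -> Treatment:
    if risk.treatment is not None:
        return risk.treatment
    return Treatment.TOLERATE if evaluate(risk) == "acceptable" else Treatment.TREAT


# Step 5: the two documents ISO 27001 requires.
def statement_of_applicability(risks: list[Risk], catalogue: dict[str, str]) -> dict[str, dict]:
    """Mark each catalogue control applicable or not, with the risks that justify it."""
    soa = {cid: {"name": name, "applicable": False, "justification": []}
           for cid, name in catalogue.items()}
    for r in risks:
        if select_treatment(r) is Treatment.TREAT:
            for cid in r.controls:
                soa[cid]["applicable"] = True
                soa[cid]["justification"].append(f"{r.asset}: {r.threat}")
    for entry in soa.values():
        if not entry["applicable"]:
            entry["justification"].append("no assessed risk requires this control")
    return soa


def risk_treatment_plan(risks: list[Risk]) -> list[dict]:
    """Risks needing action, highest score first, with treatment, owner and timescale."""
    plan = []
    for r in sorted(risks, key=lambda x: x.score, reverse=True):
        t = select_treatment(r)
        if t is Treatment.TOLERATE:
            continue   # within appetite: recorded in the register, no action needed
        plan.append({"asset": r.asset, "threat": r.threat, "score": r.score,
                     "level": evaluate(r), "treatment": t.value,
                     "controls": r.controls, "owner": r.owner, "due": r.due})
    return plan


# Illustrative subset of ISO 27001:2013 Annex A, used as the control catalogue.
CONTROLS = {
    "A.9.2.1": "User registration and de-registration",
    "A.10.1.1": "Policy on the use of cryptographic controls",
    "A.12.2.1": "Controls against malware",
    "A.12.3.1": "Information backup",
    "A.14.2.1": "Secure development policy",
}

# Step 2: constructed register from a walk down a small asset list.
RISK_REGISTER = [
    Risk("customer database", "ransomware", "no tested backups", 4, 5,
         controls=["A.12.3.1", "A.12.2.1"], owner="IT ops", due="Q1"),
    Risk("customer database", "ex-employee access", "accounts not removed on leaving", 3, 4,
         controls=["A.9.2.1"], owner="HR/IT", due="Q2"),
    Risk("laptops", "theft in transit", "disk unencrypted", 3, 4,
         controls=["A.10.1.1"], owner="IT ops", due="Q2"),
    Risk("office printer", "paper jam", "ageing hardware", 3, 1),
    Risk("legacy FTP server", "credential sniffing", "plaintext protocol", 4, 3,
         treatment=Treatment.TERMINATE, owner="IT ops", due="Q1"),
]

if __name__ == "__main__":
    for item in risk_treatment_plan(RISK_REGISTER):
        print(item)
    for cid, entry in statement_of_applicability(RISK_REGISTER, CONTROLS).items():
        print(cid, entry["applicable"], entry["justification"])
```

Two design points carry over from the text: the thresholds live in the framework, not in the individual risk, so a change of risk appetite re-evaluates the whole register consistently; and the Statement of Applicability is derived from the treatment decisions rather than written by hand, so every applicable control is traceable to the risk that justified it and every excluded control carries a justification for the auditor.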


Fortunately, vsRisk™ is the risk assessment software that will help you do all of the above – and more – at a price that won’t break the bank.

