Risk assessments are at the heart of organisation’s information security practices, as they help identify relevant threats and the most appropriate way of dealing with them.
But what should the process look like? ISO 27001, the international standard for information security, has the answers.
ISO 27001 risk assessments
Clause 6 of ISO 27001 provides comprehensive guidance on how to complete an information security risk assessment, breaking the process into five steps:
- Establish a risk management framework
There’s no set framework that you should use for completing a risk assessment, but there are certain issues that you must address. These are your baseline security criteria, risk scale, risk appetite and whether you’re determining risks based on certain scenarios or taking each asset on its own merits.
Addressing these issues ensures that the risk assessment is tailored to your organisation. Every organisation faces its own threats and has its own priorities, and it’s only be determining how risks will affect you that you can be sure that the risk assessment will give you the answers you need.
- Identify risks
The next step is to determine all the ways that sensitive data could be breached.
If you’ve opted for a scenario-based risk assessment, you’ll start by creating a list of ways that security incidents might occur and then follow the damage through your organisation, highlighting vulnerable parts of your organisations.
An asset-based risk assessment takes the opposite approach. You begin with a list of assets – such as digital files, databases and physical documents – and outline all the ways they could be compromised.
- Analyse risks
This part of the process involves breaking the threats you’ve found into specific details. For example, if the threat is ‘theft of a mobile device’, then the vulnerability is ‘lack of a formal policy on mobile devices’.
- Evaluate risks
Now it’s time to assess how significant each risk is, which you can do by assigning a score to how likely the risk is to occur and the amount of damage it will cause.
The reason for doing this is to determine the risks you should prioritise and those that aren’t significant enough to address. After all, if a threat is unlikely to occur and won’t cause much damage, then there’s little point investing resources to tackle the threat.
- Select risk treatment options
There are several ways you can treat a risk:
- Terminate the the risk by eliminating it entirely
- Treat the risk by implementing measures to mitigate the risk
- Transfer the risk to a third party (by outsourcing it or purchasing cyber insurance, for example)
- Tolerate the risk (if it falls within an acceptable risk level)
Where to get started
Do you want to simplify the risk assessment process? Our vsRisk Cloud software provides a simple and fast way to identify relevant threats and deliver repeatable, consistent assessments year after year.
Its asset library assigns organisational roles to each asset group, applying relevant potential threats and risks by default.
Additionally, its integrated risk, vulnerability and threat databases eliminate the need to compile a list of risks, and the built-in control sets help you comply with multiple frameworks.
A version of this blog was originally published on 11 April 2019.