For all the attention that organisations pay to their ISO 27001 risk assessment, it’s worth remembering that there’s an additional step afterwards – risk treatment.
This is where you take the risks that you’ve identified and decide how to deal with them. There are several available options, and the appropriate one will depend on the probability of the risk occurring and the damage it will cause.
In this blog, we take a closer look at each risk treatment option and the scenarios where they might apply.
What are the ISO 27001 risk treatment controls?
There are four ways organisations can treat risks:
- Decrease the risk
Decreasing the risk means you are making it either less likely to occur or less damaging when it does occur.
Organisations do this by applying relevant controls from Annex A of ISO 27001 (or elsewhere, if they are applicable).
For example, if an organisation’s servers are in the basement and the risk assessment team are worried about water damage, they may recommend moving the servers to another part of the building.
Alternatively, they could suggest making infrastructural repairs to the basement to better protect it from leaks.
Another possibility is to create backup servers should the primary ones fail. Unlike the other controls we’ve outlined, this doesn’t decrease the possibility of the threat occurring but it does mitigate the potential damage.
In this scenario, the organisation may decide to implement multiple controls tackling both likelihood and damage depending on whether it deems the risk high-priority.
- Avoid the risk
This is the most severe of the four risk treatment options, and requires organisations to stop performing any tasks or processes that pose a risk.
It applies when risks are too significant to be mitigated by any other available option, or if ceasing the activity won’t cause a substantial problem.
For example, if an organisation is worried about employees breaching sensitive information stored on laptops while off premises, it may decide to simply not offer laptops to employees.
This is an acceptable solution if your employees are office-based and aren’t required to work on the go, but it should be avoided if the ban on laptops disrupts employees’ productivity.
One way to ease the disruption caused by avoiding risks is to replace the task or process with another, less risky option.
In this example, you may implement or extend your use of the Cloud, which would mean employees aren’t limited to one desktop computer – an option that would be appealing to organisations that hot desk.
- Share the risk
This option means you transfer the risk – either partly or wholly – to another party.
Often, this means purchasing an insurance policy that protects you from a range of threats, such as fires and natural weather events. You may also buy a dedicated cyber insurance policy to protect you from data breaches and other security incidents.
Although sharing the risk gives you financial assurances related to cyber threats, it doesn’t have a direct effect on the risk itself.
In other words, the threat is just as likely to occur and will still cause damage, even if you will get support in dealing with it.
As such, sharing the risk shouldn’t be considered an adequate control on its own, and in fact insurance companies will probably require you to demonstrate that you’re taking other steps to control the risk.
- Retain the risk
The final risk treatment option, retaining the risk, means that you accept the risk without doing anything to address it.
It applies to risks that will cost more in time and resources to address than if they occurred. This will be the case if you are confident that the risk won’t materialise or if it won’t cause meaningful damage.
Retaining the risk is generally the least desirable control, because there is normally something you can do about it, even if will have a limited effect.
Risk treatment support from Vigilant Software
Those looking for help completing the risk assessment and risk treatment process should take a look at our software package vsRisk.
Fully aligned with ISO 27001, vsRisk can generate six audit-ready reports, including the risk treatment plan and the Statement of Applicability.
It is proven to simplify and speed up the risk assessment process, providing you everything you need to deliver repeatable, consistent assessments year after year.