Clause 6 of ISO 27001 is one of the most important aspects for compliance, as it covers the actions you must take to address information security risks.
Everything else you do to meet the Standard’s requirements informs or revolves around the steps you take here. Mistakes at this stage could mean that the controls you implement will be misguided, leaving security gaps that undermine your information security.
Clause 6.1.1: Planning
The first part of the process involves laying out the groundwork. You need to ensure that the ISMS (information security management system) can achieve its intended outcomes (which should be defined as part of your work conforming with Clause 4), while also preventing or reducing undesired side effects.
You should also use this opportunity to make sure that you’re able to continually improve the ISMS through regular reviews. You can do this by documenting the process for identifying, assessing and treating risks.
Clause 6.1.2: Risk assessment
The next step is to define and apply your risk assessment methodology. According to Clause 6.1.2 of the Standard, the risk assessment must:
- Establish and maintain certain information security risk criteria;
- Ensure that repeated risk assessments “produce consistent, valid and comparable results”;
- “Identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system”;
- Identify the owners of those risks; and
- Analyse and evaluate information security risks according to certain criteria.
Organisations must also “retain documented information about the information security risk assessment process”, both so they can demonstrate that they comply with these requirements and so they can ensure the process is followed consistently and correctly.
You can learn about the ins and outs of this process by downloading our free guide: 5 critical steps to successful ISO 27001 risk assessments.
It explains how to determine the impact and likelihood of risks, as well as how to identify and analyse them.
Clause 6.1.3: Risk treatment
Risk treatment is simply the way you choose to address each identified risk. While there are a number of ways you might do this, they usually boil down to one of the following:
- Terminating the risk by changing your processes to stop the risky behaviour.
- Treating the risk by applying a security control to minimise the likelihood of it occurring or the impact it will have.
- Transferring the risk by purchasing cyber insurance or outsourcing the process, for example.
- Tolerating the risk if the problem isn’t serious enough to justify using resources to tackle it or the process cannot be avoided.
As part of this process, you should also complete an SoA (Statement of Applicability), in which you list the information security controls that you’ve selected to treat the identified risks and justify the exclusion of any controls that you have not selected.
Another mandatory document is the RTP (risk treatment plan), which provides a summary of each identified risk, the response that has been designed for it, the party responsible for it and the target date for applying the risk treatment.
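Read together, Clauses 6.1.2 and 6.1.3 describe a small data model and a set of consistency rules: fixed risk criteria, a named owner per risk, an acceptance threshold, one of four treatment options, and two documents (RTP and SoA) derived from the register. The Python script below is an added illustration of that model; it is not part of this article or of vsRisk. It assumes five-point likelihood and impact scales, a multiplicative score, an acceptance threshold of 6 and a three-control catalogue, all of which are constructed for the example.

```python
"""Minimal ISO 27001 Clause 6 risk register: fixed criteria, scoring,
treatment decisions, and RTP / SoA summaries. Illustrative only; every
scale, threshold, risk and control name below is constructed."""
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Optional

# Risk criteria (Clause 6.1.2): fixed ordinal scales so that repeated
# assessments produce consistent, comparable scores. Values are assumptions.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ACCEPTANCE_THRESHOLD = 6   # scores above this must be treated (hypothetical criterion)
CIA = ("confidentiality", "integrity", "availability")


class Treatment(Enum):     # the four options listed under Clause 6.1.3
    TERMINATE = "terminate"
    TREAT = "treat"
    TRANSFER = "transfer"
    TOLERATE = "tolerate"


@dataclass
class Risk:
    ref: str
    description: str
    affects: tuple          # which of C, I, A would be lost
    owner: str              # Clause 6.1.2 requires a named risk owner
    likelihood: str
    impact: str
    treatment: Optional[Treatment] = None
    controls: list = field(default_factory=list)   # control refs applied
    target_date: Optional[date] = None

    def __post_init__(self):
        # Reject entries outside the agreed criteria so every assessment
        # uses the same vocabulary and the results stay comparable.
        if not self.owner.strip():
            raise ValueError(f"{self.ref}: risk owner is mandatory")
        if not self.affects or any(p not in CIA for p in self.affects):
            raise ValueError(f"{self.ref}: must name the lost C/I/A properties")
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError(f"{self.ref}: likelihood/impact outside agreed scales")

    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def acceptable(self) -> bool:
        return self.score() <= ACCEPTANCE_THRESHOLD


def apply_treatment(risk, treatment, controls=(), target_date=None):
    """Record a treatment decision, enforcing the rules implied by the text."""
    if treatment is Treatment.TOLERATE and not risk.acceptable():
        raise ValueError(f"{risk.ref}: score {risk.score()} exceeds acceptance criteria")
    if treatment is Treatment.TREAT and not controls:
        raise ValueError(f"{risk.ref}: 'treat' needs at least one control")
    if treatment is not Treatment.TOLERATE and target_date is None:
        raise ValueError(f"{risk.ref}: a target date is required")
    risk.treatment, risk.controls, risk.target_date = treatment, list(controls), target_date
    return risk


def risk_treatment_plan(risks):
    """RTP rows: risk, designed response, responsible party, target date."""
    return [{"ref": r.ref, "score": r.score(),
             "response": r.treatment.value if r.treatment else "UNDECIDED",
             "controls": list(r.controls), "owner": r.owner,
             "target_date": r.target_date.isoformat() if r.target_date else None}
            for r in risks]


def statement_of_applicability(risks, catalogue, exclusions):
    """SoA rows: every catalogue control, selected or not, with a justification.
    A control neither selected by a risk nor explicitly excluded is flagged
    rather than silently omitted."""
    selected = {c: [] for c in catalogue}
    for r in risks:
        for c in r.controls:
            if c not in selected:
                raise ValueError(f"{r.ref}: control {c} is not in the catalogue")
            selected[c].append(r.ref)
    return [{"control": ref, "name": name, "applicable": bool(selected[ref]),
             "justification": ("treats " + ", ".join(selected[ref])) if selected[ref]
             else exclusions.get(ref, "MISSING JUSTIFICATION")}
            for ref, name in catalogue.items()]


# Constructed sample register and control catalogue (not real findings).
CATALOGUE = {"C-01": "Endpoint encryption", "C-02": "Tested backups",
             "C-03": "Physical entry controls"}
EXCLUSIONS = {"C-03": "no premises in scope; all services are hosted"}


def sample_register():
    r1 = Risk("R-01", "Laptop lost with unencrypted customer data",
              ("confidentiality",), "Head of IT", "possible", "major")
    r2 = Risk("R-02", "Database server failure with no restore capability",
              ("availability", "integrity"), "Ops Manager", "unlikely", "severe")
    r3 = Risk("R-03", "Stale brochure left on the public website",
              ("integrity",), "Marketing Lead", "likely", "negligible")
    apply_treatment(r1, Treatment.TREAT, ["C-01"], date(2025, 6, 30))
    apply_treatment(r2, Treatment.TREAT, ["C-02"], date(2025, 3, 31))
    apply_treatment(r3, Treatment.TOLERATE)   # score 4 is within the threshold
    return [r1, r2, r3]


if __name__ == "__main__":
    for row in risk_treatment_plan(sample_register()):
        print(row)
```

The point of the validation in `Risk.__post_init__` and `apply_treatment` is the Standard's requirement that repeated assessments "produce consistent, valid and comparable results": an assessor cannot score outside the agreed scales, leave a risk without an owner, tolerate a risk above the acceptance criterion, or claim to treat a risk without naming a control, and the SoA makes any unjustified control exclusion visible.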
Risk management made easy
ISO 27001’s risk management process can seem daunting, and that’s why Vigilant Software is here to help.
Our all-in-one risk management platform vsRisk delivers simple, fast and accurate risk assessments, and helps you produce supporting documentation, such as the risk treatment plan and Statement of Applicability.
With vsRisk, you don’t need to spend time developing a risk assessment methodology or on costly trial and error: you can immediately get to work on the assessment.
Save time maintaining your risk assessment with vsRisk. Its robust methodology means that risk reviews and further risk assessments can be performed quickly, consistently and cost-effectively.