Clause 6 of ISO 27001 covers the actions that organisations must take to address information security risks.
It’s one of the most important parts of the Standard, because everything else you do to meet the Standard’s requirements informs or revolves around this step. Asset identification, the risk assessment and risk treatment all culminate with the actions you take to mitigate risks.
Mistakes at this stage could mean that the controls you implement will be misguided, leaving security gaps that undermine your information security.
To ensure you manage risks properly, you must carefully follow each of Clause 6’s subclauses.
Clause 6.1.1: Planning
The first section of Clause 6 lays out the groundwork for your activities. You must ensure that the ISMS (information security management system) can achieve its intended outcomes (which should be defined as part of your work conforming with Clause 4), while also preventing or reducing undesired side effects.
You should also use this opportunity to make sure that you’re able to continually improve the ISMS through regular reviews. You can do this by documenting the process for identifying, assessing and treating risks.
Clause 6.1.2: Risk assessment
The next step is to define and apply your risk assessment methodology. According to Clause 6.1.2 of the Standard, the risk assessment must:
- Establish and maintain certain information security risk criteria;
- Ensure that repeated risk assessments “produce consistent, valid and comparable results”;
- “Identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system”;
- Identify the owners of those risks; and
- Analyse and evaluate information security risks according to certain criteria.
Organisations must also “retain documented information about the information security risk assessment process”, both so they can demonstrate that they comply with these requirements and so they can ensure the process is followed consistently and correctly.
Learn about the ins and outs of this process by downloading ISO 27001 Risk Assessments: Five steps to success.
This free guide explains how to determine the optimum risk scale so that you can determine the impact and likelihood of risks.
You’ll also learn how to systematically identify, evaluate and analyse risks, as well as gaining an insight into your baseline security criteria.
Clause 6.1.3: Risk treatment
Risk treatment is the way you choose to address each identified risk. While there are several ways you might do this, your options will always be one of the following:
- Terminate the risk by changing your processes to stop the risky behaviour.
- Treat the risk by applying a security control to minimise the likelihood of it occurring or the impact it will have.
- Transfer the risk by purchasing cyber insurance or outsourcing the process, for example.
- Tolerate the risk if the problem isn’t serious enough to justify using resources to tackle it or the process cannot be avoided.
As part of this process, you should also complete an SoA (Statement of Applicability), in which you list the information security controls that you’ve selected to treat identified risks and explain why any controls that have been omitted were not selected.
Another mandatory report is the RTP (risk treatment plan), which provides a summary of each of the identified risks, the responses that have been designed for each risk, the parties responsible for those risks and the target date for applying the risk treatment.
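As an added illustration (not from the original post, and not vsRisk or any other product), here is a small Python risk register that applies the points above: each risk names the property (confidentiality, integrity or availability) at stake and a risk owner, is scored on a constructed 1-5 likelihood and impact scale against an assumed acceptance criterion, is given one of the four treatment options, is checked against a Statement of Applicability, and is turned into risk treatment plan rows. The scale, threshold, control ids and sample risks are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date
CIA = ("confidentiality", "integrity", "availability")
TREATMENTS = ("terminate", "treat", "transfer", "tolerate")
ACCEPTABLE = 6  # constructed acceptance criterion on a 1-5 x 1-5 scale

@dataclass
class Risk:
    risk_id: str
    loss_of: str             # which of C/I/A would be lost
    owner: str               # risk owner (required by 6.1.2)
    likelihood: int          # 1-5, constructed scale
    impact: int              # 1-5, constructed scale
    treatment: str           # one of TREATMENTS
    controls: list = field(default_factory=list)  # control ids from the SoA
    target_date: "date | None" = None             # RTP target date
    def score(self) -> int:
        return self.likelihood * self.impact

def validate(risks, soa):
    """soa maps control id -> (applicable, justification). Returns findings."""
    findings = []
    for ctrl, (_, why) in soa.items():  # every SoA entry needs a reason
        if not why:
            findings.append(f"SoA {ctrl}: no justification for inclusion/exclusion")
    for r in risks:
        if r.loss_of not in CIA or r.treatment not in TREATMENTS:
            findings.append(f"{r.risk_id}: invalid property or treatment")
            continue
        if not r.owner:
            findings.append(f"{r.risk_id}: no risk owner")
        if r.treatment == "tolerate" and r.score() > ACCEPTABLE:
            findings.append(f"{r.risk_id}: score {r.score()} exceeds acceptance criterion")
        for c in r.controls:  # a selected control must be applicable in the SoA
            if not soa.get(c, (False, ""))[0]:
                findings.append(f"{r.risk_id}: control {c} not applicable in SoA")
        if r.treatment != "tolerate" and r.target_date is None:
            findings.append(f"{r.risk_id}: no target date in RTP")
    return findings

def risk_treatment_plan(risks):  # RTP rows: risk, response, owner, target date
    return [{"risk": r.risk_id, "response": r.treatment, "controls": r.controls,
             "owner": r.owner, "target_date": r.target_date}
            for r in risks if r.treatment != "tolerate"]

# Constructed sample register and SoA (control ids are placeholders).
SOA = {"CTRL-A": (True, "mitigates R1"), "CTRL-B": (False, "")}
RISKS = [Risk("R1", "confidentiality", "CISO", 4, 4, "treat", ["CTRL-A"], date(2024, 6, 30)),
         Risk("R2", "availability", "", 3, 3, "tolerate"),
         Risk("R3", "integrity", "IT Ops", 2, 2, "treat", ["CTRL-B"])]
```

Running `validate(RISKS, SOA)` on the sample data reports the missing SoA justification, the ownerless tolerated risk that exceeds the acceptance criterion, and the treated risk whose control is not applicable and which has no target date.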
Risk management made easy
Find out how you can simplify risk management with our all-in-one risk management platform vsRisk.
It delivers simple, fast and accurate risk assessments, and helps you produce supporting documentation, such as the risk treatment plan and Statement of Applicability.
With vsRisk, you don’t need to spend time developing a risk assessment methodology or on costly trial and error: you can immediately get to work on the assessment.
Save time maintaining your risk assessment with vsRisk. Its robust methodology means that risk reviews and further risk assessments can be performed quickly, consistently and cost-effectively.
A version of this blog was originally published on 22 January 2020.