If you’re undertaking an ISMS (information security management system) implementation project in line with the information security management standard ISO 27001, you’ll know that you need to carry out a risk assessment to determine which security controls to implement.
Section 6.1.2 sets out what you need to do. The information security risk assessment process must:
- establish and maintain certain information security risk criteria
- ensure that repeated risk assessments “produce consistent, valid and comparable results”
- “identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system” and identify the owners of those risks
- analyse and evaluate information security risks, according to certain criteria.
Most importantly, the organisation must “retain documented information about the information security risk assessment process” so that it can demonstrate that it complies with these requirements.
It will also need to follow a number of steps – and create relevant documentation – as part of its information security risk treatment process.
(Remember that ISO 27001 is a specification, not a code of practice, so these steps must be followed for a chance of passing a certification audit.)
How can the risk assessment process be simplified?
The best way of simplifying the process is to use a tool to do most of the hard work for you. Vigilant Software’s risk assessment tool, vsRisk™, helps risk assessors deliver repeatable, consistent assessments year after year.
Its pre-populated asset library assigns organisational roles to each asset group, and applies relevant potential threats and risks by default. Moreover, its integrated risk, vulnerability and threat databases eliminate the need to compile a list of potential risks, and the built-in control sets help you comply with multiple frameworks.
vsRisk includes:
- A sample risk assessment
- Seven control sets:
  - ISO/IEC 27001 (both 2005 and 2013)
  - PCI DSS v3
  - NIST SP 800-53
  - Cloud Controls Matrix
  - ISO/IEC 27032
  - Cyber Essentials
- A database of threats, vulnerabilities and risks
- Six exportable and audit-ready reports:
  - Statement of Applicability
  - Risk Treatment Plan
  - Comments report
  - Risk summary report
  - Risk assessment report
  - Control usage report
With vsRisk you can:
- View the ISO 27001 controls that require documentation
- Upload documents to link and track controls
- Customise risk acceptance criteria and risk calculation formula
- Map controls between different standards and frameworks
- Add additional assets, risks and controls
- Create customised views: risks, owners, assets and groups
- Choose from four risk responses: treat, tolerate, transfer or terminate