ISO 27001 is the most popular information security standard worldwide, and organisations that have achieved compliance with the Standard can use it to prove that they are serious about the information they handle and use.
ISO 27001 is the globally accepted standard that offers clients the assurance that the organisation is managing the confidentiality, integrity and availability of information.
One of the cornerstones of implementing an ISO 27001-compliant ISMS (information security management system) is conducting an effective information security risk assessment.
In order to mitigate the risks to your organisation’s information assets, the assessor will usually need to take the following broad steps:
- Identify the various information assets that could be jeopardised.
- Consider the threats that could compromise those assets.
- Assess the vulnerabilities in the organisation that could compound those threats.
- Establish the likelihood and impact of such risks coming to pass.
- Estimate the damage that such threats could bring about.
Once this part of the risk assessment has been completed, the next critical element is to identify and select the relevant controls from Annex A of ISO 27001:2013 (or elsewhere), to ensure that each of the risks has been treated effectively.
The organisation may choose to treat, tolerate, transfer or terminate the risk, based on the company’s risk appetite and the total estimation of the risk.
There are, of course, a number of other things to consider throughout the process, such as the organisation’s risk appetite, the risk assessment criteria to use, the risk calculation formula, and any additional sets of controls to apply.
The easiest way to get this done is by using a pre-populated risk assessment template.
With a template, there is no need to compile extensive lists of assets, no need to find a library of threats and vulnerabilities (or risks), no need to wonder which threats could affect which assets, and no need to work out which controls would apply to which risks. With vsRisk™, all of this has already been done for you.
With vsRisk, you can copy, edit and replicate a built-in risk assessment template, populated with the following:
- A library of assets, pre-assigned to organisational roles that typically manage those assets;
- Pre-selected threats and vulnerabilities (risks), applied to each asset group;
- The relevant ISO 27001:2013 controls pre-applied to each risk.
In addition, vsRisk offers a host of other powerful features, including six customisable and editable reports, among them the essential Statement of Applicability (SoA) and Risk Treatment Plan – two reports that are crucial for an ISO 27001 audit. You can also purchase a built-in ISO 27001 documentation toolkit, which allows you to upload the relevant documentation straight from vsRisk to demonstrate how each control has been implemented.
It can’t get any simpler, faster and more comprehensive than that.
Alternatively, schedule an appointment for a live walkthrough of vsRisk with one of our customer support team members.