There is no room for half measures when conducting an ISO27001-compliant risk assessment

The international information security management standard, ISO 27001, lays out the requirements for developing, implementing and maintaining an information security management system, or ISMS.

A rapidly growing number of companies globally are now seeking certification to ISO 27001. In fact, ISO 27001 certification is one of the four fastest growing certifications in the world. This is largely because the Standard provides a practical solution to counter the increasingly sophisticated and varied range of threats facing information security today.

As ISO 27001 becomes further entrenched in the supply chain, clients continue to seek greater assurance from their suppliers, who will look to continuously improve the quality of their ISMS, as well as the accuracy of their risk assessments.

The risk assessment sits at the core of ISO 27001, and supports the continual improvement of the ISMS, a key requirement for ISO 27001 certification.

Those attempting to conduct a risk assessment for the first time can find it quite a complex task.  One of the tricky elements is to identify the full extent of risks (or threats and vulnerabilities) that the ISMS is exposed to, while also pre-empting any potential future risks, such as an organisational decision to move its data to the Cloud in the near future.

Subsequent to risk identification, the development and implementation of suitable responses to either treat, tolerate, terminate or transfer those risks, using a range of controls, is another task that involves some complexity.  Although ISO 27001 no longer mandates which controls to select for the risk assessment, it does provide a set of recommended controls in Annex A that serves as a checklist (once the organisation’s legal, regulatory and contractual commitments have been applied) to ensure that no control has been overlooked.

Companies that hope to stay one step ahead of their competitors without achieving accredited certification to ISO 27001 may want to reconsider their stance.

Information security experts Steve Watkins and Alan Calder provide the following advice: “While there are many recognised – and valid – approaches to risk assessment, an organisation that wishes to achieve ISO 27001 certification must meet the requirements set out in the Standard itself. There is no room for half measures: either a risk assessment methodology is in line with the requirements of ISO 27001, in which case accredited certification is within reach, or it is not, in which case accredited certification is not going to happen.” (Extract from the book Information Security Risk Management for ISO27001/ISO27002, currently being rewritten to align with ISO 27001:2013.)

vsRisk provides the complete solution for automating the information security risk assessment, in line with ISO 27001.

Leave a Reply

Your email address will not be published. Required fields are marked *