ISO/IEC 27001 is an international set of standards that provide the requirements to set up an Information Security Management System (ISMS). Implementing ISO 27001 enables organizations to better manage and secure their information assets, including intellectual property, financials, employee details, customer data, and information entrusted by third parties.
Furthermore, companies can prove that they are less vulnerable to IT security incidents or data breaches by achieving ISO compliance. This designation can boost their reputation for trustworthiness and lower the probability of financial damages that may result from a cybersecurity incident.
An ISO 27001 risk assessment procedure sets a strong foundation for implementing an ISMS and achieving information security across the enterprise. A robust risk assessment process can help you evaluate your information security risks, prioritize them by the probability of occurrence and potential impact, and find the most appropriate ways to minimize or mitigate them.
This article outlines the main steps of the ISO 27001 risk assessment procedure to help you set up your ISMS and achieve ISO 27001 compliance with minimal friction or hassle.
ISO 27001 Risk Assessment Procedure: 7 Key Steps
Define the Methodology
There is no standardized risk assessment methodology for ISO 27001, so you need to define your own methods.
To start, review your organization’s unique profile by understanding:
- The primary information security objectives you aim to achieve with ISO 27001
- Your business, legal, and compliance obligations
- The overall business goals and objectives
- Stakeholders’ expectations and needs
Determine whether you will use a quantitative or qualitative approach to assess risk. A qualitative assessment is subjective: it focuses on identifying risks and estimating their likelihood of occurrence and potential impact. A quantitative approach uses verifiable data to analyze the effects of identified risks. Use the method most relevant to your information security goals.
Also, identify the rules and risk scales for assessment, risk criteria, risk measurement method, acceptable levels of risk, risk acceptance criteria, etc. All this information should guide your risk assessment methodology.
Create an Asset Inventory
You can perform a risk assessment for ISO 27001 in one of two ways:
- Asset-based: Focuses on assets, i.e., the risk to information
- Scenario-based: Focuses on the circumstances that may result in a data breach
In a scenario-based risk assessment, participants find it easier to identify risk situations, which often speeds up the risk identification process. However, the drawback is that they often miss some elements that may create risk. As a result, the risk identification is incomplete and produces a false – and dangerous – sense of safety.
With the asset-based approach, it usually takes longer to identify relevant risks. However, it yields a more complete view of risk posture, so you might want to consider this method.
Start by compiling your asset inventory. This should include all your:
- Information databases
- Removable devices
- Mobile devices
- Intellectual property
To compile the list, check with all asset owners, i.e., the individuals or entities responsible for controlling the use, maintenance, and security of assets.
Identify Potential Vulnerabilities and Threats
Once you have the asset register, start analyzing the risk to each asset. Identify potential vulnerabilities, i.e., weaknesses that a threat may exploit. For example, a bug or security vulnerability in software or an operating system can expose your organization to attackers who could infiltrate and compromise your assets or steal your data.
Determine Risk Impact
After identifying vulnerabilities and threats, analyze the risks associated with them. Not all risks are equally serious, so you might not want to implement measures or controls to mitigate, eliminate, or prevent each risk.
That’s why it’s crucial to score risks based on the likelihood or probability of occurrence and the damage they can potentially cause. Create a risk assessment matrix based on these factors to compare risks against your risk appetite and identify and prioritize risks requiring action.
Examine how the confidentiality, integrity, and availability of data (the “CIA triad”) could be affected by each risk. Also, consider the different implications of each risk, including business, legal, contractual, and regulatory implications. To get going, ask:
- What might be the cost of replacing a compromised asset?
- What is the potential for financial loss (lost income, fines, etc.)?
- Could a security incident damage our reputation?
Create a Risk Treatment/Risk Management Plan
Now determine how you will treat each identified risk. There are several options to choose from:
Avoid the risk: Take action against the circumstances that are causing it
- E.g., Patch all software to eliminate exploitable vulnerabilities
Modify the risk: Apply security controls to reduce the probability of occurrence and reduce the potential for damage
- E.g., Implement a firewall or endpoint detection and response solution
Transfer the risk: Share the risk with a third party
- E.g., Buy cybersecurity insurance
Retain the risk: Accept the risk if it falls within established risk acceptance criteria or if the cost of mitigating it would be higher than the potential for damage
According to ISO 27001, you must identify a risk owner for every risk. The risk owner is responsible for approving any risk mitigation plans and for accepting the level of residual risk.
As part of the mitigation plan, implement controls as outlined in Annex A of ISO 27001. For example, Annex A.12.2 requires defenses to mitigate the risk of malware infection. Similarly, A.13.1 concerns protecting the confidentiality, integrity, and availability of information in networks.
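As an added illustration (not from the article or from any ISO document) of the scoring matrix in the Determine Risk Impact step and the four treatment options above: a small Python risk register where likelihood and impact use a constructed 1-5 scale, the risk appetite threshold is an assumed value, and review() flags the gaps an auditor would look for (missing risk owner, risk retained above appetite without cost justification).

```python
from dataclasses import dataclass

# Constructed 1-5 scales and appetite; ISO 27001 leaves these to your own methodology.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
RISK_APPETITE = 6          # scores at or below this fall within the acceptance criteria
TREATMENTS = {"avoid", "modify", "transfer", "retain"}

@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: str
    impact: str
    treatment: str
    owner: str = ""                 # ISO 27001 requires a named risk owner
    mitigation_cost: float = 0.0    # constructed cost estimate of the proposed control
    expected_loss: float = 0.0      # constructed damage estimate if the risk materialises

def score(r: Risk) -> int:
    """Risk-matrix cell: likelihood rating multiplied by impact rating."""
    return LIKELIHOOD[r.likelihood] * IMPACT[r.impact]

def prioritize(register: list) -> list:
    """Risks above the appetite, highest score first, for the treatment plan."""
    return sorted((r for r in register if score(r) > RISK_APPETITE), key=score, reverse=True)

def review(register: list) -> list:
    """Checks an auditor would make against the register; returns findings as text."""
    findings = []
    for r in register:
        label = f"{r.asset} / {r.threat}"
        if r.treatment not in TREATMENTS:
            findings.append(f"{label}: unknown treatment '{r.treatment}'")
        if not r.owner:
            findings.append(f"{label}: no risk owner assigned")
        # Retaining is only justified within appetite or when the control costs more than the loss
        if (r.treatment == "retain" and score(r) > RISK_APPETITE
                and r.mitigation_cost <= r.expected_loss):
            findings.append(f"{label}: retained above appetite without cost justification")
    return findings

# Constructed register covering the asset types listed earlier in the article
REGISTER = [
    Risk("customer database", "unpatched server software", "likely", "severe", "avoid", "IT lead", 5000, 250000),
    Risk("removable devices", "lost unencrypted USB drive", "possible", "major", "modify", "Ops manager", 2000, 40000),
    Risk("mobile devices", "theft of a managed phone", "possible", "minor", "retain", "Ops manager", 8000, 3000),
    Risk("intellectual property", "ransomware on file shares", "unlikely", "severe", "transfer", "", 30000, 120000),
    Risk("HR records", "insider misuse", "possible", "moderate", "retain", "HR lead", 1500, 20000),
]
```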
Compile Risk Assessment Reports
For audit and certification, you must prepare reports about your findings and implement a plan of action.
Prepare the following reports:
Statement of Applicability
- The SoA documents the ISO 27001 controls that you will implement to tackle the identified risks
- Each control should have its own entry
- Explain why any controls have been omitted
Risk Treatment Plan
- The RTP provides a summary of each identified risk, proposed actions to deal with each risk, and the parties responsible
Statement of Applicability
- List all the controls you have implemented and why
- It will be used by the certification auditor as a guideline
Implement Risk Mitigation, Monitoring, and Control
The risk treatment plan should also include mitigation strategies, responsibilities, budget, timeframe, etc.
ISO 27001 mandates that you regularly review and update the ISMS implemented after the risk assessment. Look for ways to improve it to ensure that it is working as intended.
Should I Conduct an ISO 27001 Risk Assessment?
The ISO 27001 risk assessment provides a systematic way to evaluate your organization’s risks, understand how they may impact your information security, and implement an action plan to mitigate their impact.
ISO 27001 focuses on both risk assessment and treatment, so you can not only find out which incidents could harm your information security but also determine the most appropriate ways to avoid or deal with them.
Moreover, you can also assess the priority of each risk, so instead of wasting time, effort, or money on treating all risks, you can focus your efforts on the ones that are most serious. For all these reasons, an ISO 27001 risk assessment can be beneficial for your organization.
Whether or not you adopt ISO 27001 within your organization, risk assessments are not merely an audit exercise. A dynamic risk assessment is a real-time process in which risks are addressed as they are identified. These risks are also documented for proper tracking and control. Monitoring risk is everyone’s responsibility on a daily basis.
ZenGRC Helps Businesses with Risk Assessments
If you need help with ISO 27001 risk assessments, Reciprocity and ZenGRC can help. With advanced visibility into control environments, easy audit environments, and easy access to information for program evaluation, ZenGRC is a fast, prescriptive solution for information security risk assessments and compliance.
Quickly assess and determine the acceptability of risk controls, get real-time control status, and compile evidence for auditors. With ZenGRC, you can streamline your InfoSec risk and compliance program with ease.