ISO 27001 Information Security Risk Assessment
In this article I lay bare ISO 27001 Clause 6.1.2 Information Security Risk Assessment.
Using over two decades of experience on hundreds of ISO 27001 audits and ISO 27001 certifications I am going to show you what’s new, give you templates, show you examples and do a walkthrough.
In this ISO 27001 certification guide I show you exactly what changed in the ISO 27001:2022 update.
What is ISO 27001 Clause 6.1.2?
The ISO 27001 standard requires an organisation to establish and maintain information security risk assessment processes that include the risk acceptance and assessment criteria.
This clause is all about risk assessment. The ISO 27001 standard, for the purposes of ISO 27001 certification, wants you to define and implement a risk assessment process.
That risk assessment process has to set out risk criteria which are the parameters of your risk management.
Definition
ISO 27001 defines ISO 27001 Clause 6.1.2 as:
The organization shall define and apply an information security risk assessment process that:
a) establishes and maintains information security risk criteria that include:
- the risk acceptance criteria; and
- criteria for performing information security risk assessments
b) ensures that repeated information security risk assessments produce consistent, valid and comparable results
c) identifies the information security risks:
- apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system; and
- identify the risk owners
d) analyses the information security risks:
- assess the potential consequences that would result if the risks identified were to materialise;
- assess the realistic likelihood of the occurrence of the risks identified; and
- determine the levels of risk
e) evaluates the information security risks:
- compare the results of risk analysis with the risk criteria established; and
- prioritise the analysed risks for risk treatment.
The organisation shall retain documented information about the information security risk assessment process.
What are the ISO 27001:2022 Changes to Clause 6.1.2?
There are no changes to ISO 27001 Clause 6.1.2 in the 2022 update.
Implementation Guide
Risk acceptance criteria
You will set out what your risk acceptance criteria are. This is straightforward: it is a definition of the circumstances under which you will accept risks. The easiest way is to implement risk scoring and set a particular score at which you will accept risk. Of course, you will also have the ability to override this structured approach to risk acceptance. Usually this is done by allowing the Management Review Team or the Senior Management Team to accept risks.
Criteria for performing information security risk assessments
The circumstances in which you perform a risk assessment will be defined and documented. You will perform a complete risk assessment at least annually or when significant change occurs. In addition, risk assessments will form part of your supplier onboarding process, your change management processes and potentially other areas of your business.
Consistent Risk Assessment
Under the standard you are to ‘ensure that repeated information security risk assessments produce consistent, valid and comparable results;’. This is straightforward to do by writing and documenting your risk management process, implementing a risk register and having consistent and effective risk scoring. By ensuring the process is in place and can be easily followed, with strict definitions and scoring, the process will produce consistent results.
Risk Identification
Risk identification can often be confusing if you are not used to it. The usual tendency is to over-complicate matters. This leads to a complicated risk framework with a risk register overpopulated with risks, which can easily become unwieldy and unmanageable.
We must bear in mind that risk identification only applies to the in-scope products and services, that is, the products and services for which we are seeking ISO 27001 certification. There is a benefit to widening the risk management coverage, but the standard only applies to what is in scope.
In addition, we are only concerned for ISO 27001 certification with risks associated with the loss of confidentiality, integrity and availability for information.
Identify Risk Owners
Risk owners must be identified. It is expected that risks are assigned to individuals and not to teams. This ensures accountability and true ownership. It is acceptable to assign risk ownership to roles rather than named individuals but assigning them to teams should be avoided.
Analyse the information security risks
Once identified and assigned to owners, risks will be analysed:
- assess the potential consequences that would result if the risks identified in 6.1.2c) were to materialise
- assess the realistic likelihood of the occurrence of the risks identified in 6.1.2 c)
- determine the levels of risk
Evaluate the information security risks
Once the risks have been analysed, we evaluate them by comparing the results of the risk analysis with the risk criteria established and prioritising the analysed risks for risk treatment.
Implementation Checklist
Information Security Risk Assessment ISO 27001 Clause 6.1.2 Implementation Checklist
1. Establish the Scope of the Risk Assessment
Define the boundaries of the assessment, including assets, processes, and locations.
Challenge: Difficulty in defining clear and comprehensive boundaries. Overlooking critical assets or processes.
Solution: Involve key interested parties from all relevant areas. Use asset inventories and process maps to identify everything within scope. Regularly review and update the scope as needed.
2. Identify Information Assets
Catalog all information assets within the scope, including data, software, hardware, and physical resources.
Challenge: Difficulty in identifying all information assets, especially intangible ones. Lack of up-to-date asset inventory.
Solution: Conduct a thorough asset inventory. Categorise assets by sensitivity and importance. Use automated asset discovery tools. Establish a process for maintaining the asset inventory.
3. Identify Threats
Determine potential threats that could exploit vulnerabilities and harm information assets.
Challenge: Difficulty in identifying all potential threats, especially new and emerging ones. Lack of threat intelligence.
Solution: Conduct threat modelling exercises. Subscribe to threat intelligence feeds. Involve security experts. Regularly review threat landscape.
4. Identify Vulnerabilities
Identify weaknesses in the ISMS that could be exploited by threats.
Challenge: Difficulty in identifying all vulnerabilities, especially in complex systems. Lack of vulnerability scanning and penetration testing.
Solution: Conduct regular vulnerability scans and penetration tests. Perform security audits and code reviews. Implement a vulnerability management program.
5. Analyse the Likelihood of Threats
Estimate the probability of each threat occurring.
Challenge: Subjectivity in estimating likelihood. Lack of historical data.
Solution: Use a consistent likelihood scale. Gather historical data and expert opinions. Document the rationale behind likelihood estimations.
6. Analyse the Impact of Threats
Estimate the potential harm that could result from a successful threat exploit.
Challenge: Difficulty in quantifying the impact of different types of harm (e.g., financial loss, reputational damage).
Solution: Develop a consistent impact scale. Consider different types of impact (financial, operational, legal, reputational). Document the rationale behind impact estimations.
7. Evaluate Risks
Combine the likelihood and impact of threats to determine the level of risk for each identified vulnerability.
Challenge: Difficulty in prioritising risks with different likelihood and impact combinations.
Solution: Use a risk matrix or other risk assessment tool. Establish clear criteria for risk acceptance.
8. Document the Risk Assessment Results
Record the identified risks, their analysis, and assigned risk levels in a risk register or equivalent document.
Challenge: Difficulty in maintaining and updating the risk register. Lack of integration with other ISMS processes.
Solution: Use a centralised risk management system. Regularly review and update the risk register. Integrate the risk register with other ISMS processes.
9. Communicate the Risk Assessment Results
Communicate the risk assessment results to relevant interested parties.
Challenge: Difficulty in communicating complex technical information to non-technical audiences. Lack of interested parties engagement.
Solution: Tailor communication to the audience. Use visual aids and plain language. Actively solicit feedback from interested parties.
10. Review and Update the Risk Assessment
Regularly review and update the risk assessment to reflect changes in the threat landscape, vulnerabilities, and business environment.
Challenge: Difficulty in keeping the risk assessment up-to-date. Lack of resources for regular reviews.
Solution: Establish a schedule for regular risk assessment reviews. Assign responsibility for maintaining the risk assessment. Integrate risk assessment with other ISMS processes, such as change management and incident management.
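The implementation guide above (risk acceptance criteria by score with a management override, consistent scoring, individual or role ownership, analysis and evaluation) and checklist steps 5 to 8 describe one procedure. The following is an added worked example of that procedure, written for this article; it is not code from the original page or from any ISO 27001 tool. The 1 to 5 likelihood and impact scales, the acceptance threshold of 6, the sample risk entries, owner names and Management Review Team rationale are all constructed assumptions, and a real programme would define its own criteria and document them.

```python
"""ISO 27001 Clause 6.1.2 style risk scoring, acceptance and prioritisation.

Added worked example, not code from the original article or from any
ISO 27001 tooling. The scales, acceptance threshold, risk entries and
owner names below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Documented scales (constructed): fixed definitions are what make repeated
# assessments produce consistent, valid and comparable results (6.1.2 b).
LIKELIHOOD_SCALE = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT_SCALE = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}

# Risk acceptance criterion (constructed threshold): level = likelihood x impact,
# and any level at or below this score is accepted without treatment.
ACCEPT_AT_OR_BELOW = 6

SECURITY_PROPERTIES = ("confidentiality", "integrity", "availability")


@dataclass
class Risk:
    risk_id: str
    description: str
    property_affected: str  # which of C, I, A is lost if the risk materialises
    owner: str              # an individual or a role, never a team
    likelihood: int         # value on LIKELIHOOD_SCALE
    impact: int             # value on IMPACT_SCALE
    level: int = 0          # filled in by analyse()
    accepted: bool = False  # filled in by evaluate()
    acceptance_basis: str = ""


def owner_is_acceptable(owner: str) -> bool:
    """Ownership goes to a person or a role; anything named as a team is rejected."""
    return bool(owner.strip()) and "team" not in owner.lower().split()


def validate(risk: Risk) -> None:
    """Reject entries that do not use the documented criteria."""
    if risk.property_affected not in SECURITY_PROPERTIES:
        raise ValueError(f"{risk.risk_id}: property must be one of {SECURITY_PROPERTIES}")
    if risk.likelihood not in LIKELIHOOD_SCALE or risk.impact not in IMPACT_SCALE:
        raise ValueError(f"{risk.risk_id}: likelihood and impact must be on the documented 1-5 scales")
    if not owner_is_acceptable(risk.owner):
        raise ValueError(f"{risk.risk_id}: owner must be an individual or role, not a team")


def analyse(risk: Risk) -> int:
    """6.1.2 d): combine consequence and likelihood into a risk level."""
    validate(risk)
    risk.level = risk.likelihood * risk.impact
    return risk.level


def evaluate(risk: Risk, management_acceptances: Optional[dict] = None) -> bool:
    """6.1.2 e): compare the level with the acceptance criteria.

    management_acceptances maps risk_id -> documented rationale for risks the
    Management Review Team has chosen to accept above the threshold.
    """
    analyse(risk)
    if risk.level <= ACCEPT_AT_OR_BELOW:
        risk.accepted = True
        risk.acceptance_basis = f"level {risk.level} is within acceptance criteria (<= {ACCEPT_AT_OR_BELOW})"
    elif management_acceptances and risk.risk_id in management_acceptances:
        risk.accepted = True
        risk.acceptance_basis = "Management Review Team override: " + management_acceptances[risk.risk_id]
    else:
        risk.accepted = False
        risk.acceptance_basis = f"level {risk.level} exceeds acceptance criteria; treatment required"
    return risk.accepted


def prioritise(register: list, management_acceptances: Optional[dict] = None) -> list:
    """Evaluate every entry and return those needing treatment, highest level first."""
    for risk in register:
        evaluate(risk, management_acceptances)
    untreated = [r for r in register if not r.accepted]
    return sorted(untreated, key=lambda r: (-r.level, -r.impact, r.risk_id))


def audit_recorded_levels(register: list, recorded: dict) -> list:
    """Audit check: recompute each level from the scales and flag entries whose
    recorded level disagrees (hand-edited scores break comparability)."""
    return sorted(rid for rid, lvl in recorded.items()
                  for r in register if r.risk_id == rid and analyse(r) != lvl)


# Constructed sample register for an in-scope customer-billing service.
SAMPLE_REGISTER = [
    Risk("R1", "Laptop holding customer billing data lost or stolen", "confidentiality",
         "Head of IT", likelihood=3, impact=4),
    Risk("R2", "Backups cannot be restored after a ransomware event", "availability",
         "Infrastructure Manager", likelihood=2, impact=5),
    Risk("R3", "Invoice records modified without authorisation", "integrity",
         "Finance Director", likelihood=2, impact=3),
    Risk("R4", "Unsupported supplier portal cannot receive security patches", "confidentiality",
         "Supplier Relationship Manager", likelihood=4, impact=2),
]

# Constructed override: the MRT accepts R4 for a documented, time-boxed reason.
MRT_ACCEPTANCES = {"R4": "portal is decommissioned next quarter; compensating network restrictions in place"}

if __name__ == "__main__":
    for risk in prioritise(SAMPLE_REGISTER, MRT_ACCEPTANCES):
        print(f"{risk.risk_id} level={risk.level:2d} owner={risk.owner}: {risk.description}")
    for risk in SAMPLE_REGISTER:
        print(f"{risk.risk_id}: accepted={risk.accepted} ({risk.acceptance_basis})")
```

Two design points match what the article asks for. The acceptance basis is stored on every entry, including overrides, so the register itself is the retained documented information an auditor will sample; and `audit_recorded_levels` is the kind of spot check step 9 of the audit checklist describes, catching a register where someone edited a score without re-applying the documented scales.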
Audit Checklist
How to audit ISO 27001 Clause 6.1.2 Information Security Risk Assessment
1. Review the Risk Assessment Methodology
Verify the existence and appropriateness of a documented methodology for identifying, analysing, and evaluating risks.
Audit Techniques: Document review (policies, procedures), interviews with risk management personnel, comparison against ISO 31000 principles, observation of a risk assessment in progress.
2. Examine the Scope Definition
Ensure the risk assessment scope is clearly defined and comprehensive, covering all relevant assets, processes, and locations.
Audit Techniques: Document review (scope definition document), interviews with interested parties across different departments, review of asset inventory and process maps, site visits to verify physical locations are included.
3. Evaluate the Asset Identification Process
Verify the process for identifying and cataloging information assets, including data, software, hardware, and physical resources.
Audit Techniques: Document review (asset register, data flow diagrams), interviews with asset owners, review of automated asset discovery tools output, sampling of assets to verify their inclusion in the inventory.
4. Assess Threat Identification
Verify the process for identifying potential threats, including both internal and external threats, and emerging threats.
Audit Techniques: Interviews with security experts and threat intelligence analysts, review of threat intelligence feeds and reports, analysis of incident history, review of threat modelling exercises.
5. Evaluate Vulnerability Identification
Verify the process for identifying weaknesses in the ISMS that could be exploited by threats.
Audit Techniques: Review of vulnerability scanning and penetration testing reports, analysis of security audit findings, review of code review results, interviews with technical staff.
6. Assess Likelihood Analysis
Verify the process for estimating the likelihood of threats occurring, including the criteria and data used for estimations.
Audit Techniques: Review of risk assessment documentation, interviews with risk assessors, analysis of historical data and industry trends, review of likelihood scales and their justification.
7. Evaluate Impact Analysis
Verify the process for estimating the potential impact of successful threat exploits, including the criteria and data used for estimations.
Audit Techniques: Review of risk assessment documentation, interviews with business impact analysis (BIA) team, analysis of potential financial, operational, legal, and reputational impacts, review of impact scales and their justification.
8. Examine Risk Evaluation and Prioritisation
Verify the process for combining likelihood and impact to determine risk levels and prioritise risks.
Audit Techniques: Review of risk matrix or other risk assessment tool, analysis of risk levels assigned to different risks, interviews with risk management personnel, review of risk acceptance criteria.
9. Review Risk Assessment Documentation
Inspect the risk register or equivalent documentation for completeness, accuracy, and consistency.
Audit Techniques: Document review (risk register, risk assessment reports), data analysis (trends in risk levels), sampling of risk entries for detailed review, interviews with risk owners.
10. Assess the Review and Update Process
Verify the process for regularly reviewing and updating the risk assessment to reflect changes in the threat landscape, vulnerabilities, and business environment.
Audit Techniques: Review of risk assessment update schedule, interviews with risk management personnel, review of change management records, analysis of how new threats and vulnerabilities are incorporated into the risk assessment.
ISO 27001 Templates
These individual templates help meet the specific requirements of ISO 27001 clause 6.1.2.