
The Ultimate Guide to ISO 27001:2022 Clause 8.2 Information Security Risk Assessment

Last updated Sep 15, 2025

Author: Stuart Barker | ISO 27001 Expert and Thought Leader

ISO 27001 Information Security Risk Assessment

The ISO 27001 standard requires an organisation to perform risk assessments and to keep evidence of the results.


In the ISO 27001 tutorial How to Implement ISO 27001 Clause 8 I show you how to implement it and pass the audit.

What is ISO 27001 Clause 8.2?

ISO 27001 Clause 8.2 covers the execution of the information security risk assessment. Clause 6.1.2 defines the process and its criteria (how risks are identified, how likelihood and impact are scored, and when a risk is acceptable); Clause 8.2 requires that process to actually be run, at planned intervals and whenever significant changes are proposed or occur. The organisation must also retain documented evidence of each assessment's results, most commonly in a risk register.

ISO 27001 Clause 8.2 Definition

ISO 27001 defines ISO 27001 Clause 8.2 as:

The organisation shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established in 6.1.2 a).
The organisation shall retain documented information of the results of the information security risk assessments.


How to implement ISO 27001 Clause 8.2

For details on how to conduct an ISO 27001 risk assessment read The Complete Guide to ISO 27001 Risk Assessment that walks you through it step by step.

ISO 27001 Clause 8.2 Implementation Checklist

1. Establish Risk Assessment Methodology

Define a clear and documented risk assessment methodology, including criteria for likelihood, impact, and risk acceptance. This should align with the organisation’s context and objectives.

Challenge

Difficulty in selecting a suitable methodology that fits the organisation’s size, complexity, and risk appetite. Methodologies can be complex and require specialist knowledge.

Solution

Research different methodologies (e.g., qualitative, quantitative, hybrid) and choose one that is appropriate. Consider using ISO 27001 templates and seeking expert advice if needed. Start with a simpler approach and iterate.

2. Identify Information Assets

Catalogue all information assets within the scope of the ISMS, including data, systems, processes, and physical assets.

Challenge

Overlooking critical assets, especially intangible ones like reputation or intellectual property. Maintaining an up-to-date asset inventory can be difficult in dynamic environments.

Solution

Use a structured approach to asset identification, involving representatives from different departments. Implement a process for regularly reviewing and updating the asset inventory. Utilise automated discovery tools where possible.

3. Identify Threats

Identify potential threats that could exploit vulnerabilities and compromise information assets. Consider internal and external threats, including natural disasters, cyberattacks, and human error.

Challenge

Keeping up with evolving threat landscape, especially cyber threats. Bias towards focusing on common threats and overlooking less frequent but potentially devastating ones.

Solution

Regularly consult threat intelligence sources, participate in industry forums, and conduct penetration testing and vulnerability assessments to stay informed. Use threat modelling techniques to explore potential attack scenarios.

4. Identify Vulnerabilities

Identify weaknesses in the information system that could be exploited by threats. This includes technical, organisational, and human vulnerabilities.

Challenge

Difficulty in identifying all vulnerabilities, especially those related to complex systems or human behaviour. Vulnerability scanning tools can generate a large number of false positives.

Solution

Conduct regular vulnerability scans and penetration testing. Implement a process for reporting and tracking vulnerabilities. Provide security awareness training to address human vulnerabilities. Prioritise vulnerabilities based on risk.

5. Analyse Risks

Analyse the identified threats and vulnerabilities to determine the likelihood and impact of potential incidents. This will help prioritise risks for treatment.

Challenge

Subjectivity in estimating likelihood and impact. Difficulty in quantifying risks, especially for non-financial impacts.

Solution

Use a consistent scoring system for likelihood and impact. Involve subject matter experts in the risk analysis process. Document the rationale behind risk assessments to ensure transparency and consistency.

6. Evaluate Risks

Evaluate the analysed risks against the organisation’s risk acceptance criteria to determine which risks require treatment.

Challenge

Defining appropriate risk acceptance criteria. Pressure to accept risks that are actually too high.

Solution

Define risk acceptance criteria based on business objectives, legal and regulatory requirements, and interested parties' expectations. Ensure that risk acceptance decisions are documented and approved by management.

7. Document the Risk Assessment Results

Document the entire risk assessment process, including the identified assets, threats, vulnerabilities, risks, and their evaluations.

Challenge

Maintaining accurate and up-to-date documentation. Risk assessment reports can become lengthy and difficult to manage.

Solution

Use an ISO 27001 risk register or a dedicated risk management tool to record and manage risk assessment information. Regularly review and update the ISO 27001 risk register.

8. Communicate the Risk Assessment Results

Communicate the results of the risk assessment to relevant interested parties, including management, asset owners, and security personnel.

Challenge

Communicating complex technical information to non-technical audiences. Ensuring that interested parties understand their roles and responsibilities in managing risks.

Solution

Tailor communication to the audience. Use clear and concise language, avoiding technical jargon. Provide training and awareness sessions to explain risk assessment results and their implications.

9. Use the Risk Assessment Results to Inform Risk Treatment

Use the risk assessment results to develop and implement appropriate risk treatment plans. For each risk this means choosing to modify it (reduce likelihood or impact with controls), share it (transfer, for example through insurance or a supplier), retain it (accept it within the acceptance criteria, with documented approval), or avoid it (stop the activity that gives rise to it).

Challenge

Developing cost-effective and effective risk treatment plans. Balancing security requirements with business needs.

Solution

Prioritise risk treatment based on the risk assessment results. Consider different risk treatment options and select the most appropriate one. Develop a risk treatment plan that includes timelines, responsibilities, and resources.

10. Regularly Review and Update the Risk Assessment

Risk assessments should be reviewed and updated regularly, especially when there are significant changes to the organisation’s information systems, threats, or vulnerabilities.

Challenge

Maintaining momentum and resources for ongoing risk assessment. Risk assessments can become outdated quickly in dynamic environments.

Solution

Establish a schedule for regular risk assessment reviews. Integrate risk assessment into other security management processes, such as change management and incident response. Use automation where possible to streamline the risk assessment process.

ISO 27001 Clause 8.2 Audit Checklist


1. Review Risk Identification

Verify that a systematic process is used to identify information security risks relevant to the organisation’s information assets.

  • Review risk registers, asset inventories, threat intelligence reports, and legal/regulatory requirements.
  • Interview staff across different departments to identify potential risks.

2. Review of the Risk Assessment Methodology

Confirm that a documented risk assessment methodology exists, that it defines how likelihood and impact are determined and what the risk acceptance criteria are, and that it is applied consistently.

  • Examine the documented methodology.
  • Interview personnel responsible for risk assessment to understand their understanding and application of the methodology.
  • Compare the documented methodology against best practices and relevant standards.

3. Verification of Asset Identification

Confirm that all relevant information assets within the scope of the ISMS have been identified and documented.

  • Review the asset register.
  • Conduct walkthroughs of different departments to identify information assets not listed.
  • Examine data flow diagrams and system documentation.
  • Compare the asset register against other sources like configuration management databases.

4. Examination of Threat Identification

Assess the comprehensiveness of the threat identification process, ensuring both internal and external threats have been considered.

  • Review threat intelligence reports, legal/regulatory updates, and industry best practices.
  • Examine meeting minutes or documentation from threat modelling exercises.
  • Interview security personnel about their understanding of current and emerging threats.
  • Check for evidence of considering various threat actors (e.g., malicious insiders, cybercriminals, natural events).

5. Assessment of Vulnerability Identification

Verify that vulnerabilities have been identified through appropriate methods, such as vulnerability scanning, penetration testing, and security assessments.

  • Review vulnerability scan reports and penetration testing results.
  • Examine security assessment reports.
  • Interview technical staff about vulnerability management processes.
  • Check for evidence of regular vulnerability scanning and timely patching.

6. Evaluation of Risk Analysis Process

Evaluate the risk analysis process to ensure it is systematic, consistent, and considers both likelihood and impact.

  • Review risk assessment reports.
  • Examine the criteria used for determining likelihood and impact. Interview risk assessors to understand how they apply the criteria.
  • Recalculate a sample of risks to verify the consistency of the process.

7. Review of Risk Evaluation and Acceptance

Verify that risks are evaluated against defined risk acceptance criteria and that risk acceptance decisions are documented and approved by management.

  • Review risk treatment plans and risk acceptance documentation.
  • Examine meeting minutes where risk acceptance decisions were made.
  • Interview management about their understanding of the organisation’s risk appetite.

8. Scrutiny of Risk Assessment Documentation

Verify that the risk assessment process and its results are adequately documented in an ISO 27001 risk register or similar document.

  • Examine the ISO 27001 risk register.
  • Check for completeness, accuracy, and timeliness of the information.
  • Verify that the risk register is regularly updated and reviewed.

9. Assessment of Communication of Risk Assessment Results

Confirm that the results of the risk assessment are communicated to relevant interested parties.

  • Review communication records, such as emails, reports, and presentations.
  • Interview interested parties about their understanding of the risks and their roles in managing them.

10. Verification that Results Inform Risk Treatment

Verify that the risk assessment results are used to inform the development and implementation of risk treatment plans.

  • Review risk treatment plans and their link to the identified risks.
  • Examine evidence of implementation of risk treatments.
  • Interview security personnel about how risk assessment results are used to prioritise security activities.

11. Verification of Regular Review and Update

Confirm that the risk assessment is reviewed and updated regularly, especially when there are significant changes to the organisation’s information systems, threats, or vulnerabilities.

  • Examine the revision history of the risk assessment documentation.
  • Interview security personnel about the frequency of risk assessment reviews.
  • Check for evidence of risk assessment updates following significant changes.
  • Verify the process for triggering a risk assessment review.

12. Ensure Risk Register Maintenance

Ensure the risk register is kept up to date, reflecting changes in the organisation’s risk environment.

  • Examine the risk register for completeness.
  • Review records of risk assessments and updates.
  • Interview risk owners to understand how they monitor risks.

13. Check the Competence of Risk Assessors

Ensure that individuals involved in risk assessments have the necessary skills and expertise.

  • Review training records and qualifications of risk assessors.
  • Interview risk assessors to assess their understanding of risk assessment techniques.

ISO 27001 Risk Register Template

ISO 27001 Risk Management Policy Template

ISO 27001 Risk Management Procedure Template

ISO 27001 Clause 8.2 FAQ

What is ISO 27001 Clause 8.2 Information Security Risk Assessment?

The ISO 27001 standard requires an organisation to perform risk assessment at planned intervals or when things change and keep evidence of the risk assessment.

How often should you perform a risk assessment?

As a benchmark, perform a full risk assessment at least annually.
In addition, perform a risk assessment whenever there is a significant change.
Risks are also reviewed at the management review meeting as a standing item on its structured agenda.
It is best practice for these meetings to occur every month, or at least once every three months.

What is an example of a planned interval for ISO 27001 Clause 8.2?

Planned intervals means that you have a plan to conduct a risk assessment at a certain time. An example of a planned interval would be to conduct a risk assessment at least annually.

Where can I download ISO 27001 Clause 8.2 Information Security Risk Assessment templates?

You can download ISO 27001 Clause 8.2 Information Security Risk Assessment templates in the ISO 27001 Toolkit.

ISO 27001 Clause 8.2 Information Security Risk Assessment example?

An example of ISO 27001 Clause 8.2 Information Security Risk Assessment can be found in the ISO 27001 Toolkit.

Is there an ISO 27001 Clause 8.2 Information Security Risk Assessment risk register?

Yes. A complete guide to the ISO 27001 Clause 8.2 Information Security Risk Assessment risk register can be found here.

Is there a guide to the risk management policy used in ISO 27001 Clause 8.2?

A guide to the ISO 27001 risk management policy used by ISO 27001 Clause 8.2 is located here.

How do you keep evidence of a risk assessment?

There are several ways to keep and show evidence of a risk assessment:
1. Hold an annual risk review meeting and minute the results
2. Maintain and use a risk register
3. Follow the structured agenda of the management review team meeting, which covers risk assessment
4. Include risk assessment as part of your operational processes

How often do you conduct a risk assessment?

At least annually and as significant changes occur.

How do you conduct an ISO 27001 risk assessment?

Read the complete guide to ISO 27001 risk assessment here.

Further Reading

For more on planning for risk assessment be sure to read: ISO 27001 Clause 6.1.2 Information security risk assessment Guide

For more on planning for risk treatment be sure to read: ISO 27001 Clause 6.1.3 Information Security Risk Treatment Guide

About the author

Stuart Barker is an information security practitioner of over 30 years. He holds an MSc in Software and Systems Security and an undergraduate degree in Software Engineering. He is an ISO 27001 expert and thought leader holding both ISO 27001 Lead Implementer and ISO 27001 Lead Auditor qualifications. In 2010 he started his first cyber security consulting business that he sold in 2018. He worked for over a decade for GE, leading a data governance team across Europe and since then has gone on to deliver hundreds of client engagements and audits.

He regularly mentors and trains professionals on information security and runs a successful ISO 27001 YouTube channel where he shows people how they can implement ISO 27001 themselves. He is passionate that knowledge should not be hoarded and brought to market the first of its kind online ISO 27001 store for all the tools and templates people need when they want to do it themselves.

In his personal life he is an active hobbyist kickboxer.

His specialisms are ISO 27001 and SOC 2, and his niche is start-up and early-stage businesses.