ISO 27001 Clause 8.2 Information Security Risk Assessment


ISO 27001 Information Security Risk Assessment

The ISO 27001 standard requires an organisation to perform risk assessments and to keep evidence of the results.

What is ISO 27001 Clause 8.2?

ISO 27001 clause 8.2 focuses on executing the Information Security Risk Assessment. While clause 6.1.2 covers the planning stages, 8.2 is about putting that plan into action. The standard requires organizations to define, implement, and actively carry out a risk assessment process. Crucially, this process must generate and maintain documented evidence of the assessment, typically through a risk register.

Definition

ISO 27001 defines Clause 8.2 as:

The organisation shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established in 6.1.2 a).
The organisation shall retain documented information of the results of the information security risk assessments.

ISO 27001:2022 Clause 8.2 Information Security Risk Assessment

What are the ISO 27001:2022 Changes to Information Security Risk Assessment?

Great news. There are no changes to ISO 27001 Clause 8.2 Information Security Risk Assessment in the 2022 update.


Implementation Checklist

Establish Risk Assessment Methodology

Define a clear and documented risk assessment methodology, including criteria for likelihood, impact, and risk acceptance. This should align with the organisation’s context and objectives.

Challenge:

Difficulty in selecting a suitable methodology that fits the organisation’s size, complexity, and risk appetite. Methodologies can be complex and require specialist knowledge.

Solution:

Research different methodologies (e.g., qualitative, quantitative, hybrid) and choose one that is appropriate. Consider using ISO 27001 templates and seeking expert advice if needed. Start with a simpler approach and iterate.

Identify Information Assets

Catalogue all information assets within the scope of the ISMS, including data, systems, processes, and physical assets.

Challenge:

Overlooking critical assets, especially intangible ones like reputation or intellectual property. Maintaining an up-to-date asset inventory can be difficult in dynamic environments.

Solution:

Use a structured approach to asset identification, involving representatives from different departments. Implement a process for regularly reviewing and updating the asset inventory. Utilise automated discovery tools where possible.

Identify Threats

Identify potential threats that could exploit vulnerabilities and compromise information assets. Consider internal and external threats, including natural disasters, cyberattacks, and human error.

Challenge:

Keeping up with the evolving threat landscape, especially cyber threats. Bias towards focusing on common threats and overlooking less frequent but potentially devastating ones.

Solution:

Regularly consult threat intelligence sources, participate in industry forums, and conduct penetration testing and vulnerability assessments to stay informed. Use threat modelling techniques to explore potential attack scenarios.

Identify Vulnerabilities

Identify weaknesses in the information system that could be exploited by threats. This includes technical, organisational, and human vulnerabilities.

Challenge:

Difficulty in identifying all vulnerabilities, especially those related to complex systems or human behaviour. Vulnerability scanning tools can generate a large number of false positives.

Solution:

Conduct regular vulnerability scans and penetration testing. Implement a process for reporting and tracking vulnerabilities. Provide security awareness training to address human vulnerabilities. Prioritise vulnerabilities based on risk.

Analyse Risks

Analyse the identified threats and vulnerabilities to determine the likelihood and impact of potential incidents. This will help prioritise risks for treatment.

Challenge:

Subjectivity in estimating likelihood and impact. Difficulty in quantifying risks, especially for non-financial impacts.

Solution:

Use a consistent scoring system for likelihood and impact. Involve subject matter experts in the risk analysis process. Document the rationale behind risk assessments to ensure transparency and consistency.

Evaluate Risks

Evaluate the analysed risks against the organisation’s risk acceptance criteria to determine which risks require treatment.

Challenge:

Defining appropriate risk acceptance criteria. Pressure to accept risks that are actually too high.

Solution:

Define risk acceptance criteria based on business objectives, legal and regulatory requirements, and interested parties' expectations. Ensure that risk acceptance decisions are documented and approved by management.

Document the Risk Assessment Results

Document the entire risk assessment process, including the identified assets, threats, vulnerabilities, risks, and their evaluations.

Challenge:

Maintaining accurate and up-to-date documentation. Risk assessment reports can become lengthy and difficult to manage.

Solution:

Use an ISO 27001 risk register or a dedicated risk management tool to record and manage risk assessment information. Regularly review and update the ISO 27001 risk register.

Communicate the Risk Assessment Results

Communicate the results of the risk assessment to relevant interested parties, including management, asset owners, and security personnel.

Challenge:

Communicating complex technical information to non-technical audiences. Ensuring that interested parties understand their roles and responsibilities in managing risks.

Solution:

Tailor communication to the audience. Use clear and concise language, avoiding technical jargon. Provide training and awareness sessions to explain risk assessment results and their implications.

Use the Risk Assessment Results to Inform Risk Treatment

Use the risk assessment results to develop and implement appropriate risk treatment plans. This may involve reducing, transferring, accepting, or avoiding risks.

Challenge:

Developing cost-effective and effective risk treatment plans. Balancing security requirements with business needs.

Solution:

Prioritise risk treatment based on the risk assessment results. Consider different risk treatment options and select the most appropriate one. Develop a risk treatment plan that includes timelines, responsibilities, and resources.

Regularly Review and Update the Risk Assessment

Risk assessments should be reviewed and updated regularly, especially when there are significant changes to the organisation’s information systems, threats, or vulnerabilities.

Challenge:

Maintaining momentum and resources for ongoing risk assessment. Risk assessments can become outdated quickly in dynamic environments.

Solution:

Establish a schedule for regular risk assessment reviews. Integrate risk assessment into other security management processes, such as change management and incident response. Use automation where possible to streamline the risk assessment process.
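As an added illustration of the Analyse, Evaluate, Document and Review steps above (example code, not part of the original page or of any ISO 27001 toolkit), the following Python sketch scores each register entry as likelihood x impact on assumed 5x5 scales, compares the score against an assumed acceptance threshold, keeps the documented rationale alongside the score, and flags entries that are due for re-assessment because the planned interval has elapsed or a significant change has occurred. The scales, threshold, interval and sample risks are all constructed assumptions to be replaced by your own methodology.

```python
from dataclasses import dataclass
from datetime import date

# Assumed 5x5 qualitative scales (not from the page; choose scales that fit your context).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ACCEPTANCE_THRESHOLD = 8   # assumed criterion: a score above this must be treated
REVIEW_INTERVAL_DAYS = 365  # planned interval: a full assessment at least annually
TODAY = date(2025, 6, 1)    # constructed "current date" for the sample run

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    rationale: str      # documented reasoning behind the scores (transparency)
    owner: str
    assessed_on: date   # date of the last assessment of this entry

    def score(self) -> int:
        # Consistent scoring: every assessor uses the same two scales.
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def requires_treatment(self) -> bool:
        # Evaluation step: compare against the acceptance criterion.
        return self.score() > ACCEPTANCE_THRESHOLD

def review_due(risk: Risk, today: date, significant_change: bool = False) -> bool:
    """Clause 8.2 trigger: planned interval elapsed or a significant change proposed/occurred."""
    return significant_change or (today - risk.assessed_on).days >= REVIEW_INTERVAL_DAYS

def evaluate_register(risks, today, significant_change=False):
    """One register row per risk, highest score first, so treatment can be prioritised."""
    rows = [{
        "asset": r.asset, "threat": r.threat, "score": r.score(),
        "treat": r.requires_treatment(), "review_due": review_due(r, today, significant_change),
        "owner": r.owner, "rationale": r.rationale,
    } for r in risks]
    return sorted(rows, key=lambda row: row["score"], reverse=True)

# Constructed sample entries for illustration only.
SAMPLE_RISKS = [
    Risk("Customer database", "External attacker", "Unpatched web server", "likely", "severe",
         "Internet-facing, holds PII, patch backlog noted in last scan", "IT Ops", date(2024, 1, 15)),
    Risk("Office laptops", "Theft", "Disk not encrypted on legacy models", "possible", "moderate",
         "Few legacy devices remain; encryption rollout 80% complete", "IT Support", date(2025, 3, 1)),
    Risk("Printed HR records", "Fire", "Single paper copy in one cabinet", "rare", "major",
         "Building has sprinklers; records are also scanned", "HR", date(2025, 3, 1)),
]
```

Running `evaluate_register(SAMPLE_RISKS, TODAY)` ranks the database risk first (score 20, overdue for review), flags the laptop risk for treatment (score 9) but not for review, and leaves the paper-records risk (score 4) within the acceptance criterion.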

Audit Checklist

The following is a summary of the ISO 27001 Clause 8.2 Audit Checklist:

Review of the Risk Assessment Methodology

Verify that the organization has a documented and approved risk assessment methodology.

Audit Techniques: Examine the documented methodology. Interview personnel responsible for risk assessment to gauge their understanding and application of the methodology. Compare the documented methodology against best practices and relevant standards.

Verification of Asset Identification

Confirm that all relevant information assets within the scope of the ISMS have been identified and documented.

Audit Techniques: Review the asset register. Conduct walkthroughs of different departments to identify information assets not listed. Examine data flow diagrams and system documentation. Compare the asset register against other sources like configuration management databases.

Examination of Threat Identification

Assess the comprehensiveness of the threat identification process, ensuring both internal and external threats have been considered.

Audit Techniques: Review threat intelligence reports. Examine meeting minutes or documentation from threat modelling exercises. Interview security personnel about their understanding of current and emerging threats. Check for evidence of considering various threat actors (e.g., malicious insiders, cybercriminals, natural events).

Assessment of Vulnerability Identification

Verify that vulnerabilities have been identified through appropriate methods, such as vulnerability scanning, penetration testing, and security assessments.

Audit Techniques: Review vulnerability scan reports and penetration testing results. Examine security assessment reports. Interview technical staff about vulnerability management processes. Check for evidence of regular vulnerability scanning and timely patching.

Evaluation of Risk Analysis Process

Evaluate the risk analysis process to ensure it is systematic, consistent, and considers both likelihood and impact.

Audit Techniques: Review risk assessment reports. Examine the criteria used for determining likelihood and impact. Interview risk assessors to understand how they apply the criteria. Recalculate a sample of risks to verify the consistency of the process.

Review of Risk Evaluation and Acceptance

Verify that risks are evaluated against defined risk acceptance criteria and that risk acceptance decisions are documented and approved by management.

Audit Techniques: Review risk treatment plans and risk acceptance documentation. Examine meeting minutes where risk acceptance decisions were made. Interview management about their understanding of the organisation’s risk appetite.

Scrutiny of Risk Assessment Documentation

Verify that the risk assessment process and its results are adequately documented in an ISO 27001 risk register or similar document.

Audit Techniques: Examine the ISO 27001 risk register. Check for completeness, accuracy, and timeliness of the information. Verify that the risk register is regularly updated and reviewed.

Assessment of Communication of Risk Assessment Results

Confirm that the results of the risk assessment are communicated to relevant interested parties.

Audit Techniques: Review communication records, such as emails, reports, and presentations. Interview interested parties about their understanding of the risks and their roles in managing them.

Verification of Use of Risk Assessment Results

Verify that the risk assessment results are used to inform the development and implementation of risk treatment plans.

Audit Techniques: Review risk treatment plans and their link to the identified risks. Examine evidence of implementation of risk treatments. Interview security personnel about how risk assessment results are used to prioritise security activities.

Verification of Regular Review and Update

Confirm that the risk assessment is reviewed and updated regularly, especially when there are significant changes to the organisation’s information systems, threats, or vulnerabilities.

Audit Techniques: Examine the revision history of the risk assessment documentation. Interview security personnel about the frequency of risk assessment reviews. Check for evidence of risk assessment updates following significant changes. Verify the process for triggering a risk assessment review.

How to conduct an ISO 27001 Risk Assessment

For details on how to conduct an ISO 27001 risk assessment read The Complete Guide to ISO 27001 Risk Assessment that talks you through it step by step.


ISO 27001 Templates

ISO 27001 templates are a great way to implement your information security management system. Whilst an ISO 27001 toolkit can save you up to 30x in consulting fees and allow you to deliver up to 10x faster these individual templates help meet the specific requirements of ISO 27001 clause 8.2.

ISO 27001 Clause 8.2 FAQ

What is ISO 27001 Clause 8.2 Information Security Risk Assessment?

The ISO 27001 standard requires an organisation to perform risk assessments at planned intervals or when significant changes occur, and to keep evidence of the risk assessment.

How often should you perform a risk assessment?

As a benchmark you would perform a full risk assessment at least annually.
In addition, you do a risk assessment every time there is a significant change.
Risks are also regularly assessed at the management review team meeting as part of the structured management review team agenda.
It is best practice that these meetings occur every month or at least once every 3 months.

What is an example of a planned interval for ISO 27001 Clause 8.2?

A planned interval means that you have a plan to conduct a risk assessment at a certain time. An example of a planned interval would be to conduct a risk assessment at least annually.

Where can I download ISO 27001 Clause 8.2 Information Security Risk Assessment templates?

You can download ISO 27001 Clause 8.2 Information Security Risk Assessment templates in the ISO 27001 Toolkit.

Is there an ISO 27001 Clause 8.2 Information Security Risk Assessment example?

An example of ISO 27001 Clause 8.2 Information Security Risk Assessment can be found in the ISO 27001 Toolkit.

Is there an ISO 27001 Clause 8.2 Information Security Risk Assessment risk register?

Yes. A complete guide to the ISO 27001 Clause 8.2 Information Security Risk Assessment risk register can be found here.

Is there a guide to the risk management policy used in ISO 27001 Clause 8.2?

A guide to the ISO 27001 risk management policy used by ISO 27001 Clause 8.2 is located here.

How do you keep evidence of a risk assessment?

There are several ways to keep and show evidence of a risk assessment:
1. Hold an annual risk review meeting and minute the results
2. Maintain and use a risk register
3. Follow the structured agenda of the management review team meeting, which covers risk assessment
4. Include risk assessment as part of your operational processes

How often do you conduct a risk assessment?

At least annually and as significant changes occur.

How do you conduct an ISO 27001 risk assessment?

Read the complete guide to ISO 27001 risk assessment here.

Further Reading

ISO 27001 Clause 8.2 Audit Checklist

For more on planning for risk assessment be sure to read: ISO 27001 Clause 6.1.2 Information Security Risk Assessment Guide

For more on planning for risk treatment be sure to read: ISO 27001 Clause 6.1.3 Information Security Risk Treatment Guide
