ISO 27001 Information Security Risk Assessment
Table of contents
- ISO 27001 Information Security Risk Assessment
- What is ISO 27001 Clause 8.2?
- How to implement ISO 27001 Clause 8.2
- ISO 27001 Clause 8.2 Implementation Checklist
- ISO 27001 Clause 8.2 Audit Checklist
- ISO 27001 Risk Register Template
- ISO 27001 Risk Management Policy Template
- ISO 27001 Risk Management Procedure Template
- Watch the Video
- ISO 27001 Clause 8.2 FAQ
- Further Reading
What is ISO 27001 Clause 8.2?
ISO 27001 clause 8.2 focuses on executing the Information Security Risk Assessment. While clause 6.1.2 covers the planning stages, 8.2 is about putting that plan into action. The standard requires organizations to define, implement, and actively carry out a risk assessment process. Crucially, this process must generate and maintain documented evidence of the assessment, typically through a risk register.
ISO 27001 Clause 8.2 Definition
ISO 27001:2022 Clause 8.2 Information Security Risk Assessment reads:
The organisation shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established in 6.1.2 a).
The organisation shall retain documented information of the results of the information security risk assessments.
How to implement ISO 27001 Clause 8.2
For details on how to conduct an ISO 27001 risk assessment read The Complete Guide to ISO 27001 Risk Assessment that walks you through it step by step.
ISO 27001 Clause 8.2 Implementation Checklist
1. Establish Risk Assessment Methodology
Define a clear and documented risk assessment methodology, including criteria for likelihood, impact, and risk acceptance. This should align with the organisation’s context and objectives.
Challenge
Difficulty in selecting a suitable methodology that fits the organisation’s size, complexity, and risk appetite. Methodologies can be complex and require specialist knowledge.
Solution
Research different methodologies (e.g., qualitative, quantitative, hybrid) and choose one that is appropriate. Consider using ISO 27001 templates and seeking expert advice if needed. Start with a simpler approach and iterate.
2. Identify Information Assets
Catalogue all information assets within the scope of the ISMS, including data, systems, processes, and physical assets.
Challenge
Overlooking critical assets, especially intangible ones like reputation or intellectual property. Maintaining an up-to-date asset inventory can be difficult in dynamic environments.
Solution
Use a structured approach to asset identification, involving representatives from different departments. Implement a process for regularly reviewing and updating the asset inventory. Utilise automated discovery tools where possible.
3. Identify Threats
Identify potential threats that could exploit vulnerabilities and compromise information assets. Consider internal and external threats, including natural disasters, cyberattacks, and human error.
Challenge
Keeping up with evolving threat landscape, especially cyber threats. Bias towards focusing on common threats and overlooking less frequent but potentially devastating ones.
Solution
Regularly consult threat intelligence sources, participate in industry forums, and conduct penetration testing and vulnerability assessments to stay informed. Use threat modelling techniques to explore potential attack scenarios.
4. Identify Vulnerabilities
Identify weaknesses in the information system that could be exploited by threats. This includes technical, organisational, and human vulnerabilities.
Challenge
Difficulty in identifying all vulnerabilities, especially those related to complex systems or human behaviour. Vulnerability scanning tools can generate a large number of false positives.
Solution
Conduct regular vulnerability scans and penetration testing. Implement a process for reporting and tracking vulnerabilities. Provide security awareness training to address human vulnerabilities. Prioritise vulnerabilities based on risk.
5. Analyse Risks
Analyse the identified threats and vulnerabilities to determine the likelihood and impact of potential incidents. This will help prioritise risks for treatment.
Challenge
Subjectivity in estimating likelihood and impact. Difficulty in quantifying risks, especially for non-financial impacts.
Solution
Use a consistent scoring system for likelihood and impact. Involve subject matter experts in the risk analysis process. Document the rationale behind risk assessments to ensure transparency and consistency.
6. Evaluate Risks
Evaluate the analysed risks against the organisation’s risk acceptance criteria to determine which risks require treatment.
Challenge
Defining appropriate risk acceptance criteria. Pressure to accept risks that are actually too high.
Solution
Define risk acceptance criteria based on business objectives, legal and regulatory requirements, and interested parties' expectations. Ensure that risk acceptance decisions are documented and approved by management.
7. Document the Risk Assessment Results
Document the entire risk assessment process, including the identified assets, threats, vulnerabilities, risks, and their evaluations.
Challenge
Maintaining accurate and up-to-date documentation. Risk assessment reports can become lengthy and difficult to manage.
Solution
Use an ISO 27001 risk register or a dedicated risk management tool to record and manage risk assessment information. Regularly review and update the ISO 27001 risk register.
8. Communicate the Risk Assessment Results
Communicate the results of the risk assessment to relevant interested parties, including management, asset owners, and security personnel.
Challenge
Communicating complex technical information to non-technical audiences. Ensuring that interested parties understand their roles and responsibilities in managing risks.
Solution
Tailor communication to the audience. Use clear and concise language, avoiding technical jargon. Provide training and awareness sessions to explain risk assessment results and their implications.
9. Use the Risk Assessment Results to Inform Risk Treatment
Use the risk assessment results to develop and implement appropriate risk treatment plans. This may involve reducing, transferring, accepting, or avoiding risks.
Challenge
Developing cost-effective and effective risk treatment plans. Balancing security requirements with business needs.
Solution
Prioritise risk treatment based on the risk assessment results. Consider different risk treatment options and select the most appropriate one. Develop a risk treatment plan that includes timelines, responsibilities, and resources.
10. Regularly Review and Update the Risk Assessment
Risk assessments should be reviewed and updated regularly, especially when there are significant changes to the organisation’s information systems, threats, or vulnerabilities.
Challenge
Maintaining momentum and resources for ongoing risk assessment. Risk assessments can become outdated quickly in dynamic environments.
Solution
Establish a schedule for regular risk assessment reviews. Integrate risk assessment into other security management processes, such as change management and incident response. Use automation where possible to streamline the risk assessment process.
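Steps 5, 6, 7 and 10 above all come together in the risk register. The following Python script is an added example, not code from the original page or from the ISO 27001 Toolkit: it scores a constructed register on 5-point likelihood and impact scales, recalculates every entry to catch scoring inconsistencies (the same recalculation an auditor performs in step 6 of the audit checklist below), flags risks above an assumed acceptance threshold for treatment, and flags entries whose last review is older than the planned interval. The scale labels, the threshold of 8, the 365-day interval and the sample risks are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed 5-point scales; the labels are an example convention, not prescribed by the standard.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    """One row of the risk register (constructed layout for this example)."""
    risk_id: str
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    recorded_score: int      # the score the assessor wrote into the register
    owner: str
    last_reviewed: date


def score(likelihood: str, impact: str) -> int:
    """Risk score = likelihood x impact on the two 5-point scales (range 1..25)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def assess_register(register, as_of, accept_threshold=8, review_interval_days=365):
    """Recalculate every risk and report three findings:
      - inconsistent: recorded score differs from the recalculated score
      - needs_treatment: recalculated score exceeds the acceptance threshold
      - overdue_review: last review is older than the planned interval
    `as_of` is passed in explicitly so the check is reproducible for an audit.
    """
    result = {"inconsistent": [], "needs_treatment": [], "overdue_review": []}
    cutoff = as_of - timedelta(days=review_interval_days)
    for r in register:
        calc = score(r.likelihood, r.impact)
        if calc != r.recorded_score:
            result["inconsistent"].append((r.risk_id, r.recorded_score, calc))
        if calc > accept_threshold:
            result["needs_treatment"].append((r.risk_id, calc))
        if r.last_reviewed < cutoff:
            result["overdue_review"].append((r.risk_id, r.last_reviewed.isoformat()))
    return result


# Constructed sample register (not real data). R-003 deliberately carries a wrong recorded score.
SAMPLE_REGISTER = [
    Risk("R-001", "Customer database", "External attacker", "Unpatched web server",
         "likely", "major", 16, "Head of IT", date(2024, 1, 10)),
    Risk("R-002", "Laptops", "Theft", "No full-disk encryption",
         "possible", "moderate", 9, "IT Manager", date(2024, 11, 15)),
    Risk("R-003", "Office", "Flood", "Ground-floor server room",
         "rare", "severe", 3, "Facilities", date(2024, 10, 1)),
    Risk("R-004", "HR records", "Insider", "Excessive access rights",
         "unlikely", "minor", 4, "HR Director", date(2024, 12, 20)),
]


def demo_report():
    """Run the assessment on the sample register at a fixed reference date."""
    return assess_register(SAMPLE_REGISTER, as_of=date(2025, 1, 31))


if __name__ == "__main__":
    for finding, items in demo_report().items():
        print(f"{finding}: {items}")
```

On the sample data the script reports R-003 as inconsistent (recorded 3, recalculated 5), R-001 and R-002 as needing treatment, and R-001 as overdue for review. Multiplying two ordinal scales is a convention rather than a measurement, so the value of a script like this is not the number itself but that every entry is scored the same way, the acceptance criterion is applied mechanically, and the register can be re-checked on demand whenever a significant change triggers a reassessment.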
ISO 27001 Clause 8.2 Audit Checklist
How to audit ISO 27001 Clause 8.2 Information Security Risk Assessment
1. Review Risk Identification
Verify that a systematic process is used to identify information security risks relevant to the organisation’s information assets.
- Review risk registers, asset inventories, threat intelligence reports, and legal/regulatory requirements.
- Interview staff across different departments to identify potential risks.
2. Review of the Risk Assessment Methodology
Confirm that identified risks are analysed to determine their potential impact and likelihood.
- Examine the documented methodology.
- Interview personnel responsible for risk assessment to check their understanding and application of the methodology.
- Compare the documented methodology against best practices and relevant standards.
3. Verification of Asset Identification
Confirm that all relevant information assets within the scope of the ISMS have been identified and documented.
- Review the asset register.
- Conduct walkthroughs of different departments to identify information assets not listed.
- Examine data flow diagrams and system documentation.
- Compare the asset register against other sources like configuration management databases.
4. Examination of Threat Identification
Assess the comprehensiveness of the threat identification process, ensuring both internal and external threats have been considered.
- Review threat intelligence reports, legal/regulatory updates, and industry best practices.
- Examine meeting minutes or documentation from threat modelling exercises.
- Interview security personnel about their understanding of current and emerging threats.
- Check for evidence of considering various threat actors (e.g., malicious insiders, cybercriminals, natural events).
5. Assessment of Vulnerability Identification
Verify that vulnerabilities have been identified through appropriate methods, such as vulnerability scanning, penetration testing, and security assessments.
- Review vulnerability scan reports and penetration testing results.
- Examine security assessment reports.
- Interview technical staff about vulnerability management processes.
- Check for evidence of regular vulnerability scanning and timely patching.
6. Evaluation of Risk Analysis Process
Evaluate the risk analysis process to ensure it is systematic, consistent, and considers both likelihood and impact.
- Review risk assessment reports.
- Examine the criteria used for determining likelihood and impact. Interview risk assessors to understand how they apply the criteria.
- Recalculate a sample of risks to verify the consistency of the process.
7. Review of Risk Evaluation and Acceptance
Verify that risks are evaluated against defined risk acceptance criteria and that risk acceptance decisions are documented and approved by management.
- Review risk treatment plans and risk acceptance documentation.
- Examine meeting minutes where risk acceptance decisions were made.
- Interview management about their understanding of the organisation’s risk appetite.
8. Scrutiny of Risk Assessment Documentation
Verify that the risk assessment process and its results are adequately documented in an ISO 27001 risk register or similar document.
- Examine the ISO 27001 risk register.
- Check for completeness, accuracy, and timeliness of the information.
- Verify that the risk register is regularly updated and reviewed.
9. Assessment of Communication of Risk Assessment Results
Confirm that the results of the risk assessment are communicated to relevant interested parties.
- Review communication records, such as emails, reports, and presentations.
- Interview interested parties about their understanding of the risks and their roles in managing them.
10. Evaluation of Link to Risk Treatment
Verify that the risk assessment results are used to inform the development and implementation of risk treatment plans.
- Review risk treatment plans and their link to the identified risks.
- Examine evidence of implementation of risk treatments.
- Interview security personnel about how risk assessment results are used to prioritise security activities.
11. Verification of Regular Review and Update
Confirm that the risk assessment is reviewed and updated regularly, especially when there are significant changes to the organisation’s information systems, threats, or vulnerabilities.
- Examine the revision history of the risk assessment documentation.
- Interview security personnel about the frequency of risk assessment reviews.
- Check for evidence of risk assessment updates following significant changes.
- Verify the process for triggering a risk assessment review.
12. Ensure Risk Register Maintenance
Ensure the risk register is kept up to date, reflecting changes in the organisation’s risk environment.
- Examine the risk register for completeness.
- Review records of risk assessments and updates.
- Interview risk owners to understand how they monitor risks.
13. Check the Competence of Risk Assessors
Ensure that individuals involved in risk assessments have the necessary skills and expertise.
- Review training records and qualifications of risk assessors.
- Interview risk assessors to assess their understanding of risk assessment techniques.
ISO 27001 Risk Register Template
ISO 27001 Risk Management Policy Template
ISO 27001 Risk Management Procedure Template
Watch the Video
For a visual guide to the process watch the tutorial video – How to Implement ISO 27001 Clause 8
ISO 27001 Clause 8.2 FAQ
The ISO 27001 standard requires an organisation to perform a risk assessment at planned intervals or when significant changes occur, and to retain evidence of the risk assessment.
As a benchmark you would perform a full risk assessment at least annually.
In addition, you perform a risk assessment every time there is a significant change.
Risks are also assessed regularly at the management review team meeting as part of the structured management review team agenda.
It is best practice that these meetings occur every month, or at least once every 3 months.
Planned intervals means that you have a plan to conduct a risk assessment at a certain time. An example of a planned interval would be to conduct a risk assessment at least annually.
You can download ISO 27001 Clause 8.2 Information Security Risk Assessment templates in the ISO 27001 Toolkit.
An example of ISO 27001 Clause 8.2 Information Security Risk Assessment can be found in the ISO 27001 Toolkit.
Yes. A complete guide to the ISO 27001 Clause 8.2 Information Security Risk Assessment risk register can be found here.
A guide to the ISO 27001 risk management policy used by ISO 27001 Clause 8.2 is located here.
There are several ways to keep and show evidence of a risk assessment:
1. Hold an annual risk review meeting and minute the results
2. Maintain and use a risk register
3. Follow the structured agenda of the management review team meeting, which covers risk assessment
4. Include risk assessment as part of your operational processes
At least annually and as significant changes occur.
Read the complete guide to ISO 27001 risk assessment here.
Further Reading
For more on planning for risk assessment be sure to read: ISO 27001 Clause 6.1.2 Information security risk assessment Guide
For more on planning for risk treatment be sure to read: ISO 27001 Clause 6.1.3 Information Security Risk Treatment Guide