ISO 27001 Information Security Risk Assessment


Hello! I’m Stuart Barker, the ISO 27001 Ninja, and this is ISO 27001 Clause 6.1.2 Information Security Risk Assessment. Come with me as we do a deep dive into how to satisfy this requirement and be successful at your ISO 27001 certification.

ISO 27001 Information Security Risk Assessment is covered in ISO 27001 Clause 6.1.2 Information Security Risk Assessment. Here we take a look at how to implement it.


Definition

So we start the process by understanding the requirement and we do that by looking at the definition. We’re going to understand what the standard wants from us so that we can work out what we need to comply and satisfy this ISO 27001 Clause. This is quite a big clause so buckle up.

The standard defines ISO 27001 Information Security Risk Assessment as:

The organisation shall define and apply an information security risk assessment process that:

a) establishes and maintains information security risk criteria that include:
1) the risk acceptance criteria; and
2) criteria for performing information security risk assessments;

b) ensures that repeated information security risk assessments produce consistent, valid and comparable results;

c) identifies the information security risks:
1) apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system; and
2) identify the risk owners;

d) analyses the information security risks:
1) assess the potential consequences that would result if the risks identified in 6.1.2 c) 1) were to materialize;
2) assess the realistic likelihood of the occurrence of the risks identified in 6.1.2 c) 1); and
3) determine the levels of risk;

e) evaluates the information security risks:
1) compare the results of risk analysis with the risk criteria established in 6.1.2 a); and
2) prioritise the analysed risks for risk treatment.

The organisation shall retain documented information about the information security risk assessment process.

Implementation Guide

We’re going to take a look at a couple of artefacts that are quick and simple to produce and that address this particular part of the ISO 27001 Clause.

ISO 27001 Clause 6.1.2 says the organisation shall define and apply an information security risk assessment process, and it breaks that down into five parts. The process must establish and maintain risk criteria, ensure that repeated information security risk assessments produce consistent results, identify the information security risks, analyse the information security risks and then evaluate those information security risks.

Documented Process

So the way that we’re going to do that is, first of all, we’re going to have a documented risk management process. You can download it as a Risk Management Process Template, you get it as part of the Ultimate ISO 27001 Toolkit, or you can create it yourself, but you need a documented process.

Within that documented process you’re going to implement risk identification, risk assessment and risk treatment.

The reason you have a documented process is maturity: the standard wants a repeatable process that generates the same results irrespective of who performs it and how. Having it documented means we follow a structured approach every time, which is what Clause 6.1.2 b) asks for.

ISO 27001 Risk Management Procedure Template

Identify Information Security Risks

We’re going to identify our information security risks, but only for what is in scope, that is, the things within the scope of the information security management system. It’s a slight nuance, a slight subtlety, but it is the ISMS scope that bounds the risk assessment.

Identify and Assign Roles

We’re going to identify risk owners. There are a number of roles that happen when it comes to risk.

You’ve got:

risk owners – the owner of the risk that is accountable for the risk and the risk treatment

asset owners – the owner of the asset to which the risk applies

risk treatment owners – the owner of the risk treatment plan

Risk Analysis

When we have assigned our roles, we’re going to do some analysis.

We’re going to look at things like: what is the likelihood of a risk occurring? We’re going to score that likelihood, and to do that consistently we’re going to put together a table with the scores and guidance on when each score applies.

We’re going to look at what the impact on our organisation would be if that risk were realised.

Then we’re going to generate a risk score, and that risk score is what gives us a consistent approach to risk treatment and risk acceptance.

Risk Likelihood

If you look at the risk management procedure, within the risk assessment section there is a likelihood table. Here is an example of that table, scoring likelihood on a one to five range, with one being rare (highly unlikely to occur) and five being highly probable.

ISO27001 Risk Likelihood Table

You can change the definitions based on your environment. If you’re in financial services with high transaction volumes, highly probable could mean within seconds or minutes rather than weeks, months or years, but these definitions work for the majority of the small businesses I engage with: highly probable is likely to happen within the next month; rare is highly unlikely to happen at all.

Risk Impact

So you’re going to have a likelihood table and you’re going to have an impact table. Again, here is an example of what that can look like. Impact is also scored on a one to five range, where one is very low and five is very high.

ISO 27001 Risk Impact Table

When it comes to impacts we’re looking at legal and regulatory impact, impact on our customers and impact on the health and safety of individuals.

So we can see that very low is no perceived impact.

Very high is a legal or regulatory breach, an impact on health and safety or risk to life, or system downtime that leads to a contractual loss, and the scores in between are a graduation between those two ends.

Risk Score Formula

What you’ve then got is a multiplication formula: you multiply the likelihood by the impact and that generates a score on a scale of 1 to 25. Below is a copy of the risk mitigation strategy that is driven by that score.

Risk Mitigation Strategy

That score determines a default behaviour which can be overridden. By default, a minor risk is something we would accept, and a critical risk is something we would reduce; if we want to accept a critical risk instead, that requires the sign-off of the CEO. So what you can see is that we’ve got a risk management process where the score, the level and the default treatment all follow from the same tables.

ISO 27001-Risk-Classification-and-Mitigation-Table
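As an added, illustrative example (not the author’s template or toolkit code), here is the scoring and classification logic from the likelihood, impact, risk score and mitigation strategy sections above written out in Python. The 1 to 5 scales, the multiplication, “minor defaults to accept” and “accepting a critical risk needs CEO sign-off” come from the page; the score bands for each level, the intermediate levels (moderate, major), the other approver roles, and the register entries and names used as input are assumptions made for this example.

```python
"""Risk scoring for ISO 27001 Clause 6.1.2 as described on this page:
likelihood (1-5) x impact (1-5) gives a score, the score maps to a level,
and each level has a default treatment that can be overridden with the
right sign-off. ASSUMPTIONS: the score bands, the moderate/major levels
and the non-CEO approver roles are illustrative, not from the page."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Scale definitions (1-5), mirroring the page's likelihood and impact tables.
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "highly probable"}
IMPACT = {1: "very low", 2: "low", 3: "medium", 4: "high", 5: "very high"}

# Assumed classification bands over the 1-25 score range:
# (score_min, score_max, level, default treatment, who may sign off acceptance)
BANDS = [
    (1, 4, "minor", "accept", "risk owner"),
    (5, 9, "moderate", "reduce", "risk owner"),
    (10, 14, "major", "reduce", "senior management"),
    (15, 25, "critical", "reduce", "CEO"),
]


def risk_score(likelihood: int, impact: int) -> int:
    """Multiply likelihood by impact, rejecting values outside the 1-5 scales
    so every assessor produces a comparable number (Clause 6.1.2 b)."""
    for name, value, scale in (("likelihood", likelihood, LIKELIHOOD),
                               ("impact", impact, IMPACT)):
        if value not in scale:
            raise ValueError(f"{name} must be one of {sorted(scale)}, got {value!r}")
    return likelihood * impact


def classify(score: int) -> Tuple[str, str, str]:
    """Map a 1-25 score to (level, default treatment, approver for acceptance)."""
    for lo, hi, level, treatment, approver in BANDS:
        if lo <= score <= hi:
            return level, treatment, approver
    raise ValueError(f"score {score} is outside 1-25")


@dataclass
class Risk:
    ref: str
    description: str
    owner: str            # the risk owner, accountable for the risk and its treatment
    likelihood: int
    impact: int
    override: Optional[str] = None      # e.g. "accept" when deviating from the default
    approved_by: Optional[str] = None   # who signed off the override


def assess(risk: Risk) -> Dict[str, object]:
    """Score, classify and decide the treatment for one register entry."""
    score = risk_score(risk.likelihood, risk.impact)
    level, default, approver = classify(score)
    treatment = default
    if risk.override and risk.override != default:
        # Overriding the default to "accept" needs the approver for that level.
        if risk.override == "accept" and risk.approved_by != approver:
            raise PermissionError(
                f"{risk.ref}: accepting a {level} risk needs sign-off from the {approver}")
        treatment = risk.override
    return {"ref": risk.ref, "owner": risk.owner, "score": score,
            "level": level, "treatment": treatment}


def prioritise(risks: List[Risk]) -> List[Dict[str, object]]:
    """Clause 6.1.2 e) 2): order the analysed risks for treatment, highest score first."""
    return sorted((assess(r) for r in risks), key=lambda a: a["score"], reverse=True)


# Constructed sample register entries for this example (not from the page).
SAMPLE_REGISTER = [
    Risk("R-001", "Laptop lost with unencrypted customer data", "Head of IT", 3, 5),
    Risk("R-002", "Office printer runs out of toner", "Office Manager", 4, 1),
    Risk("R-003", "Phishing leads to mailbox takeover", "CISO", 4, 4,
         override="accept", approved_by="CEO"),
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE_REGISTER):
        print(row)
```

Running it lists R-003 (score 16, critical, accepted with CEO sign-off), then R-001 (score 15, critical, reduce by default) and R-002 (score 4, minor, accept). Rejecting out-of-scale inputs and refusing an acceptance override that lacks the named approver is what keeps repeated assessments consistent and comparable, which is the point of Clause 6.1.2 b); the bands and roles are the parts you would replace with the values from your own classification table.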

What I’m going to do is point you to The Ultimate Guide to the ISO 27001 Risk Register, which covers the risk register and how these informational elements transpose into its day-to-day operation.

Conclusion

There are a couple of Clauses that we’re going to look at that rely on the risk register, so I’m not going to cover that in detail here; have a look at the Ultimate Guide to the ISO 27001 Risk Register. But know that if you are assessing your risks, looking at the likelihood, looking at the impact, generating a score, taking a default action based on that score, classifying the risk with a level, allocating risk owners, and identifying your risks within the scope of the information security management system as part of your overall risk management process, you are clearly going to satisfy this particular ISO 27001 Clause.

So that was ISO 27001 Clause 6.1.2 Risk Assessment.

My name is Stuart Barker. I am the ISO 27001 Ninja. Be sure to check back for the next blog, which looks at risk treatment, but for now, peace out.
