ISO 27001 Information Security Risk Assessment – Tutorial


Introduction

In this tutorial we will cover ISO 27001 Risk Assessment.

You will learn what ISO 27001 Risk Assessment is and how to implement it.

ISO 27001 Risk Assessment

We start the process by understanding the requirement: what the standard asks of us, so that we can work out what we need to do to comply with and satisfy this ISO 27001 requirement.

The information security risk assessment process should:

  • Establish and maintain information security risk criteria that include the risk acceptance criteria and the criteria for performing information security risk assessments.
  • Ensure that repeated information security risk assessments produce consistent, valid and comparable results.
  • Identify the information security risks:
      • apply the information security risk assessment process to identify risks
      • identify risk owners
  • Analyse the information security risks:
      • assess the potential consequences that would result if the risks were to materialise
      • assess the realistic likelihood of the occurrence of the risks identified
      • determine the levels of risk
  • Evaluate the information security risks:
      • compare the results of the risk analysis with the risk criteria established
      • prioritise the analysed risks for risk treatment
  • Keep documentation.

Information Security Risk Management Procedure

The first step is to implement a risk management procedure.

The risk management procedure will cover

  • how you identify risk
  • how you assess risk
  • how you treat risk
  • how you manage risk
  • the risk register

ISO 27001 Templates

ISO 27001 Risk Management Procedure Template


Risk Assessment

You will perform risk analysis of the risks that you identify. This analysis will create a risk score. The risk score is based on the likelihood of the risk occurring and the impact if that risk were to be realised.

Risk Likelihood

Risk likelihood is a table of scores and thresholds that you define to categorise how likely an event is to occur and in what time frame. An example risk likelihood table would be:

ISO27001 Risk Likelihood Table

You can change these definitions to suit your environment. For example, if you are in financial services with a high transaction volume, then ‘highly probable’ could be measured in seconds and minutes rather than months and years.

Risk Impact

Impact is the result to you if the risk happens. It can be measured on factors such as legal impact, business impact and financial impact. An example risk impact table would be:

ISO 27001 Risk Impact Table

In this example you can see that ‘very low’ has no perceived impact, whereas ‘very high’ is a legal and regulatory breach, an impact on health and safety or a risk to life, or a system downtime outage that leads to a contractual loss.

Risk Score Formula

To generate a risk score, you multiply the likelihood by the impact:

Likelihood x Impact = Risk Score

Risk Mitigation Strategy

That score determines a default behaviour, which can be overridden. What you are looking at here is an example risk mitigation strategy: a minor risk is something we would accept, and a critical risk is something we would, by default, reduce. If we want to accept a critical risk instead, that requires the sign-off of the CEO.

ISO 27001-Risk-Classification-and-Mitigation-Table
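As an added example (not part of this tutorial or its templates), the scoring and default-treatment logic described above, as it might sit behind a risk register. The 1–5 scales and the score bands are constructed assumptions, since the page's own likelihood, impact and classification tables are images; the rule that accepting a critical risk needs CEO sign-off is the one the text states.

```python
"""Risk scoring and default treatment for an ISO 27001 style risk register.

Added example. The 1-5 scales and the classification bands are constructed
assumptions; the tutorial's own tables are not reproduced here.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed 1-5 likelihood and impact scales (assumption, see module docstring).
LIKELIHOOD = {"very unlikely": 1, "unlikely": 2, "possible": 3,
              "probable": 4, "highly probable": 5}
IMPACT = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}

# Constructed bands over the 1-25 score with the default treatment for each.
# Follows the page's rule: minor risks are accepted, critical risks are reduced.
BANDS = [(1, 4, "minor", "accept"), (5, 9, "moderate", "reduce"),
         (10, 15, "major", "reduce"), (16, 25, "critical", "reduce")]


def risk_score(likelihood: str, impact: str) -> int:
    """Likelihood x Impact = Risk Score (the tutorial's formula)."""
    return LIKELIHOOD[likelihood.lower()] * IMPACT[impact.lower()]


def classify(score: int) -> Tuple[str, str]:
    """Map a score onto its classification and default treatment."""
    for low, high, classification, treatment in BANDS:
        if low <= score <= high:
            return classification, treatment
    raise ValueError(f"score {score} is outside the 1-25 range")


@dataclass
class RiskEntry:
    risk_id: str
    owner: str                      # every identified risk needs a risk owner
    likelihood: str
    impact: str
    treatment: Optional[str] = None  # explicit override of the default, if any
    approved_by: Optional[str] = None


def evaluate(entry: RiskEntry) -> dict:
    """Score and classify one entry and enforce the CEO sign-off rule."""
    score = risk_score(entry.likelihood, entry.impact)
    classification, default = classify(score)
    treatment = entry.treatment or default
    if classification == "critical" and treatment == "accept" and entry.approved_by != "CEO":
        raise PermissionError(f"{entry.risk_id}: accepting a critical risk requires CEO sign-off")
    return {"id": entry.risk_id, "owner": entry.owner, "score": score,
            "classification": classification, "treatment": treatment,
            "overridden": treatment != default}
```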

Conclusion

That is risk assessment. For further reading, see The Ultimate Guide to the ISO 27001 Risk Register, which covers the risk register and how these informational elements transpose into the day-to-day operation of the risk register and overall risk management.
