ISO 27001 Information Security Risk Assessment

Home / ISO 27001 / ISO 27001 Information Security Risk Assessment

hello! I’m Stuart Barker the ISO 27001 Ninja and this is ISO 27001 Clause 6.1.2 Information Security Risk Assessment. Come with me as we do a deep dive into how to satisfy this requirement to be successful at your ISO 27001 Certification.

ISO 27001 Information Security Risk Assessment is covered in ISO 27001 Clause 6.1.2 Information Security Risk Assessment. Here we take a look at how to implement it.

Watch

Definition

So we start the process by understanding the requirement and we do that by looking at the definition. We’re going to understand what the standard wants from us so that we can work out what we need to comply and satisfy this ISO 27001 Clause. This is quite a big clause so buckle up.

The standard defines ISO 27001 Information Security Risk Assessment as:

The organisation shall define and apply an information security risk assessment process that:
a) establishes and maintains information security risk criteria that include:
1) the risk acceptance criteria; and
2) criteria for performing information security risk assessments;
b) ensures that repeated information security risk assessments produce consistent, valid and
comparable results;
c) identifies the information security risks:
1) apply the information security risk assessment process to identify risks associated with
the loss of confidentiality, integrity and availability for information within the scope of the
information security management system; and
2) identify the risk owners;
d) analyses the information security risks:
1) assess the potential consequences that would result if the risks identified in 6.1.2 c) 1) were to
materialize;
2) assess the realistic likelihood of the occurrence of the risks identified in 6.1.2 c) 1); and
3) determine the levels of risk;
e) evaluates the information security risks:
1) compare the results of risk analysis with the risk criteria established in 6.1.2 a); and
2) prioritise the analysed risks for risk treatment.
The organisation shall retain documented information about the information security risk assessment
process.

DO IT YOURSELF ISO27001

Stop Spanking £10,000’s on Consultants and Platforms

ISO 27001 Toolkit Business Edition

Implementation Guide

We’re going to take a look at a couple of artefacts that are nice and easy and quick and simple about how you can go about addressing this particular part of the ISO 27001 Clause.

So ISO 27001 Clause 6.1.2 the organisation shall define and apply an information security risk assessment process that – now this is broken down into five parts – it wants the risk assessment to establish and maintain a risk criteria, ensure that repeated information security assessments produce consistent results, identify the information security risks, analyse the information security risks and then evaluate those information security security risks.

Documented Process

So the way that we’re going to do that is first of all we’re going to have a documented process. So we’re going to have a documented risk process. The documented risk process that you can download as a Risk Management Process Template or that you get as part of the ultimate ISO 27001 Toolkit, or that you can create yourself but you need a documented process.

Within that documented process you’re going to implement risk identification, risk assessment, risk treatment. You’re going to have that documented process.

The reason you have a documented process is about documented maturity, so, it wants us to have a repeatable process that generates the same results irrespective of the person that does it and how they do it. Having it documented, we follow a structured approach.

ISO 27001 Risk Management Procedure Template

Identify Information Security Risks

We’re going to identify our information security risks but we’re going to identify them for the in scope, that is the things in scope of the information security management system. It’s important to note that. I mean it is a slight nuance, a slight subtlety but we’re looking for risk assessment within the scope of the information security management system.

Identify and Assign Roles

We’re going to identify risk owners. There are a number of roles that happen when it comes to risk.

You’ve got:

risk owners – the owner of the risk that is accountable for the risk and the risk treatment

asset owners – the owner of the asset to which the risk applies

risk treatment owners – the owner of the risk treatment plan

Risk Analysis

When we have assigned our roles, we’re going to do some analysis.

We’re going to look at things like – what is the likelihood of a risk occurring? We’re going to score that risk likelihood. To do that we’re going to have a table and we’re going to put together a table with scoring within it and guidance within it.

We’re going to look at what is the impact if that risk were to be realised. What is the impact on our organisation.

Then what we’re going to do is generate a risk score and that risk score is is going to generate a consistent approach to our risk treatment and our risk accept acceptance.

Risk Likelihood

If I was to go through and have a look at the risk treatment procedure what you can see within there is that we have within the risk assessment aspect of that, we have a table, so this is an example, let me show you an example of the table, a likelihood table where we’re scoring likelihood on a one through five range, from one being rare, highly unlikely to occur, five being highly probable.

ISO27001 Risk Likelihood Table

You can change the definitions of this based on your environment, you know, if you’re in financial services, high transactions, then highly probable could be in seconds and minutes not months and years and weeks but this works for the majority of the small businesses that I engage with. Highly probable, likely to happen within the next month, rare is highly unlikely to happen.

Risk Impact

So you’re going to have a likelihood table and you’re going to have an impact table. Aagain I’m just going to show you what that can look like. Impact again on a one through five range where one is very low, score of one and high is a five, very high is a five.

ISO 27001 Risk Impact Table

When it comes to impacts we’re looking at legal and regulatory impact, impact on our customers, impact on the health and safety of individuals.

So we can see that very low as no perceived impact.

Very high is a Legal and Regulatory breach, it’s an impact on health and safety, risk to life, or it’s generating system downtime outage that leads to a contractual loss and then there’s a graduation within that.

Risk Score Formula

What you’ve then got is a multiplication formula, you multiply the likelihood by the impact and that generates a score and I’m going to put a copy up here of the risk mitigation strategy based on that score.

Risk Mitigation Strategy

That score will generate some default behaviour which can be overridden but what we’re looking at here is, you know by default, a minor risk is something that we would accept, a critical risk is something that by default we would reduce and if we want to accept it it would require the sign off of the CEO to sign that off. So what you can see is we’ve got a risk management process.

ISO 27001-Risk-Classification-and-Mitigation-Table

What I’m going to do is I’m going to point you here and say go and have a look at the The Ultimate Guide to the ISO 27001 Risk Register that relates to the risk register and how these informational elements transpose into the day-to-day operation of the risk register.

Conclusion

There’s a couple of Clauses that we’re going to look at that rely on the risk register so I’m not going to cover that in detail here. I want you to call out and have a look at that Ultimate Guide to the ISO 27001 Risk Register but know the fact that you’re assessing your risks, you’re looking at the likelihood, you’re looking at the impact, you’re generating a score, then based on that score you’re taking some default action, you’re classifying that risk with a level, you are allocating risk owners, you are identifying your risks within the information security management system scope and as part of your overall risk management process and implementation you’re clearly going to satisfy this particular ISO 27001 Clause.

So that was ISO 27001 Cause 6.1.2 Risk Assessment.

My name is Stuart Barker. I am the ISO 27001 Ninja. Be sure to check back for the next blog which is looking at risk treatment but for now peas out.

ISO 27001:2022 requirements

Organisational Controls - A5

ISO 27001 Annex A 5.1 Policies for information security

ISO 27001 Annex A 5.2 Information Security Roles and Responsibilities

ISO 27001 Annex A 5.3 Segregation of duties

ISO 27001 Annex A 5.4 Management responsibilities

ISO 27001 Annex A 5.5 Contact with authorities

ISO 27001 Annex A 5.6 Contact with special interest groups

ISO 27001 Annex A 5.7 Threat intelligence – new

ISO 27001 Annex A 5.8 Information security in project management

ISO 27001 Annex A 5.9 Inventory of information and other associated assets – change

ISO 27001 Annex A 5.10 Acceptable use of information and other associated assets – change

ISO 27001 Annex A 5.11 Return of assets

ISO 27001 Annex A 5.11 Return of assets

ISO 27001 Annex A 5.13 Labelling of information

ISO 27001 Annex A 5.14 Information transfer

ISO 27001 Annex A 5.15 Access control

ISO 27001 Annex A 5.16 Identity management

ISO 27001 Annex A 5.17 Authentication information – new

ISO 27001 Annex A 5.18 Access rights – change

ISO 27001 Annex A 5.19 Information security in supplier relationships

ISO 27001 Annex A 5.20 Addressing information security within supplier agreements

ISO 27001 Annex A 5.21 Managing information security in the ICT supply chain – new

ISO 27001 Annex A 5.22 Monitoring, review and change management of supplier services – change

ISO 27001 Annex A 5.23 Information security for use of cloud services – new

ISO 27001 Annex A 5.24 Information security incident management planning and preparation – change

ISO 27001 Annex A 5.25 Assessment and decision on information security events 

ISO 27001 Annex A 5.26 Response to information security incidents

ISO 27001 Annex A 5.27 Learning from information security incidents

ISO 27001 Annex A 5.28 Collection of evidence

ISO 27001 Annex A 5.29 Information security during disruption – change

ISO 27001 Annex A 5.31 Identification of legal, statutory, regulatory and contractual requirements

ISO 27001 Annex A 5.32 Intellectual property rights

ISO 27001 Annex A 5.33 Protection of records

ISO 27001 Annex A 5.34 Privacy and protection of PII

ISO 27001 Annex A 5.35 Independent review of information security

ISO 27001 Annex A 5.36 Compliance with policies and standards for information security

ISO 27001 Annex A 5.37 Documented operating procedures 

Technology Controls - A8

ISO 27001 Annex A 8.1 User Endpoint Devices

ISO 27001 Annex A 8.2 Privileged Access Rights

ISO 27001 Annex A 8.3 Information Access Restriction

ISO 27001 Annex A 8.4 Access To Source Code

ISO 27001 Annex A 8.5 Secure Authentication

ISO 27001 Annex A 8.6 Capacity Management

ISO 27001 Annex A 8.7 Protection Against Malware

ISO 27001 Annex A 8.8 Management of Technical Vulnerabilities

ISO 27001 Annex A 8.9 Configuration Management 

ISO 27001 Annex A 8.10 Information Deletion

ISO 27001 Annex A 8.11 Data Masking

ISO 27001 Annex A 8.12 Data Leakage Prevention

ISO 27001 Annex A 8.13 Information Backup

ISO 27001 Annex A 8.14 Redundancy of Information Processing Facilities

ISO 27001 Annex A 8.15 Logging

ISO 27001 Annex A 8.16 Monitoring Activities

ISO 27001 Annex A 8.17 Clock Synchronisation

ISO 27001 Annex A 8.18 Use of Privileged Utility Programs

ISO 27001 Annex A 8.19 Installation of Software on Operational Systems

ISO 27001 Annex A 8.20 Network Security

ISO 27001 Annex A 8.21 Security of Network Services

ISO 27001 Annex A 8.22 Segregation of Networks

ISO 27001 Annex A 8.23 Web Filtering

ISO 27001 Annex A 8.24 Use of CryptographyISO27001 Annex A 8.25 Secure Development Life Cycle

ISO 27001 Annex A 8.26 Application Security Requirements

ISO 27001 Annex A 8.27 Secure Systems Architecture and Engineering Principles

ISO 27001 Annex A 8.28 Secure Coding

ISO 27001 Annex A 8.29 Security Testing in Development and Acceptance

ISO 27001 Annex A 8.30 Outsourced Development

ISO 27001 Annex A 8.31 Separation of Development, Test and Production Environments

ISO 27001 Annex A 8.32 Change Management

ISO 27001 Annex A 8.33 Test Information

ISO 27001 Annex A 8.34 Protection of information systems during audit testing