hello I’m Stuart Barker the ISO27001 Ninja and in this blog we’re going to do an overview of ISO27001 Information Security Risk Treatment.

ISO27001 Risk Treatment is covered in detail in the implementation guide: ISO 27001 Clause 6.1.3 Information Security Risk Treatment but here we take a look at a summary overview.

Watch

Introduction

So, the risk treatment forms part of the wider risk management, there are blogs and videos and guides on risk management where we take a deep dive and there are other detailed implementation guides related to the other ISO27001 Clauses but here we’re going to look at information security risk treatment and then I’m going to give you some tips and some walkthroughs about how you can satisfy that. First of all we’re going to start off with a little look and see what the standard says then we’ll look at how we’re going to address it.

Definition

So, ISO27001 6.1.3 information security risk Treatment – the organisation shall define and apply an information security risk treatment process to

– we’re going to select the appropriate information security risk treatment options,

– we’re going to determine all of the controls that are necessary to implement the information security risk treatment options chosen,

– we’re going to compare those controls to ISO27001 annex A

– we’re going to produce a statement of applicability that contains the controls that mitigate our risks.

– We’re going to formulate our information security risk treatment plan and

– we’re going to obtain the approval, well, we’re going to identify risk owners and then we are going to obtain their approval for the risk treatment options that we’ve got.  

The standard also says that the organization shall retain documented information about the information security risk treatment process, so, you’re going to keep that history and you’re going to keep that documentation.

Let’s have a look through each one of those.

DO IT YOURSELF ISO27001

STOP SPANKING £10,000s

information security risk management procedure

So, the first thing we’re going to do is we are going to implement our risk management procedure.

ISO 27001 Risk Management Procedure Template

We’ve touched on it before so I don’t need to go into it in detail but there are various things that are covered within that and yes it’s an ISO27001 Template on the hightable.io website, yes it’s part of the ISO27001 Toolkit, as are all the documents. It looks at things like risk register, risk identification, risk assessment, and risk treatment, which is the thing that we’re interested in today.

ISO27001 Risk Treatment Options

We’re going to identify what our risk treatment options are for us. Risk assessment generates a risk score – we covered that in ISO27001 Risk Assessment and based on that score we have a risk treatment option. Our risk treatment options are going to be –

  • risk avoidance
  • risk reduction
  • risk acceptance
  • risk transfer

Risk avoidance

Risk avoidance is where the failure cost is too great and therefore, the risk is not taken and we don’t accept the risk.

Risk reduction

Risk reduction is where the gross risk is high thereby reducing the probability or impact of the risk through controls.

Risk acceptance

Risk acceptance is where the gross risk is accepted as it stands.

Risk Transfer

Risk transfer is that we transfer part of a risk to a third party, for example, via insurance or outsourcing.

ISO27001-Risk-Classification-and-Mitigation-Table

Determining Controls

So, we’ve identified what our risk treatments options are, now we’re going to determine the controls that are necessary, now determining the control for B and C in the standard, I kind of flip these around a little bit.

The actual way that you go about it is you identify what the risks are to your information security management system, you identify what the risks are to your information security posture and then you choose the controls that help to mitigate those risks, okay, so it’s kind of like horse before the cart in terms of the standard.

The standard is saying – go away and choose some controls then compare it to the ISO27001 Annex A. I find the easiest way of doing it is going through the Annex A and then picking the controls within Annex A that mitigate the risks that you’ve got.

Now the reality again, top tip, the reality is the majority of the controls are going to be controls that you’re going to implement so start with a statement of applicability, looking at the risks that you’ve identified choose the controls from the statement of applicability, then if there are additional controls that you think that you need then add them on.

I would therefore flip those two the other way around.

ISO27001 Statement of Applicability

So we’ve gone through our risk, we’ve identified our risk, we know what our risk treatment options are, we’ve now picked our controls, what the standard then says is to create a statement of applicability. Again, there are videos on the statement of applicability but let’s take a little look at what that looks like.

When it comes to our statement of applicability the template that is on high table actually covers the 2013 and the 2022 version. Let’s look at the 2022 Version.

ISO27001 2022 Statement of Applicability Laptop

So, the way that the statement of applicability is set out is we take the annex a controls and we list what those annex A controls are, we set the control objective, then we need to know why we need it – so here what you can see is we have the driver of why this is required, either it’s a business need, a risk need, a legal need or a contractual need. There is an argument to be said that within our statement of applicability, if it is a risk reason, that we can from a bureaucratic overhead point of view, map which particular risks this control satisfies. Whether you do that on the risk register, or whether you do that in the statement of applicability is up to you but I prefer to keep the statement of applicability as clean as possible and I keep it nice and simple. What we then state is whether or not this control is applicable or not. We record the date it was last assessed and if it isn’t applicable, which some of the controls won’t be, then we put why this is not applicable.

Risk Treatment Plan

So, we’ve identified and we’ve recorded our statement of applicability, we’ve looked at the necessary controls, we put that justification for inclusion, we’re putting in whether their necessary controls are implemented or not and we’re putting for the justification for exclusion, if it is the case that we are not going to implement a control and remember that the controls this is a risk-based system.  A lot of people will go through this and think it’s a checklist, it isn’t, we’re choosing our controls based on our risk and it is absolutely appropriate that some of these controls we’re not going to have. It is equally appropriate that some of these controls we’re just going to accept the risk, not actually necessarily going to mitigate the risk by implementing the control to the end degree.

Then what we do is we formulate our risk treatment plan. The way that we formulate our risk treatment plan is we populate, and we use our risk register, the risk register tool is a fundamental tool in our arsenal when it comes to the management of risk. I’m not going to go through in detail the risk register as there is another video on that that looks at all about how we do the risk, risk treatment, risk when it was first identified and residual risk but what I am going to show you is how we record that within the risk register. Be sure to check out the other video on the deep dive into the risk register but what we can see is we’ve got the risk scoring and we are going to formulate our risk treatment plan by identifying what that risk treatment is.

Risk Register

ISO 27001 Risk Register Example 2

We’re going to identify what our risk treatment plan is, we’re going to allocate a treatment owner, we’re going to set a treatment date, then we’re going to record whether or not it’s open or closed or not. Actually, once we’ve completed our treatment we’re then going to rescore our risk and this is called residual risk. So, what we do is we identify what the new control or controls are, we rescore it and that generates a new risk score – just as a point of note what should happen is that our risk when first identified and our residual risk, that risk posture should improve, we shouldn’t necessarily be doing a risk treatment that doesn’t mitigate, reduce, address, or treat that risk. We don’t want those risks increasing.

So, there’s a lot of information within there and a lot within the risk register. Once we’ve done that what we’re going to do then is we are going to identify who our risk owners are. Again, we can record that in the risk register and then we’re going to seek approval from them for that risk treatment plan.

Conclusion

So that is how we address our risk treatment and what we’re doing is we’re documenting all of that – so we have our risk register, we have our risk scoring, we have our archive you know, we have our previous version, so that we’ve got documented evidence of that. It may be the case that when you do your risk treatment planning, again depending on how mature you are, whether or not you follow some kind of project methodology, that you can supplement that and more detailed documentation around risk treatment plans but from the information security management perspective just recording it in the risk register is going to be sufficient

For today that was ISO 27001 Clause 6.1.3 information security risk treatment. As we continue our journey through, those the templates that you’ve seen today are available for download from the High Table ISO27001 store, clearly, they’re part of the iso 27001 Toolkit, so be sure to check those out if it’s something that you would see some benefit in and gain from.

So, I am Stuart Barker. I am the ISO27001 Ninja. That was ISO27001 Clause 6.1.3 information security risk treatment and until the next blog, peas out