Risk assessment is a critical step in your ISO 27001 certification journey. An organization-wide risk assessment, in fact, is the central focus of ISO 27001. The information security standard protects an organization’s information assets by identifying the risks and protecting them by deploying relevant security controls and measures. In this article, we highlight the main steps to an effective ISO 27001 risk assessment, and discuss the best practices involved in going about this critical step. And don’t miss our ‘quick and dirty’ cheat sheet on risk assessment at the end of the article.
What is an ISO 27001 Risk Assessment?
Risk assessment, plainly put, is the process by which an organization identifies its many information security risks, and their likelihood and impact. It’s a critical step in your ISO 27001 certification, and forms the foundation of your information security practices. It follows the setting up of a robust and cost-effective Information Security Management System (ISMS).
The entire process is complex and requires a detailed and integrated approach to risk management – from risk identification to risk assessment, and eventually executing a risk treatment plan to mitigate the risks.
How to do a Risk Assessment for ISO 27001?
As you may have realized, risk assessment is subjective; no two organizations can have identical risks and assessments. But before you begin the process, it is a good practice to define your approach to it.
- How do you determine risk?
- How will you identify the information security risks to your organization?
- What standard process will you follow to estimate risk likelihoods and impacts?
- What level of risk is acceptable to your organization?
A standardized definition and process (aka risk assessment methodology) will help determine the starting point for establishing a risk management framework. Remember to get management buy-in, review and approval at every step, and document each of those decisions.
As a practice, it’s a good idea to revisit and review risk assessments at least once a year, or in the event of a material change in your operating environment.
Here’s a five-step process you can adopt to conduct a risk assessment for your organization:
Step 1: Identify the Risks, Threats & Vulnerabilities to your Assets
To begin with, make a list of the information assets across your organization. These would include your software, hardware, databases, and intellectual property, to name a few. Once you have a comprehensive asset list, identify the risks to each asset – risks that could impact the confidentiality, integrity, and availability of each listed information asset.
Your threats and vulnerabilities could range from unauthorized access to your database, through embezzlement and espionage, to inadequate data backups and weak password management, to name a few. As we mentioned earlier, the risks are subjective and depend on the scope of your ISMS, your business type and your operating environment.
Remember, your ISMS should define and document the list of assets included in its scope. It should also cite reasons for the exclusion of assets, if any.
Step 2: Assigning Owners to the Identified Risks
Often overlooked, this is an essential step in determining the success of your organization’s risk assessment exercise. For every risk, assign risk owners who would be in charge of monitoring the risk, and eventually implementing the risk treatment plans.
Step 3: Analyse the Risks, their Impact and Likelihood of Occurrence
ISO 27001 doesn’t define any specific way to analyze and score the risks. It is, therefore, essential to determine an organization-wide standardized approach for the same. Remember, you will base your risk analysis on this pre-defined approach.
Once you have identified and defined your risk universe, the next step is to analyze the identified risks by assigning each a likelihood of occurrence and ranking its potential impact on a scale of 1-10 (10 being the highest impact). You could also rank them Low-Medium-High.
Step 4: Calculate the Impact of Risks
To calculate the impact of the risks, it helps to categorize them first. Depending on the nature of your business, your risk categories could be financial, legal, regulatory and reputational, to name a few. While rating the impact, you must also consider factors such as how fast the impact will be felt and the likelihood of its occurrence.
The scores you assign (from 1-10 or low-medium-high) will help you design and prioritize your risk treatment process.
Step 5: Deploy Risk Mitigation & Treatment Plan
Now that you have analyzed the risks and assigned an impact to them, the next step is to define and design a risk treatment plan around them. Doing this is a crucial step, and you must maintain comprehensive documentation of the same.
The risk treatment plan, in short, documents your responses to the threats, vulnerabilities and risks you have identified in your risk assessment exercise. Know that this document is critical to your ISO 27001 certification. Your external auditor will go over it in detail during your ISO 27001 certification audit and the subsequent periodic audits.
Before we dive into your risk responses, it’s essential to define the risk acceptance criteria – what level of risk is acceptable to your organization? This benchmark will help you design an appropriate risk treatment plan. The ISO 27001 standard sets out four possible risk treatment options. They are:
Treat the Risk
If the risk score is above what’s acceptable, you can reduce its impact or likelihood by deploying the security controls listed in Annex A of ISO 27001. Security awareness training, access control, penetration testing, and vendor risk analysis are some of the ways you can treat risks.
Avoid the Risk
Another response to an identified risk is to look for ways of avoiding the risk altogether. If the risk-return matrix is lopsided, you can choose to avoid the risk in its entirety. For instance, if you are a remote-only organization, you avoid the risk of maintaining the physical security of your own production infrastructure or data centers.
Transfer the Risk
Where feasible, you could modify the risk by transferring it to a third party. You could do this by contracting vendors, outsourcing a particular job function, or buying insurance, for instance.
Accept the Risk
If the cost of treating the risk is higher than the cost of its impact, you can choose to accept the risk. The objective of your risk treatment plan is to bring the risk levels of your information assets, wherever possible, to an acceptable level.
Remember, you can’t eliminate all your risks. You can, however, devise a detailed plan for what should be done in the event of a ‘risky eventuality’. These include data breaches, cybersecurity attacks and other such incidents that put the security of your data at risk. Your risk treatment plan should include well-thought-out incident response and incident management.
Risk Treatment Plan & Statement of Applicability
Your Risk Treatment Plan and Statement of Applicability are two crucial documents in your ISO 27001 journey.
Clause 6.1.3 of the ISO 27001 Standard states that an SOA must contain the following:
- List of controls identified as a response to the identified risks
- An explanation for the choice of controls, how they have been implemented, and reasons for the omission of controls, where applicable
A Statement of Applicability outlines whether each of the controls defined within Annex A of the ISO 27001 standard will be applied or not, based on your Risk Treatment Plan. For each risk, you must evaluate the options for treatment: applying controls, or accepting, avoiding or transferring the risk.
The SOA must record the actions performed based on the selected option. Again, management approval with documentation is needed for each situation where a risk is accepted.
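Steps 3 to 5 above and the Statement of Applicability section describe a scoring, prioritization and treatment workflow without showing it end to end. The following Python script is an added example written for this article; it is not Sprinto's product, nor a template from the standard. It assumes a likelihood × impact score on the 1-10 scales described above, an acceptance threshold of 20 (an assumption), Low/Medium/High cut-offs at 20 and 50 (also assumed), and a small control catalogue whose references are taken from the 2022 edition of Annex A; the register entries, owners and scores are constructed sample data, not real assets.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Treatment(Enum):
    TREAT = "treat"        # reduce likelihood or impact with Annex A controls
    AVOID = "avoid"        # stop the activity that carries the risk
    TRANSFER = "transfer"  # insurance, outsourcing, supplier contracts
    ACCEPT = "accept"      # requires documented management approval


@dataclass
class Risk:
    asset: str
    threat: str
    owner: str                      # Step 2: every risk has a named owner
    category: str                   # financial / legal / regulatory / reputation
    likelihood: int                 # 1-10
    impact: int                     # 1-10, 10 = highest impact
    treatment: Optional[Treatment] = None
    controls: Tuple[str, ...] = ()  # Annex A references chosen for this risk
    residual_likelihood: Optional[int] = None  # expected values after treatment
    residual_impact: Optional[int] = None

    def __post_init__(self) -> None:
        if not (1 <= self.likelihood <= 10 and 1 <= self.impact <= 10):
            raise ValueError(f"{self.asset}: likelihood and impact must be 1-10")
        if not self.owner.strip():
            raise ValueError(f"{self.asset}: '{self.threat}' has no owner")


def inherent(risk: Risk) -> int:
    """Risk score before treatment: likelihood x impact, 1-100."""
    return risk.likelihood * risk.impact


def band(risk_score: int) -> str:
    """Low/Medium/High view of a score; the cut-offs are an assumption."""
    return "Low" if risk_score <= 20 else "Medium" if risk_score <= 50 else "High"


def residual(risk: Risk) -> int:
    """Score expected after treatment; an avoided risk drops to zero."""
    if risk.treatment is Treatment.AVOID:
        return 0
    if risk.treatment in (None, Treatment.ACCEPT):
        return inherent(risk)
    if risk.residual_likelihood is None or risk.residual_impact is None:
        raise ValueError(f"{risk.asset}: treat/transfer needs residual scores")
    return risk.residual_likelihood * risk.residual_impact


def prioritise(register: List[Risk]) -> List[Risk]:
    """Treatment order for the plan: highest inherent score first."""
    return sorted(register, key=inherent, reverse=True)


def check_register(register: List[Risk], threshold: int) -> List[str]:
    """Findings an internal audit would raise against the treatment plan."""
    findings = []
    for risk in register:
        label = f"{risk.asset} / {risk.threat}"
        if risk.treatment is None:
            findings.append(f"{label}: no treatment option recorded")
        elif risk.treatment is Treatment.TREAT and not risk.controls:
            findings.append(f"{label}: 'treat' chosen but no controls selected")
        elif risk.treatment is Treatment.ACCEPT and inherent(risk) > threshold:
            findings.append(f"{label}: accepted at {inherent(risk)} > {threshold}, needs documented approval")
        elif residual(risk) > threshold:
            findings.append(f"{label}: residual {residual(risk)} still > {threshold}")
    return findings


def statement_of_applicability(register: List[Risk], catalogue: Dict[str, str]) -> Dict[str, dict]:
    """Mark each catalogue control applicable or excluded, with the reason."""
    soa = {}
    for control_id, title in catalogue.items():
        justified_by = [f"{r.asset}: {r.threat}" for r in register if control_id in r.controls]
        soa[control_id] = {"title": title, "applicable": bool(justified_by),
                           "justification": justified_by or ["no in-scope risk requires this control"]}
    return soa


# Control references assumed from the 2022 edition of Annex A; check them against your copy.
CATALOGUE = {
    "A.5.15": "Access control",
    "A.6.3": "Information security awareness, education and training",
    "A.7.4": "Physical security monitoring",
    "A.8.13": "Information backup",
}
ACCEPTANCE_THRESHOLD = 20  # assumed: scores at or below 20 are acceptable

# Constructed sample register; assets, owners and scores are illustrative.
REGISTER = [
    Risk("Customer database", "unauthorised access", "DBA lead", "regulatory", 6, 9, Treatment.TREAT, ("A.5.15",), 2, 9),
    Risk("Production data", "inadequate backup", "Platform lead", "financial", 4, 8, Treatment.TREAT, ("A.8.13",), 1, 8),
    Risk("Staff laptops", "phishing / credential theft", "IT manager", "reputation", 7, 5, Treatment.TREAT, ("A.6.3",), 5, 5),
    Risk("Payroll processing", "supplier mishandles personal data", "Finance head", "legal", 3, 7, Treatment.TRANSFER, (), 3, 4),
    Risk("On-premises data centre", "physical intrusion", "CTO", "financial", 2, 6, Treatment.AVOID),
    Risk("Marketing website", "defacement", "Marketing lead", "reputation", 3, 3, Treatment.ACCEPT),
]
```

Calling `prioritise(REGISTER)` orders the plan with the customer database (score 54, High) first; `check_register(REGISTER, ACCEPTANCE_THRESHOLD)` raises one finding, because the laptop phishing risk still scores 25 after awareness training and therefore needs either a stronger control or a documented acceptance; and `statement_of_applicability(REGISTER, CATALOGUE)` marks the physical-security control as excluded with the reason that no in-scope risk requires it, since the only risk it would address has been avoided. That last row is exactly the kind of justification for an omitted control that Clause 6.1.3 asks for.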
ISO 27001 Risk Assessment Template
The overall objective of the risk assessment exercise is to implement a risk treatment plan using the ISO 27001 controls list such that your organization’s residual risk is acceptable. The primary objective is business continuity.
You will do well to keep this in mind while selecting a risk assessment and treatment template. While there are many free ISO 27001 risk assessment tools and templates, choose one that fits your organization’s risk universe. A simple spreadsheet with a logical approach to asset-based risk management can also help here.
Risk Assessment ISO 27001 Report
The risk assessment report provides an overview of what you found. It will be reviewed meticulously during your ISO 27001 internal audits as well as certification audits. It should include the following:
- List of information assets and asset owners, the risk assessment framework (including the criteria for accepting risk), and management approval for acceptance of residual risks, to name a few.
- The risk treatment applied, and the impact of the risk on the availability, integrity and confidentiality of each of your assets before and after treatment.
- Order of priority for treating the risks, the controls applied, and target timeline for applying the treatment.
- A comprehensive risk management framework that describes all steps and relevant methods required to be carried out in terms of the risk assessment process. These include asset identification, threat & vulnerability identification, control analysis, business impact analysis, risk determination, control recommendations as well as results documentation.
Apart from these, your documentation should also include the evaluation periodicity of the controls. An internal audit of your controls will help find glaring gaps, if any, in the process. A gap analysis will help you ensure you are on the right track.
Simplify ISO 27001 Risk Assessment Procedure with Sprinto
Sprinto’s newly-introduced Integrated Risk Assessment feature has been designed to ensure your approach to risk assessment is as holistic as it is sure-footed. From identifying risks to assessing their impacts to mitigating them, the entire risk management process has now been broken down into easy-to-understand, scalable and framework-agnostic steps in the app.
What’s more, you needn’t worry about having missed any pertinent risk(s), thanks to Sprinto’s expertly-organized risk library.
Here’s a look at why Sprinto’s Integrated Risk-Assessment feature can help you:
Curated Risk Profile
With Sprinto’s curated risk register, your risk assessment will be more exhaustive but without the exhaustion of it! With a comprehensive risk library, Sprinto will now give you a 360-degree view of org-wide, entity-down risks. As a result, you will only work with the risks relevant to your business instead of wasting time chasing tangential ones.
Rate your Impact with Insight
Rating the impact of the identified risks needn’t be just a game of guts. You can use Sprinto’s industry benchmarks as a sounding board to ensure you are on the right track. You can then dig into Sprinto’s pre-mapped controls list to decide your risk treatment and mitigation plan. The integrated risk-assessment feature is designed to ensure you are sure every step of the way.
You needn’t meticulously maintain versions of spreadsheets, or send back-and-forth emails to get management approval anymore. You can now assess, review, edit, and ready your organization’s risk profile from a single screen. You can also get your management to review the risk register simply by adding them to the platform. And once you have management buy-in, your onboarded auditors can review and audit your risk profile on their dashboard. It is that simple.
Make risk assessment your strong suit. Talk to us today!