Five Steps to an Effective ISO 27001 Risk Assessment

Srividhya Karthik

Sep 23, 2023


Risk assessment is a critical step in your ISO 27001 certification journey. An organization-wide risk assessment, in fact, is the central focus of ISO 27001. The information security standard helps to protect an organization’s information assets by identifying the risks to them and then protecting those assets by deploying relevant security controls and measures.

In this article, we highlight the main steps to an effective ISO 27001 risk assessment and discuss the best practices involved in going about this critical step. And don’t miss our ‘quick and dirty’ cheat sheet on risk assessment at the end of the article.

What is ISO 27001 risk assessment?

The ISO 27001 risk assessment is a systematic process by which an organization identifies its information security risks, their likelihood, and their impact, so as to implement plans to mitigate them. It follows the setting up of a robust and cost-effective Information Security Management System (ISMS).

The entire process is complex and requires a detailed and integrated approach to risk management – from risk identification to risk assessment, and eventually executing a risk treatment plan to mitigate the risks.

How to perform ISO 27001 risk assessment

Risk assessment is subjective; no two organizations can have identical risks and assessments. Here are some points you should consider.

  • How do you determine risk?
  • How will you identify the information security risks to your organization?
  • What standard process will you follow to estimate risk likelihoods and impacts?
  • What level of risk is acceptable to your organization?

A standardized definition and process will help determine the starting point for establishing the framework. Make sure you document all the steps.


Here is the five step procedure to perform ISO 27001 risk assessment for your organization:

1. Identify the risks, threats & vulnerabilities to your assets

To begin with, make a list of the information assets across your organization. These would include your software, hardware, databases, and intellectual property, to name a few. Once you have a comprehensive asset list, identify the risks to each asset – risks that could impact the confidentiality, integrity, and availability of each listed information asset. 

Your threats and vulnerabilities could range from unauthorized access to your database, to embezzlement and espionage, to inadequate data backup and password management, to name a few. As we mentioned earlier, the risks are subjective and dependent on the organization’s scope of ISMS, its business type, and operating environment.

Remember, your ISMS should define and document the list of assets included in its scope. It should also cite reasons for the exclusion of assets, if any.


2. Assigning owners to the identified risks

Often overlooked, this is an essential step in determining the success of your organization’s risk assessment exercise. For every risk, assign risk owners who would be in charge of monitoring the risk, and eventually implementing the risk treatment plans. 

3. Analyse the risks, their impact and the likelihood of occurrence

ISO 27001 doesn’t define any specific way to analyze and score the risks. It is, therefore, essential to determine an organization-wide standardized approach for the same. Remember, you will base your risk analysis on this pre-defined approach.

Once you have identified and defined your risk universe, the next step is to analyze the identified risks by assigning each a likelihood of occurrence and ranking its potential impact on a scale of 1-10 (10 being the highest impact). You could also rank them Low-Medium-High.


4. Calculate the impact of risks

To calculate the impact of the risks, it is good practice to categorize them first. Depending on the nature of your business, your risk categories could be financial, legal, regulatory, and reputational, to name a few. While rating the impact, you must also consider factors such as how fast the impact will be felt and the likelihood of its occurrence.

The scores you assign (from 1-10 or low-medium-high) will help you design and prioritize your risk treatment process. 


5. Deploy risk mitigation and treatment plan 

Now that you have analyzed the risks and assigned an impact to them, the next step is to define and design a risk treatment plan around them. Doing this is a crucial step, and you must maintain comprehensive documentation of the same.

The risk treatment plan, in short, documents your responses to the threats, vulnerabilities and risks you have identified in your risk assessment exercise. Know that this piece of document is critical to your ISO 27001 certification. Your external auditor will go over it in detail during your ISO 27001 certification audit and the subsequent periodical audits.

Before we dive into your risk responses, it’s essential to define the risk acceptance criteria – what are acceptable risks for your organization? This benchmark will help you design an appropriate risk treatment plan. The ISO 27001 standard sets out four possible risk treatment options. They are:


Treat the risk

If the risk score is above what’s acceptable, you can reduce its impact or likelihood by deploying the security controls as outlined in the ISO 27001 controls in Annex A. Security awareness training, access control, penetration testing, and vendor risk analysis are some of the ways you can treat risks.

Avoid the risk

Another response to the identified risk is to look for ways to avoid the risk altogether. If the risk-return matrix is lopsided, you can choose to avoid the risk in totality. For instance, if you are a remote-only organization, you can avoid the risk of maintaining the physical security of your production infrastructure or data centers.

Transfer the risk

Where feasible, you could modify the risk by transferring it to a third party. You could do this by contracting vendors, outsourcing a particular job function, or buying insurance, for instance.

Accept the risk 

The objective of your risk treatment plan is to bring the risk levels of your information assets, wherever possible, to an acceptable level. Remember, you can’t eliminate all your risks. You can devise a detailed plan on what should be done in the event of a ‘risky eventuality’. These include data breaches, cybersecurity attacks and other such incidents that put the security of your data at risk. Your risk treatment plan should include well-thought-out incident response and incident management.
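As an added example (not from the article or from Sprinto’s product), here is a small risk register in Python that applies the rules from steps 3 to 5 above: likelihood and impact on the 1-10 scale, the Low-Medium-High banding, the four treatment options, and the acceptance criterion and management-approval check the text calls for. The acceptance threshold of 20, the validation rules and the sample rows are assumptions constructed for this example.

```python
from dataclasses import dataclass, field

# Acceptance criterion (this example's assumption, not a value from the standard):
# likelihood x impact, both on the article's 1-10 scale, must be at or below it.
ACCEPTABLE_SCORE = 20

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    owner: str                   # step 2: every risk gets an owner
    likelihood: int              # 1-10
    impact: int                  # 1-10
    treatment: str               # "treat", "avoid", "transfer" or "accept"
    controls: list = field(default_factory=list)  # controls selected when treating
    residual_likelihood: int = 0  # expected after treatment (0 = not estimated)
    residual_impact: int = 0
    management_approved: bool = False  # needed to accept a risk above criteria

    def score(self):
        return self.likelihood * self.impact

    def residual_score(self):
        if self.treatment == "avoid":
            return 0                # the risky activity is dropped altogether
        # accepted or unestimated residual counts as unchanged, so it never passes silently
        return (self.residual_likelihood * self.residual_impact) or self.score()

def band(score):
    """Low-Medium-High banding, the alternative scale the article mentions."""
    return "Low" if score <= 20 else "Medium" if score <= 50 else "High"

def validate(risk):
    """Return the gaps an auditor would flag in one risk treatment entry."""
    gaps = []
    if risk.treatment == "treat" and not risk.controls:
        gaps.append("treat chosen but no controls selected")
    if risk.treatment == "accept":
        if risk.score() > ACCEPTABLE_SCORE and not risk.management_approved:
            gaps.append("accepted above criteria without management approval")
    elif risk.residual_score() > ACCEPTABLE_SCORE:
        gaps.append("residual risk still above acceptance criteria")
    return gaps

# Constructed sample register, loosely following the article's example table.
REGISTER = [
    Risk("Customer database", "Unauthorized access", "Weak passwords, no 2FA", "Head of IT",
         7, 9, "treat", ["strong password policy", "two-factor authentication"], 2, 9),
    Risk("Staff", "Phishing", "No awareness training", "HR lead", 8, 7, "treat",
         ["security awareness training"], 4, 7),
    Risk("Laptops", "Device loss", "No disk encryption", "Head of IT", 5, 6, "transfer", [], 5, 2),
    Risk("Server room", "Physical theft", "No badge access", "Facilities", 3, 5, "accept"),
]
```

Running `validate` over each row of REGISTER flags the phishing entry, whose residual score of 28 is still above the acceptance criterion even after training, which is exactly the kind of gap an auditor would raise against the treatment plan.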

Risk treatment plan and Statement of Applicability

Your Risk Treatment Plan and Statement of Applicability are two crucial documents in your ISO 27001 journey. 

Clause 6.1.3 of the ISO 27001 Standard states that an SOA must contain the following:

  • List of controls identified as a response to the identified risks
  • An explanation for the choice of controls, how they have been implemented, and reasons for the omission of controls, where applicable

A Statement of Applicability outlines whether each of the controls defined within Annex A of the ISO 27001 standard will be applied or not based on your Risk Treatment Plan. For each risk, you must evaluate the options for treatment.

The options are applying controls, or accepting, avoiding or transferring the risk. The SOA must record the actions performed based on the selected option. Again, management approval with documentation is needed for each situation where risks are accepted.


How can we help?

If you are finding it difficult to implement ISO risk assessment, consider talking to our experts about simplifying the process.

ISO 27001 Risk Assessment Examples

The risks vary depending on the industry and other factors. However, here is what a risk assessment table looks like in general. Let us see some examples of ISO 27001 risk assessment.

S. No. | Threat | Vulnerability | Risk Impact (Out of 10) | Mitigation
------ | ------ | ------------- | ----------------------- | ----------
1 | Malware, ransomware, and viruses | Lack of antivirus program and weak firewall defense | 7-8 | Install and regularly update the antivirus program. Have a secure firewall in place.
2 | Unauthorized access to sensitive data | Weak and common system/server passwords and unorganized access controls | 8-10 | Have strong password policies in place with two-factor authentication and implement access controls
3 | Social Engineering (Phishing Attacks) | Lack of security awareness training among the company’s staff | 8-10 | Conduct security awareness training sessions with employees to identify and prevent social engineering attacks
4 | Physical theft or unauthorized access to server rooms | Lack of physical security measures | 5-7 | Install surveillance cameras, access control systems, and alarm systems to improve your physical security


ISO 27001 risk assessment template

The overall objective of the risk assessment exercise is to implement a risk treatment plan using the ISO 27001 controls list such that your organization’s residual risk is acceptable. The primary objective is business continuity.

You will do well to keep this in mind while selecting a risk assessment and treatment template. While there are many free ISO 27001 risk assessment tools and templates,  choose one that fits your organization’s risk universe. A simple spreadsheet with a logical approach to asset-based risk management can also help here.

ISO 27001 risk assessment report

The ISO 27001 risk assessment report will provide an overview of what you find. It would be reviewed meticulously during your ISO 27001 internal audits as well as certification audits. It should include the following:

  • List of information assets and asset owners, the risk assessment framework (including the criteria for accepting risk), and management approval for acceptance of residual risks, to name a few.
  • The risk treatment applied and the impact of the risk on the availability, integrity and confidentiality of each of your assets before and after treatment.
  • Order of priority for treating the risks, the controls applied, and the target timeline for applying the treatment.
  • A comprehensive risk management framework that describes all steps and relevant methods required to be carried out in terms of the risk assessment process. These include asset identification, threat & vulnerability identification, control analysis, business impact analysis, risk determination, control recommendations as well as results documentation.

These apart, your documentation should also include the evaluation periodicity of the controls. An internal audit of your controls will help find glaring gaps, if any, in the process. A gap analysis will help you ensure you are on the right track.

Simplify ISO 27001 risk assessment procedure with Sprinto

Sprinto’s newly-introduced Integrated Risk Assessment feature has been designed to ensure your approach to risk assessment is as holistic as it is sure-footed. From identifying risks to assessing their impacts to mitigating them, the entire risk management process has now been broken down into easy-to-understand, scalable and framework-agnostic steps in the app.

What’s more, you needn’t worry about having missed any pertinent risk(s), thanks to Sprinto’s expertly-organized risk library.  

Here’s a look at why Sprinto’s Integrated Risk-Assessment feature can help you: 

Curated risk profile

With Sprinto’s curated risk register, your risk assessment will be more exhaustive but without the exhaustion of it! With a comprehensive risk library, Sprinto will now give you a 360-degree view of org-wide, entity-down risks. As a result, you will only work with the risks relevant to your business instead of wasting time chasing tangential ones. 


Rate your impact with insight 

Rating the impact of the identified risks needn’t be just a game of guts. You can use Sprinto’s industry benchmarks as a sounding board to ensure you are on the right track. You can then dig into Sprinto’s pre-mapped controls list to decide your risk treatment and mitigation plan. The integrated risk-assessment feature is designed to ensure you are sure every step of the way.


Single-screen management

You needn’t meticulously maintain versioning of spreadsheets and to and fro mailers to get management approval anymore. You can now assess, review, edit, and ready your organization’s risk profile from the comfort of a single screen.

You can also get your management to review the risk register simply by adding them to the platform. And once you have the management buy-in, your onboarded auditors can review and audit your risk profile on their dashboard. It is that simple. 


Wrapping Up

So, that’s all about ISO 27001 risk assessment. The importance of risk assessment is quite evident, and you should be following the risk assessment practices not just from a compliance point of view but from an overall security aspect as well.

However, you can skip the lengthy spreadsheets and can automate most of the risk assessment processes to generate compliance-ready reports and more. Sprinto is a great risk assessment and compliance automation solution and can be a good fit for your organization. You can request a demo to see for yourself. Make risk assessment a strength. Talk to us today!


Is ISO 27001 risk assessment mandatory?

Yes, risk assessment is a requirement for the ISO 27001 standard. To get certified, you need to identify the risks associated with confidentiality, integrity, and availability of the assets defined in the ISMS.

Why is risk assessment important in ISO 27001?

The ISO 27001 risk assessment is important because it helps organizations identify the potential risks and vulnerabilities in the current IT security setup. By doing so, organizations can work on risk mitigation approaches to eliminate potential security threats.

Srividhya Karthik is a Content Lead at Sprinto, where she artfully transforms the complex world of compliance into accessible and intriguing reads. Srividhya has half a decade of experience in the compliance world across frameworks such as SOC 2, ISO 27001, GDPR and more. She is a formidable authority in the domain and guides readers with expertise and clarity.
