Getting organised to tackle a risk assessment for information security purposes requires quite a lot of planning and legwork. The following nine steps describe the basic process of conducting a risk assessment in line with the requirements of ISO 27001. In this case, we have followed an asset-based risk assessment, although ISO 27001:2013 does not specify that an asset-based methodology has to be followed.
1. Before getting started, you need to establish which controls are already in place to meet contractual, regulatory and legal obligations, and then set out the rules governing how you intend to identify risks (your risk assessment approach or methodology).

2. It is important to define the following:
   - How you plan to identify the various risk owners who will take accountability for the risks.
   - The risk criteria that you are going to apply (how the risk will affect the confidentiality, availability and integrity of the information).
   - The impact of the risk and the likelihood of the risk occurring.
   - The method of calculating the overall risk (for instance, by using the likelihood x impact formula).

3. You should also determine your organisation’s appetite for risk and the risk acceptance threshold, which will require input from the organisation’s management team.

4. Following that, a good starting point is to compile a list of information assets. It will be easier to work from an existing list of information assets, such as hard copies, electronic files, removable media, mobile devices, etc. Compiling a list of such assets does not come without challenges, though: intangibles such as intellectual property must be included. Most companies already have such a list of assets and can simply work from it, expanding it where necessary.

5. Once you have drawn up a comprehensive list of your assets, the next step is to identify the threats and vulnerabilities that apply to each asset. For instance, in the case of a company mobile device, the threat could be ‘theft of mobile device’, while the vulnerability could be ‘lack of formal policy for mobile devices’.

6. Once you have gone through the entire process of applying threats and vulnerabilities to assets, you should qualify the extent of each risk by assigning values based on your risk criteria (the impact x likelihood values of the risk coming to pass).

7. The next step is to mitigate the risks in order to reduce them to an agreed, acceptable level. You may wish to treat the risk (by implementing a control), tolerate the risk (owing to a specific corporate decision), transfer the risk to an insurance firm or other third party, or totally eliminate the risk (by taking action such as scrapping a specific process completely).

8. ISO 27001 provides a comprehensive list of recommended controls that can be applied to treat the identified risks effectively. In order to keep a detailed audit trail, you should collect proof that controls have been implemented, allocate due dates for implementation and assign owners for each of the risks.

9. Reporting is the last, but not the least critical, element of the risk assessment process. ISO 27001 requires that a Statement of Applicability be drawn up that specifies the ISO 27001 controls relevant to your business and why those controls have been selected. The risk treatment plan provides a summary of each of the identified risks, the responses that have been designed for each risk, the parties responsible for those risks and the target date for applying the risk treatment.
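As an added example (not part of the original article or of any vsRisk product), the following Python risk register applies the steps above: each asset carries a threat/vulnerability pair and an accountable owner, risk is scored with the likelihood x impact formula, anything above the management-agreed acceptance threshold must carry a treatment decision, and the checks enforce the audit trail the text calls for (a control and due date for treated risks, a documented corporate decision for tolerated ones). The 1-5 scales, the threshold of 8 and the sample entries are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed for this example: likelihood and impact are scored 1 (low) to 5 (high).
TREATMENTS = {"treat", "tolerate", "transfer", "terminate"}

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    owner: str            # the person accountable for the risk
    likelihood: int
    impact: int           # worst case across confidentiality, integrity and availability
    treatment: str = ""   # one of TREATMENTS once a decision has been made
    control: str = ""     # control applied when the risk is treated
    due: str = ""         # target date for applying the treatment
    rationale: str = ""   # documented corporate decision when a risk is tolerated

    @property
    def score(self) -> int:
        return self.likelihood * self.impact   # the likelihood x impact formula

def check_register(risks, threshold):  # returns audit-trail problems; empty list means consistent
    problems = []
    for r in risks:
        tag = f"{r.asset} / {r.threat}"
        if not 1 <= r.likelihood <= 5 or not 1 <= r.impact <= 5:
            problems.append(f"{tag}: likelihood/impact outside the 1-5 scale")
        elif r.score <= threshold:
            continue  # within appetite: acceptable as is
        elif r.treatment not in TREATMENTS:
            problems.append(f"{tag}: score {r.score} exceeds threshold {threshold} but has no treatment decision")
        elif r.treatment == "treat" and not (r.control and r.due):
            problems.append(f"{tag}: treated risk needs a control and a due date")
        elif r.treatment == "tolerate" and not r.rationale:
            problems.append(f"{tag}: tolerated risk above threshold needs a documented management decision")
    return problems

def treatment_plan(risks, threshold):  # risks above the acceptance threshold, highest score first
    above = sorted((r for r in risks if r.score > threshold), key=lambda r: r.score, reverse=True)
    return [(r.score, r.asset, r.threat, r.treatment or "UNDECIDED", r.owner, r.due) for r in above]

# Constructed sample register; the first entry is the mobile-device example from the text.
REGISTER = [
    Risk("Company mobile device", "Theft of mobile device", "Lack of formal policy for mobile devices",
         "IT manager", 4, 4, treatment="treat", control="Mobile device policy", due="2024-09-30"),
    Risk("Customer database", "Ransomware", "Unpatched database server", "DBA", 3, 5, treatment="tolerate"),
    Risk("Printed HR records", "Unauthorised reading", "Cabinet left unlocked", "HR lead", 2, 3),
]
```

Running `check_register(REGISTER, 8)` flags only the tolerated database risk, because it sits above the threshold without a recorded management decision; `treatment_plan(REGISTER, 8)` lists the two risks that exceed the threshold, ready for the risk treatment plan.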
vsRisk™ provides a simple and cost-effective alternative to manually conducting information security risk assessments, covering all of the key processes, resources, databases and lists required for executing a risk assessment, in addition to providing a sample risk assessment to help speed up the process.
[Infographic: how vsRisk helps you through every step of the risk assessment process]
vsRisk simplifies and speeds up the risk assessment process, cuts costs and ensures accurate, repeatable risk assessments, year after year.