The international standard for information security, ISO27001, does not prescribe a specific risk assessment methodology, but it does require the risk assessment to be a formal process. This implies that the process must be planned, and the data, analysis and results must be recorded.
Unlike the former version of ISO27001 (released in 2005), in which you were required to identify assets, their respective threats and vulnerabilities, the new version (ISO27001:2013) only requires you to identify the risks to information security, in any shape or form.
A risk is usually defined as a threat combined with a vulnerability, but with ISO27001:2013 you need not go through the whole process of identifying threats and vulnerabilities separately – you can simply define and identify the risk as a whole. This is commonly referred to as a scenario-based risk assessment approach.
The former standard allowed risk assessors to apply only an asset-based risk assessment methodology, but the new standard is more lenient with regard to the risk assessment process, and a scenario-based risk assessment can now also be applied.
The following elements are important to establish before you embark on a risk assessment:
- Define the organisational context. Establish the controls that are required to be in place due to regulatory, contractual, or business requirements before you embark on your risk assessment.
- Establish how you will identify the risks that could affect the confidentiality, integrity and/or availability of your information (i.e. threat x vulnerability or risk scenario) – in other words, the risk assessment methodology.
- Identify the risk owners for each risk. Each risk must have an owner according to ISO27001:2013, and each risk owner must have the ability to hold accountability for that risk.
- Determine the risk criteria: each risk needs to be defined in terms of the compromise it represents to the confidentiality, integrity and/or availability of information, the impact it could result in and the likelihood of the risk coming to pass.
- Define your risk calculation – which could be impact + likelihood, or impact x likelihood, or other calculation methods.
- Define the risk acceptance criteria. The risk acceptance criteria will confirm whether the risks are adequately controlled (according to your criteria). The risk rating value you assign could indicate that the risks fall within the boundaries of your risk acceptance criteria or not.
It is advisable to agree and confirm the above items first before starting your risk assessment.
vsRisk, the simplest and most effective risk assessment software, now offers new and improved features that provides you with the option of either an asset- or scenario-based assessment methodology, to allocate risk owners to identified risks, to apply a preferred risk calculation and risk acceptance criteria, and automates the entire risk assessment process from start to finish.
vsRisk 2.4 is out on 29 September 2014, with brand new features and functions, including additional control sets (PCI DSS, NIST SP 800-53 and the Cloud Controls Matrix), a context-sensitive help function and added value reports. View the Vigilant website for more details.