ISO 27001 is built around the concept of assessing and managing information security risks. Organisations must identify potential risks to their information assets and determine the most appropriate course of action for treating those risks, which, in most cases, involves implementing appropriate controls to mitigate them.
The Standard provides guidance on how best to conduct information security risk assessments. The process outlined offers a systematic approach for identifying, analysing, and evaluating risks to your organisation's information security.
ISO 27001 Risk Assessment Requirements
Clauses 6 and 8 of ISO 27001 mandate that organisations must not only perform risk assessments as part of establishing and maintaining an information security management system (ISMS), but must also establish a defined process for conducting these assessments. This process ensures that the results are consistent, valid, and comparable over time. To achieve this, your organisation needs to determine specific criteria that the risk assessment process must meet.
The aims of a risk assessment are to identify potential threats and vulnerabilities to your organisation’s information assets, evaluate the likelihood and impact of these risks, and prioritise actions to mitigate or manage them. This process ensures that security measures are proportionate to the actual risks faced by your organisation, rather than being arbitrarily implemented. Annex A of ISO 27001 has a list of controls that you may implement to help mitigate and/or manage risks that are identified. Additionally, ISO 27001 risk assessments allow you to produce your statement of applicability (SoA), a mandatory report that states which Annex A controls you have implemented, and which you have excluded.
Clauses 6 and 8 themselves do not define a specific methodology for conducting risk assessments but rather provide you with the flexibility to choose a process that is appropriate for your organisation. However, whilst there is flexibility in selecting which process works best for your organisation, there are some mandatory features of a risk assessment and treatment process that need to be included.
Conducting an ISO 27001 Risk Assessment
When conducting an ISO 27001 risk assessment, you should first define the scope against which the risk assessment will be conducted. This includes identifying assets, systems and processes within your organisation that would fall in scope of the ISMS. A helpful document in establishing this scope is ISO 31000, the International Standard for Risk Management, which can serve as a valuable framework for designing and implementing an effective risk assessment process.
Once the scope of the risk assessment has been established, the next step is to establish the risk assessment methodology, which includes the criteria for assessing risk, as well as risk scoring mechanisms. There are three sets of criteria that the Standard expects you to consider. Clause 6 includes criteria associated with the triggers for performing risk assessments (e.g., annual review, changes to external or internal issues, incidents, etc.) and with risk acceptance criteria, i.e., under what circumstances different levels and types of risk can be accepted, by whom, and for how long. Meanwhile, Clause 8.1 refers to the criteria that must be met to ensure consistent results, for which you will need to define risk criteria that include how risks will be assessed, what levels of risk are acceptable and how to manage risks that are outside of tolerance. Risks should be scored against an agreed-upon matrix such as a 5 x 5 likelihood and impact scale.
Your next step is to identify potential risks to information security by reviewing the in-scope assets and determining potential threats and vulnerabilities. One of the ways we have found useful for achieving this is to ‘reverse engineer’ the controls from Annex A of the Standard to highlight what issues may occur if that control was not to be implemented. Another method is to use ISO 27005, the International Standard for Information Security Risk Management, which contains various annexes relating to examples of typical threats and vulnerabilities and methods for vulnerability assessment.
Once risks have been identified, you will be able to move into the analysis and evaluation phase of the risk assessment process, which involves using the agreed matrix for scoring likelihood and impact to determine the threat and/or vulnerability’s overall risk score/level. The likelihood score should reflect the probability of the risk materialising, while the impact score should represent the potential consequences if the risk were to occur. These consequences may vary depending on the scope of your risk assessment but typically include factors such as financial loss, reputational damage, and other organisational impacts.
ISO 27001 Risk Treatment
Now that risks have been scored and evaluated to be within or outside of your organisation’s tolerance, risk treatment options can be reviewed. These options are referred to by a number of names, but here we will refer to them as accept, avoid, reduce and transfer (AART). Where the risk is within your tolerance, you may wish to accept the risk level as it is, or, where appropriate, you may choose to avoid the risk altogether by discontinuing the activity that is presenting the risk. Your organisation can also transfer the risk to a third party, which, in most cases, would be an insurer. Finally, your organisation may adopt one of the most common treatment options, which is to reduce the risk by implementing controls such as those from Annex A of the Standard.
Once treatment options have been selected, your organisation should implement the necessary treatments identified. Where ‘reduce’ has been chosen, ISO 27001 Annex A provides a list of 93 controls that may be applied, covering areas such as access control, physical security, incident management, etc. This list of controls is not exhaustive and additional controls can be used in conjunction with the controls included in Annex A.
Finally, after all the above steps have been followed, you will be in a position to document the results of your risk assessments, the findings, the decisions and treatments in a risk treatment plan, which is a mandatory document for ISO 27001 conformance. You are required to monitor, review and regularly revisit these risk assessments to ensure that changes to the threat landscape, to your organisation or to technology have not affected any of the risks that were identified.
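The scoring, tolerance, treatment and documentation steps above can be tied together in a small risk register. The following is an added example written for this article; it is not code from URM or from the Abriska 27001 tool, and ISO 27001 prescribes none of it. The 5 x 5 bands, the tolerance threshold of 9, the handful of Annex A control references (a constructed subset of the 93 controls) and the five sample risks are all assumptions chosen to illustrate the process. It scores each risk as likelihood multiplied by impact, checks the chosen AART treatment against the tolerance rule (an out-of-tolerance risk may only be accepted with a named approver, and a ‘reduce’ treatment must bring the residual score back within tolerance), and derives a statement of applicability from which controls the treatments actually use.

```python
"""Worked ISO 27001-style risk register (added example, not URM's or the
Standard's own code): 5 x 5 likelihood/impact scoring, tolerance check,
AART treatment validation, risk treatment plan and SoA derivation."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Treatment(Enum):
    ACCEPT = "accept"
    AVOID = "avoid"
    REDUCE = "reduce"
    TRANSFER = "transfer"


# Constructed subset of ISO/IEC 27001:2022 Annex A controls (not all 93).
ANNEX_A = {
    "A.5.15": "Access control",
    "A.7.2": "Physical entry",
    "A.8.5": "Secure authentication",
    "A.8.7": "Protection against malware",
    "A.8.8": "Management of technical vulnerabilities",
    "A.8.13": "Information backup",
}

# Assumed bands for a 5 x 5 matrix (upper score bound, band name) and an
# assumed tolerance: scores above TOLERANCE are outside appetite.
BANDS = [(4, "low"), (9, "medium"), (15, "high"), (25, "critical")]
TOLERANCE = 9


@dataclass
class Risk:
    ref: str
    asset: str
    threat: str
    vulnerability: str
    likelihood: int                      # 1..5, probability of materialising
    impact: int                          # 1..5, consequence if it occurs
    treatment: Optional[Treatment] = None
    controls: tuple = ()                 # Annex A refs applied under REDUCE
    residual: Optional[tuple] = None     # (likelihood, impact) after treatment
    accepted_by: Optional[str] = None    # approver for out-of-tolerance acceptance

    def __post_init__(self):
        for v in (self.likelihood, self.impact):
            if not 1 <= v <= 5:
                raise ValueError("likelihood and impact must be 1..5")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def residual_score(self) -> int:
        if self.residual is None:
            return self.score
        return self.residual[0] * self.residual[1]


def band(score: int) -> str:
    """Map a matrix score to its assumed band name."""
    for upper, name in BANDS:
        if score <= upper:
            return name
    raise ValueError(f"score {score} outside a 5 x 5 matrix")


def within_tolerance(score: int) -> bool:
    return score <= TOLERANCE


def validate_treatment(risk: Risk) -> list:
    """Return the problems with a risk's treatment; empty list if consistent."""
    issues = []
    if within_tolerance(risk.score):
        return issues                    # acceptance as-is is permitted
    if risk.treatment is None:
        issues.append("out-of-tolerance risk has no treatment")
    elif risk.treatment is Treatment.ACCEPT and not risk.accepted_by:
        issues.append("acceptance outside tolerance needs a named approver")
    elif risk.treatment is Treatment.REDUCE:
        if not risk.controls:
            issues.append("reduce chosen but no controls listed")
        unknown = [c for c in risk.controls if c not in ANNEX_A]
        if unknown:
            issues.append(f"unknown control refs: {unknown}")
        if not within_tolerance(risk.residual_score):
            issues.append("residual risk still outside tolerance")
    return issues


def statement_of_applicability(register: list) -> dict:
    """Mark each catalogued control implemented if any REDUCE treatment uses it."""
    used = {c for r in register if r.treatment is Treatment.REDUCE for c in r.controls}
    return {ref: ("implemented" if ref in used else "excluded") for ref in ANNEX_A}


def treatment_plan(register: list) -> list:
    """Risk treatment plan rows, highest inherent score first."""
    return [
        {"ref": r.ref, "score": r.score, "band": band(r.score),
         "in_tolerance": within_tolerance(r.score),
         "treatment": r.treatment.value if r.treatment else None,
         "residual": r.residual_score, "issues": validate_treatment(r)}
        for r in sorted(register, key=lambda r: r.score, reverse=True)
    ]


# Constructed sample register for a fictitious organisation.
SAMPLE_REGISTER = [
    Risk("R1", "Customer database", "ransomware", "unpatched server", 4, 5,
         Treatment.REDUCE, ("A.8.7", "A.8.8", "A.8.13"), residual=(2, 3)),
    Risk("R2", "Office laptops", "theft", "no building entry control", 3, 3,
         Treatment.ACCEPT),
    Risk("R3", "Legacy FTP service", "credential interception",
         "cleartext protocol", 5, 4, Treatment.AVOID),
    Risk("R4", "Payment processing", "fraud loss",
         "third-party processor outage", 2, 5, Treatment.TRANSFER),
    Risk("R5", "Admin portal", "account takeover", "single-factor login", 4, 4,
         Treatment.REDUCE, ("A.8.5",), residual=(3, 4)),
]

if __name__ == "__main__":
    for row in treatment_plan(SAMPLE_REGISTER):
        print(row)
    print(statement_of_applicability(SAMPLE_REGISTER))
```

Running the block lists R1 and R3 first as critical (score 20), flags R5 because its residual score of 12 is still above the tolerance of 9, and reports A.8.5, A.8.7, A.8.8 and A.8.13 as implemented with A.5.15 and A.7.2 excluded, which is the shape of the SoA the article describes. Replacing the constructed bands, tolerance and control subset with your organisation’s own agreed criteria is the part ISO 27001 actually requires you to decide.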
How URM can Help
With our 19-year track record of assisting organisations to achieve ISO 27001 certification, without a single failed certification project, URM is ideally placed to provide your organisation with ISO 27001 support through any or each stage of the Standard’s lifecycle, including assistance with risk assessments. Using our proven risk assessment tool, Abriska 27001, our large team of consultants can help you to identify risks, determine the likelihood and impact of them occurring, and to conduct the most appropriate risk treatment activities.
Beyond the risk assessment, URM can offer a range of services to assist you with any aspect of conformance to the Standard; we can conduct an ISO 27001 gap analysis of your existing information security practices against the Standard’s requirements to help you identify any areas of nonconformance or opportunities for improvement, and can support you to remediate any gaps and implement the ISMS. We can also conduct an ISO 27001 internal audit on your behalf to help you ensure the ISMS is being properly maintained and operating effectively. The consultant conducting your ISO 27001 audit will have the necessary competencies as well as the required impartiality to provide a fully ISO 27001-conformant audit.
In addition to our consultancy services, URM offers a range of training courses, all of which are led by a qualified and practicing ISO 27001 consultant. If you are at the beginning of your journey with ISO 27001 and would like to learn about how to most effectively improve your information security, attend our Introduction to ISO 27001 Training Course. Or, if your organisation is already certified but is looking to recertify its ISMS to the latest version of the Standard, our ISO/IEC 27001:2022 Transition Course and/or our ISO 27002:2022 Control Migration Course will prepare you for a successful and seamless transition. URM also regularly delivers the Certificate in Information Security Management Principles (CISMP) Training Course, which will fully prepare you to sit and pass the BCS invigilated examination and gain an industry-recognised qualification.