Risk assessment is without a doubt the most fundamental, and sometimes complicated, stage of ISO 27001. Getting the risk assessment right will enable correct identification of risks, which in turn will lead to effective risk management/treatment and ultimately to a working, efficient information security management system.
So, which risk assessment methodology is right for ISO 27001? Do you have to use a specific methodology? Do you have to utilize other risk management standards such as ISO 27005, or are you free to choose whichever methodology is best? We explore these questions and more in this article.
As mentioned above, risk assessment is an imperative, key stage of establishing an effective information security management system.
Identifying and treating risks is the fundamental concept of an information security management system – and all ISO 27001 certified information security management systems must have a working risk identification and treatment process in order to be successful. With this in mind, let’s explore the core requirements of a risk assessment methodology.
1. Consistent, repeatable, comparable results
The risk assessment methodology must be a consistent, repeatable process that produces comparable results over time. The reason for this is to ensure that risks are identified using consistent criteria, and that results do not vary dramatically over time.
Using a methodology that is not consistent, i.e. one that produces widely varied results time after time, does not provide an accurate representation of the risks to the business and cannot be relied on. Remember the reason you are performing risk assessments: it is not to satisfy the auditor, it is to identify risks to your business and mitigate them. If the results of this process are not useful, there is no point in doing it!
2. Planned Intervals
Risk assessments must be performed at planned intervals, or when significant changes to the business or environment occur. It is usually good practice to set a planned interval, e.g. annually, to conduct an ISMS-wide risk assessment, with the criteria for performing these documented and understood.
If there are major changes to the environment, e.g. a network re-design, moving premises, on-boarding new departments, changes to risk appetite etc., then a risk assessment should be conducted to assess the risks that these changes may introduce to the business.
3. Document, Document, Document
The risk assessment methodology should be available as documented information, and should contain or be supported by a working procedure to explain the process. This ensures that any personnel assigned to conduct or review the risk assessment are aware of how the methodology works, and can familiarize themselves with the process. As well as documenting the methodology and procedure, results of the risk assessment must be available as documented information.
As well as demonstrating to auditors and internal/external stakeholders that risk assessments have been conducted, this also enables the organisation to review, track and manage the risks identified at any point in time. It is usual for risks meeting certain criteria to be recorded on a risk register and reviewed as part of risk management meetings. If you are going for ISO 27001 certification, you should be documenting everything, as you have to provide objective evidence to the auditor.
4. Which risk assessment methodology for ISO 27001?
Under ISO 27001:2005, it was a requirement that risk assessment methodologies must use an asset-based approach. This means that the organisation must identify its assets and assess risks against these assets. For example, identifying the HR database as an asset and identifying risks to the HR database.
While it is no longer a specified requirement in the ISO 27001:2013 version of the standard, it is still recommended that an asset-based approach is taken as this supports other requirements such as asset management. Other approaches can be taken, however, and it shouldn’t affect ISO 27001 certification if the approach taken is not an asset-based methodology.
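To show what an asset-based methodology with consistent, repeatable and comparable results looks like in practice, here is an added example (not code from the original article or from any ISO document): a minimal asset-based risk register with fixed scoring criteria, a register threshold, and a comparison between two planned-interval assessments. The scales, the threshold and the sample risks are constructed assumptions, not values prescribed by ISO 27001 or ISO 27005.

```python
from dataclasses import dataclass

# Scoring criteria written down once, so every assessment scores the same way.
# Assumed 1-5 scales; ISO 27001 does not prescribe these values.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
REGISTER_THRESHOLD = 12  # hypothetical criterion: risks scoring >= 12 go on the register


@dataclass(frozen=True)
class Risk:
    asset: str        # asset-based approach: every risk is tied to an identified asset
    threat: str
    likelihood: str   # key into LIKELIHOOD
    impact: str       # key into IMPACT

    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def key(self) -> tuple:
        return (self.asset, self.threat)


def assess(risks: list) -> dict:
    """Map (asset, threat) -> score. Same inputs always give the same output."""
    return {r.key(): r.score() for r in risks}


def register(assessment: dict) -> list:
    """Entries that meet the documented criterion for the risk register."""
    return sorted(k for k, s in assessment.items() if s >= REGISTER_THRESHOLD)


def compare(previous: dict, current: dict) -> dict:
    """Comparable results: diff two assessments made with the same criteria."""
    common = set(previous) & set(current)
    return {
        "new": sorted(set(current) - set(previous)),
        "closed": sorted(set(previous) - set(current)),
        "changed": sorted((k, previous[k], current[k]) for k in common if previous[k] != current[k]),
    }


# Constructed sample data: the annual assessment, then a re-assessment after a network re-design.
YEAR1 = [
    Risk("HR database", "unauthorised access by insider", "possible", "major"),  # 3*4 = 12
    Risk("HR database", "ransomware on file server", "unlikely", "severe"),      # 2*5 = 10
    Risk("Payroll system", "loss of availability", "likely", "moderate"),        # 4*3 = 12
]
AFTER_REDESIGN = YEAR1[1:] + [
    Risk("HR database", "unauthorised access by insider", "unlikely", "major"),  # 2*4 = 8
    Risk("Guest Wi-Fi gateway", "unsegmented access to internal network", "possible", "severe"),  # 15
]
```

Running `compare(assess(YEAR1), assess(AFTER_REDESIGN))` reports the new gateway risk and the reduced insider-access score, which is the kind of change a risk management meeting would review.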
5. Align with other standards?
Other standards such as ISO 27005, the Information Security Risk Management Standard, can be used to align with best practice. ISO 27005 provides guidelines for information security risk management and, as the international standard, is considered good practice.
While it is recommended to look at best practice, it is not a mandatory requirement, so if your methodology does not align with standards such as these, it is not a non-compliance.
Summary
To summarize, under ISO 27001:2013 there is not a mandatory risk assessment methodology that must be used. While it is recommended to conduct asset-based risk assessments and align with other best practice standards, it is down to the organisation to determine the methodology which suits them best. Whatever methodology is used, it must produce consistent, repeatable and comparable results.
Risk assessments must be conducted at defined intervals, by suitably competent personnel, and the outputs must be acted upon as part of a risk treatment plan. The most important thing to remember with risk assessment is that these are being conducted for the benefit of the business and not to satisfy an auditor.
If you keep in mind that you want to identify risks to the business and treat them, then any methodology (providing it is defined, consistent and repeatable) should be sufficient. As you know your business better than anybody, the outputs of the first risk assessment should prove a useful yardstick as to whether the methodology is suitable or not, and whether it produces accurate results.