ISO27001 – Risk Assessment Requirements

Managing Risk: A Core Element of ISO 27001 Certification

For organisations seeking ISO 27001 certification, implementing a comprehensive risk management programme is essential. ISO 27001 requires a formal risk assessment policy and procedure to be in place. This can be a bit intimidating when you haven’t followed any formal risk management practices before. But remember that, as a business owner or department head, you are managing risk all the time. You may not see it that way, but every time you deal with a situation you are managing risk. Think about staff sickness, IT breakdowns, power failures, or improving your security methods: that is all about managing risk to the business.

What does it mean to assess and manage risk in the context of an ISMS? Here’s an overview of how the process works:

Risk Assessment

A risk assessment examines an organisation’s information security threats and vulnerabilities. It evaluates the likelihood of various risk scenarios materialising, as well as their potential business impact. Common information security risk categories include:

– Data breaches: Unauthorised data access or disclosure
– Cyber-attacks: Hacking, malware, phishing, denial of service
– Insider threats: Intentional or accidental actions by employees
– Technology failures: Critical systems outages or data loss
– Non-compliance: Violations of legal/regulatory obligations

The project team will collaborate to systematically identify risks that can compromise the confidentiality, integrity or availability of critical systems and data. We find that evaluating risk by scenario is easier to visualise and implement.

Risk Treatment

Once key risks are identified and prioritised via assessment, ISO 27001 requires developing appropriate risk treatment plans. Common information security risk treatment options include:

– Risk avoidance: Eliminating high-severity risks outright by no longer undertaking the activity that gives rise to them.
– Risk mitigation: Implementing additional controls or safeguards to reduce the risk likelihood or impact.
– Risk transfer: Sharing or outsourcing the risk; the most common method is to insure against it (e.g. cyber insurance).
– Risk acceptance: Making an informed decision to accept the risk because the impact on the organisation would be minimal should the risk event occur.

The Risk Assessment should detail assigned risk owners, any additional actions to take, deadlines for implementation, and resource requirements for selected options.

Ongoing Monitoring

ISO 27001 requires that a risk assessment is undertaken on a regular basis; most of my clients review risk every 3 to 4 months, noting new risks and re-evaluating older ones. The results of the risk assessment are discussed at Management Reviews. Risk treatment plans are updated accordingly based on new assessment findings. Changes to business processes, security technologies, regulations or other dynamics may alter the risk landscape. Regular monitoring and review ensure that your risk assessment stays current.
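As an added illustration (not code from the original post), the assess, treat and monitor cycle described above can be kept as a small scenario-based risk register. Each scenario gets a likelihood and impact score, risks are prioritised by the resulting level, the four treatment options map onto an enum, and two checks flag treatment plans that are missing an owner action or deadline and risks whose periodic review is overdue. The 1 to 5 scoring scale, the level bands, the acceptance threshold, the 120-day review interval and the sample scenarios are all assumptions made for this example.

```python
"""Scenario-based risk register illustrating the ISO 27001 assess / treat / monitor cycle.

Assumed scoring model (not prescribed by the standard or the original post):
likelihood and impact are each 1..5, risk level = likelihood * impact,
bands are low (1-5), medium (6-12), high (13-25).
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional


class Treatment(Enum):
    """The four treatment options described in the text."""
    AVOID = "avoid"        # stop the activity that creates the risk
    MITIGATE = "mitigate"  # add controls to reduce likelihood or impact
    TRANSFER = "transfer"  # share the risk, e.g. via insurance
    ACCEPT = "accept"      # informed decision to live with the risk


@dataclass
class Risk:
    scenario: str                    # plain-language description of what could go wrong
    category: str                    # data breach, cyber-attack, insider, technology failure, non-compliance
    likelihood: int                  # 1 (rare) .. 5 (almost certain)   [assumed scale]
    impact: int                      # 1 (negligible) .. 5 (severe)     [assumed scale]
    owner: str                       # assigned risk owner
    treatment: Optional[Treatment] = None
    actions: List[str] = field(default_factory=list)   # additional actions to take
    deadline: Optional[date] = None                     # implementation deadline
    last_reviewed: Optional[date] = None

    def __post_init__(self) -> None:
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be between 1 and 5, got {value}")

    @property
    def level(self) -> int:
        return self.likelihood * self.impact

    @property
    def band(self) -> str:
        if self.level >= 13:
            return "high"
        if self.level >= 6:
            return "medium"
        return "low"


ACCEPT_THRESHOLD = 5                  # assumed policy: accept only low-band risks without justification
REVIEW_INTERVAL = timedelta(days=120)  # assumed cadence, roughly the 3-4 months mentioned in the text


def prioritise(register: List[Risk]) -> List[Risk]:
    """Highest risk level first; ties broken alphabetically so the order is stable."""
    return sorted(register, key=lambda r: (-r.level, r.scenario))


def plan_gaps(register: List[Risk]) -> Dict[str, List[str]]:
    """Flag risks whose treatment plan is incomplete (no option chosen, no actions, no deadline,
    or an acceptance above the assumed threshold)."""
    gaps: Dict[str, List[str]] = {}
    for r in register:
        missing: List[str] = []
        if r.treatment is None:
            missing.append("treatment")
        elif r.treatment is Treatment.ACCEPT:
            if r.level > ACCEPT_THRESHOLD:
                missing.append("acceptance above threshold needs justification")
        else:  # avoid, mitigate, transfer all require concrete actions with a deadline
            if not r.actions:
                missing.append("actions")
            if r.deadline is None:
                missing.append("deadline")
        if missing:
            gaps[r.scenario] = missing
    return gaps


def reviews_due(register: List[Risk], today: date) -> List[str]:
    """Scenarios never reviewed, or last reviewed longer ago than REVIEW_INTERVAL."""
    return [r.scenario for r in register
            if r.last_reviewed is None or today - r.last_reviewed > REVIEW_INTERVAL]


# Constructed sample register for demonstration only.
SAMPLE_REGISTER: List[Risk] = [
    Risk("Ransomware via phishing e-mail", "cyber-attack", 4, 5, "IT Manager",
         Treatment.MITIGATE, ["MFA on e-mail", "offline backups"], date(2024, 6, 30), date(2024, 3, 1)),
    Risk("Lost laptop holding customer data", "data breach", 3, 4, "Ops Lead",
         Treatment.MITIGATE, ["Full-disk encryption"], None, date(2024, 1, 15)),
    Risk("Short power cut in office", "technology failure", 4, 1, "Facilities",
         Treatment.ACCEPT, last_reviewed=date(2024, 3, 1)),
    Risk("Third-party data centre outage", "technology failure", 2, 4, "IT Manager",
         Treatment.TRANSFER, ["Cyber insurance covering business interruption"], date(2024, 5, 1), None),
]
AS_OF = date(2024, 5, 20)  # constructed "today" for the sample

if __name__ == "__main__":
    for r in prioritise(SAMPLE_REGISTER):
        print(f"{r.level:>2} {r.band:<6} {r.owner:<12} {r.scenario}")
    print("plan gaps:", plan_gaps(SAMPLE_REGISTER))
    print("reviews due:", reviews_due(SAMPLE_REGISTER, AS_OF))
```

Run as a script it prints the prioritised register, then the incomplete treatment plans (the laptop scenario has mitigation actions but no deadline) and the scenarios due for review at the Management Review (the laptop scenario was last reviewed more than 120 days ago and the data centre scenario has never been reviewed). Keeping the register as data rather than a spreadsheet makes these checks repeatable at each review cycle.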

With robust risk management processes aligned with ISO 27001 requirements, organisations can feel confident regarding information security capabilities when applying for certification. Ongoing risk monitoring also provides assurance that controls will adapt as conditions evolve over time post-certification.

If you want any help with your risk assessment, please contact us as we have some resources which may be useful for you.