Parameters for Effective ISO 27001 Risk Assessment
Organizations of all types and sizes collect, store, process and transit information that is valuable to them and to their clients. Safekeeping that information is vital to protect against threats both deliberate and accidental. The adoption of ISO/IEC 27001 helps organizations keep this information secure.
ISO/IEC 27001 is an international standard for Information Security Management which details the requirements for the adoption of a risk management system and process for reviewing and confirming security controls in an organization. The standard helps organizations ensure their processes in place are in line with regulatory, legal, and contractual obligations and are working towards the end goal of security. Risk Assessment is an integral part of the ISO/IEC 27001 Standard as it helps organizations determine, analyze, and evaluate vulnerabilities in their Information Security Processes. In this article ISOUpdate and Narendra Sahoo cover the significance of Risk Assessment and steps to an effective ISO/IEC 27001 Risk Assessment.
Why is Risk Assessment Important for your Organization?
Risk Assessment relating to information security is imperative for organizations to understand various threats and risks to their critical data and what or who their infrastructure is or could be exposed to. It is an essential step to consider when developing an information security management system as it forms a strong foundation for the organization’s security program. The process of Risk Assessment helps identify threats and further helps mitigate the various risk of incidents that could affect the operations of an organization. The process of conducting regular risk assessments helps direct an organization’s focus towards the most critical and highly risk-prone areas of the organization’s infrastructure and determining where weaknesses lie. Below are steps to effective ISO/IEC 27001 Risk Assessment to help your organization.
Risk Assessment Framework
ISO/IEC 27001 Standard (Clause 6.1.2) asks organizations to define and apply a Risk Assessment process that is objective, identifies the information security risks and their owners, analyses and evaluates the risks and provides consistent and comparable results. Organizations shall adopt an approach that addresses the core security requirements in terms of regulatory and contractual requirements. Organizations must tailor their approach based on the following parameters to establish a strong Risk Assessment framework.
The risk parameters include:
- Risk scale which is based on the likelihood of an incident occurring (frequency of occurrence) and the level of impact (financial loss, reputational damage, operational disruption) that the incident may have on the organization.
- Risk appetite which determines the acceptable level of risk to which the organization can withstand.
- Scenario-based risk which determines the possible events that might affect the security of assets.
- An asset-based (or process based) risk assessment that determines critical assets (records of personal data, financial data, and medical data) that may be exposed to various risks.
As defined in Clause 6.1.1, when planning your information security management system, risks and opportunities relating to the management system should be addressed to ensure its intended outcomes can be achieved. Risks and opportunities should also be addressed to allow the system to prevent or reduce undesired effects and allow for continual improvement.
As an organization, you must have a process in place to consistently address your plans and actions to identify, assess and treat these risks and opportunities, and how as an organization you will integrate and implement them into your information security management system and its processes as well as the process owners who will champion these tasks. As said by ISMS “Quite simply this means documenting the process for risk identification, assessment and treatment, then showing that is working in practice with management of each risk” – source
Identifying Risks
Identifying risk is the most critical part of Risk Assessment. Identifying risk typically involves determining critical assets that require protection, a possible threat that may impact business operations, and the vulnerability in the business process or asset management or security controls that may result in an incident that impacts the organization.
Asset-Based vs Risk-Based Approach to Risk Assessment
Risk-based approach is a systematic method that identifies, evaluates, and prioritizes threats facing the organization. It is a customizable method that enables the business to tailor their cybersecurity program to specific organizational needs and operational vulnerabilities. By utilizing a risk-based approach to risk assessment organizations use risk to balance the operational performance of the assets against the asset life-cycle cost.
Asset-based approach asks organizations to conduct a risk assessment to determine where your weaknesses are, how likely it is that those weaknesses will be exploited and the impact each one will cause.
The Risk Assessor needs to identify potential risks that may compromise the confidentiality, integrity, or availability of assets and analyse the impact of the organization. Your organization should determine which approach works best for your organization, and what resources you need to ensure its success. This process of risk assessment should be continual and consistent within your organization.
Source: Conducting an asset-based risk assessment in ISO 27001 by Vigilant
Analysing Risks
Risk analysis involves understanding and determining the way an incident may occur and affect your business. This involves identifying possible ways in which identified vulnerabilities found from your asset-based on risk-based approach process can be exploited internally or externally. The analysis must also include an assessment of the likelihood of the incident occurring and the level of impact that it would have on business.
Risks should also be analysed based on whether the organization has in place baseline security controls for effectively addressing the identified risks.
Organizations shall identify controls in place to strengthen the security measures. This should further include evaluating the current controls to determine whether they work appropriately or should be replaced, modified, or supported by additional controls.
Evaluating Risks
The identified and analysed risk(s) must now be evaluated and rated based on their severity. This evaluation should include rating the risk level on a scale of low, medium to high or your internal scale that makes sense for your organization. Risk grading is subjective by nature and should be standardized or based on a set criteria for consistency across your management system.
Evaluating the risk also helps identify whether or not the risk falls within “acceptable levels” of risk. Based on the risk rating, the organization must identify the highest rated risks and, prioritize their resources accordingly to address risks based on their level of severity. With this, the organization must also evaluate the impact of risk on internal and external business and its impact.
Risk Management & Treatment Options
Once the identified, analysed, & evaluated risks are classified, the organization should make an informed research-based decision to mitigate the risk. Generally, the response to addressing the identified risks is classified into four categories. This includes:
- Modification which involves implementing security controls.
- Retention of risks which means accepting that the risk falls within the acceptable levels.
- Avoiding the risk by altering the circumstances causing the eventuality of risk.
- Share risk with an insurance firm or with a third party who is equipped to manage the risk
The organization needs to identify current controls that are in place and controls that should be established to mitigate and/or reduce risk.
Reviewing and Monitoring
An organization must consistently review, update and improve the information security management system (ISMS) to ensure that the controls added or in place are effective, appropriately established, and working as intended. The Risk Assessment process must be repeated consistently to ensure your organization has accounted for all the changes and the constantly evolving threat landscape. This process of identifying, analysing, evaluating and monitoring should be seen as an opportunity to continually improve the ISMS and implement control that can address the evolving risks.
Final Thought
Risk Assessment is an ongoing process and should be conducted on an ongoing and consistent basis to ensure your organization is mitigating, eliminating and controlling risks to internal and external threats to your information security. Re-evaluating the security controls and risks regularly can help businesses devote resources accordingly and address the potential threats periodically. Further, Risk Assessment helps businesses make an informed decision for establishing strong security measures and progressive outcomes for the business.
Author Bio
Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, and CRISC) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA
InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.
ISO Terms Explained
To the novice quality manager, ISO jargon can be extremely overwhelming. What is an NCR? What do you mean by OFI? Are we certified or accredited? But before you go and pull out your hair, let’s take a moment to go over some of the most frequently used terms and their definitions with regards to ISO and Management System Certification.