In every company, no matter how fine-tuned the elements of information security management are, there are threats, vulnerabilities and potential risks, so to be competitive and achieve business objectives, organizations must do everything possible to identify, assess and handle all of them, or at least the most relevant ones. This is called risk management, which can range from subconscious decisions to fully informed decisions based on sophisticated methodologies and data processing mechanisms applicable to a wide range of risk areas, including information security risks. Risk management is complex work, but it is often unnecessarily complicated, and many organizations make the process even more complex by taking unnecessary or extremely complex actions.
But we want to explain the ISO 27001 risk management process to you simply and succinctly:
- Risk assessment methodology: you need to create rules on how to do the risk assessment so that the whole organization does it the same way.
- Implementation of the risk assessment: once the rules are in place, you can begin to identify potential problems that may arise and determine which ones are unacceptable and should be handled. That is, perform a search, analysis, and assessment of potential risks.
- Implementation of risk treatment: it is necessary to consider how to reduce risks with minimal investment.
- ISMS risk assessment report: you need to document all work done on the risks, not only for ISO 27001 certification but also for your business, because you can reuse these results in the future.
- Applicability statement: summarizes the results of the risk treatment and will be used by the certification auditor as a reference document.
- Risk management plan: here you have to determine who will implement each control, within what time frame, within what budget, etc. It is important to have the risk management plan approved by management, because implementing all the planned controls will take considerable time and effort and will incur financial costs. Without management's support, you won't have any of those resources.
Next, we’ll go into more detail on how to implement each step, given the most common approaches used by companies around the world.
| What to define | Common approach |
|---|---|
| 1. Determine how to detect risks that could lead to loss of confidentiality, integrity and/or availability of your information. | Identify risks based on assets, threats and vulnerabilities; based on your processes or departments; using only threats and not vulnerabilities; or using any other methodology you like. |
| 2. Determine how to select those responsible for risk. | Select a person who is interested in eliminating the risk and who holds a high enough position in the organization to organize it. |
| 3. Determine the criteria for assessing the consequences and assessing the probability of the risk occurring. | Evaluate separately the consequences and probabilities for each of your risks. In doing so, you can use any scale you like. |
| 4. Determine how the risk will be calculated. | Using a low-medium-high scale would be the same as using a 0-1-2 scale, so you will always have numbers to calculate. |
| 5. Determine the criteria for processing risks. | If the risk calculation method gives values from 1 to 10, you can decide that an acceptable level of risk, such as 7, would mean that only risks rated at 8, 9, and 10 would need to be treated. Alternatively, you can examine each individual risk and decide which should be considered and which should not, based on your own understanding and experience, without using scales. |
Risk assessment or how to map assets, threats and vulnerabilities
The current version of ISO 27001 allows you to identify risks using whatever methodology you like.
Risk identification is the first half of the risk assessment process, and to make it easier, you can use a worksheet with a list of assets, threats, and vulnerabilities in columns. You should also include additional information such as risk identifier, risk responsible, impact, probability, etc. We recommend listing items column by column rather than row by row so that you list all your assets first, then start looking for threats for each asset, and only after that the vulnerabilities for each threat.
How to estimate consequences and probability in risk analysis
The second half of risk assessment is to calculate how great the risk is. This is accomplished by estimating the consequences (also called exposure) that would occur if the risk were to materialize and estimating how likely the risk is to occur. With this information, you can easily calculate the level of risk.
There are two basic approaches to estimating probability and impact: qualitative and quantitative. A qualitative risk assessment focuses on stakeholders’ perceptions of the likelihood of risk occurring and the impact on relevant organizational aspects (e.g., financial, reputational, etc.). This perception is represented in scales such as “low – medium – high” or “0-1-2”, which are used to determine the final risk value. Quantitative risk assessment, on the other hand, focuses on actual and measurable data as well as highly mathematical and computational bases for calculating probability and impact values, usually expressing risk values in monetary terms.
If your company needs a quick and easy risk assessment, you can go the qualitative route (99% of companies do this). However, if you need a really big investment to address security issues, it may make sense to invest time and money in a quantitative risk assessment. One way to justify the required security investment is to determine the cost of an incident, as well as the potential return that this investment can bring to the organization.
A qualitative risk assessment, in turn, involves two ways of analyzing risk: a simple risk assessment and a detailed risk assessment. In a simple risk assessment, you assess consequences and probabilities: in identifying risks, you use scales to estimate separately the consequences and probabilities of each risk (for example, from 1 to 10). The larger the scale, the more accurate the results, but also the more time you spend doing the assessment.
An example of a simple risk assessment:
- Asset: Laptop
- Threat: Data loss
- Vulnerability: Employees do not know how to protect their mobile devices
- Consequence: 3 (on a scale of 0 to 5)
- Probability: 3 (on a scale of 0 to 5)
In a detailed risk assessment, instead of assessing two elements (consequences and probability), you assess three elements: asset value, threat, and vulnerability. For example:
- Asset: laptop.
- Threat: loss of data
- Vulnerability: employees don’t know how to protect their mobile devices
- Asset value: 2 (on a scale of 0 to 4)
- Threat value: 2 (on a scale of 0 to 3)
- Vulnerability value: 2 (on a scale of 0 to 3)
The risk calculation is done by adding or multiplying. If you use a low-medium-high scale, this is the same as using 0-1-2, so you still have numbers to calculate.
Calculating risk using addition:
Simple risk assessment: consequences (3) + probability (3) = risk (6)
Detailed risk assessment: asset value (2) + threat value (2) + vulnerability value (2) = risk (6)
The detailed risk assessment uses a scale of 0 to 4 for asset value and smaller scales of 0 to 2 for threats and vulnerabilities. This is because the consequence weight must be the same as the probability weight: since threats and vulnerabilities together “represent” probability, their maximum added value is 4, the same as for the consequence value.
Once you have calculated the risks, you must assess whether they are acceptable or not, and then move on to the next step, risk treatment.
Implementation of information security risk treatment
The goal of risk treatment is to control the hazards identified during the risk assessment. In most cases, this will mean reducing risk by reducing the likelihood of an incident (e.g., laminating documentation/using sealed packaging) and/or reducing exposure to assets (e.g., sealed doors). When considering risks, the organization should focus on those that are not acceptable. Otherwise, it will be difficult to prioritize and fund mitigation of all identified risks.
Risk treatment options:
1. Risk mitigation is the most common option and includes implementing safeguards (controls), such as leak and flood protection systems. Controls from ISO/IEC 27001 Annex A and any other controls the company considers appropriate are used for this purpose.
2. Risk avoidance means stopping certain tasks or processes if they pose risks that are simply too great to be mitigated by any other option. For example, you might prohibit the use of laptops outside of company premises if the risk of unauthorized access to those laptops is too great, or implement encryption for those devices.
3. Risk transfer means that you transfer the risk to another party. For example, you buy an insurance policy for your building, thereby transferring some of your financial risk to the insurance company. Unfortunately, this option has no effect on the incident itself, so the best strategy is to use this option along with options 1 and/or 2.
4. Retaining the risk is the least desirable option, meaning that your organization accepts the risk and does nothing about it. This option should only be used if the cost of mitigation is greater than the damage the incident will cause.
When you choose the risk mitigation option, you must implement one of three types of controls:
- Define new rules – rules are documented through plans, policies, procedures, instructions, etc.
- Implement new technology – for example: backup systems, disaster recovery locations for alternate data centers.
- Change the organizational structure – for example: introducing a new job function or changing the responsibilities of existing personnel.
To increase the chances of selecting the most efficient treatment and control options, you should consider involving specialists in related fields (e.g., IT staff for IT controls; HR specialists, if the treatment involves training, etc.). Such decisions will also require the involvement of the appropriate level of management. If you have doubts about who can decide this, consult with the project initiator on the management side.
Once treatment methods have been selected, you should assess the residual risk for each unacceptable risk identified earlier in the risk assessment.
For example, if you identified a Level 4 consequence and a Level 4 probability during the risk assessment (which would mean risk 8 by the addition method), your residual risk could become 5 if you estimated that the consequence would decrease to 3 and the probability to 2 because of the safeguards you planned to implement.
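The addition method, the acceptance check and the residual-risk step described above can be combined in a small risk register. This is an added example, not part of the original article; the 0-5 scales, the acceptable level of 7, all class and function names, and the asset and vulnerability details of entries R2 and R3 are assumptions made for illustration.

```python
from dataclasses import dataclass

SCALE_MAX = 5          # assumption: consequence and probability are both rated 0-5
ACCEPTABLE_LEVEL = 7   # assumption: on the 0-10 addition scale only 8, 9 and 10 are treated

def risk_level(consequence, probability):
    """Risk by the addition method, rejecting ratings outside the agreed scale."""
    for name, value in (("consequence", consequence), ("probability", probability)):
        if not 0 <= value <= SCALE_MAX:
            raise ValueError(f"{name}={value} is outside the 0-{SCALE_MAX} scale")
    return consequence + probability

@dataclass
class Risk:
    risk_id: str
    asset: str
    threat: str
    vulnerability: str
    consequence: int
    probability: int
    treatment: str = ""   # "mitigate", "avoid", "transfer" or "retain" once decided
    after: tuple = ()     # estimated (consequence, probability) after treatment

    def inherent(self):
        return risk_level(self.consequence, self.probability)

    def residual(self):
        return risk_level(*self.after) if self.after else self.inherent()

def status(risk):
    if risk.inherent() <= ACCEPTABLE_LEVEL:
        return "acceptable"   # within the acceptance criterion, no treatment needed
    if not risk.treatment:
        return "untreated"    # unacceptable and no treatment option chosen yet
    return "treated" if risk.residual() <= ACCEPTABLE_LEVEL else "residual too high"

def review(register):
    """Rows of (id, inherent, residual, status), highest inherent risk first."""
    ranked = sorted(register, key=Risk.inherent, reverse=True)
    return [(r.risk_id, r.inherent(), r.residual(), status(r)) for r in ranked]

# Constructed sample data: R1 and the R2 ratings come from the text, the rest is invented.
REGISTER = [
    Risk("R1", "Laptop", "Data loss", "Employees do not know how to protect their mobile devices", 3, 3),
    Risk("R2", "File server", "Data loss", "No backup system", 4, 4, "mitigate", (3, 2)),
    Risk("R3", "Customer database", "Unauthorized access", "Shared administrator password", 5, 4),
]
if __name__ == "__main__":
    print(*review(REGISTER), sep="\n")
```

A risk marked "retain" with no estimated ratings after treatment keeps its inherent level as residual, so it is reported as "residual too high" until the acceptance is handled outside the threshold rule.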
Once the risk treatment is complete, you can summarize the data in a risk assessment and treatment report to give a detailed overview of the process and meet the requirements of the standard to retain information about the risk assessment and treatment process.
The importance of the applicability statement
The applicability statement is the main link between risk assessment, risk treatment, and the implementation of your information security.
It is necessary to:
- Identify the controls that are required for reasons other than any identified risks (e.g., because of legal or contractual requirements).
- Justify the inclusion and exclusion of controls from Annex A and other sources.
- Create a summary form of applicable controls (114 from Annex A and any additional measures) to present to management and keep it up to date.
- Document whether each applicable control has already been implemented. A good option (and most auditors will require it) is to describe how each applicable control is implemented (e.g., by reference to a document or a brief description of the procedure or equipment used).
A comprehensive view contained in the applicability statement (what needs to be done on information security, why it needs to be done, and how it is done) has advantages:
- It forces organizations to systematically plan for their security by optimizing cost decisions (e.g., purchasing new equipment or changing procedures, or hiring a new employee).
- A well-written applicability statement can reduce the number of other documents. For example, if you want to document a particular control, but the procedure description for that control is quite short, you can describe it in the applicability statement.
- This provides guidance for auditors to understand the organization’s approach to security and to verify that you have implemented your controls as planned. It is a central document when conducting an internal ISO audit.
Risk management plan
The risk management plan is an “action plan” in which you need to specify which security measures you need to implement, who is responsible for them, what the timeline will be, and what resources (financial and human) will be required. As a result of the risk handling process, the risk management plan should be written after the statement of applicability, because the statement of applicability defines the controls that must be implemented, taking into account the comprehensive picture of information security: not only the results of risk handling, but also legal, regulatory and contractual requirements.
The risk mitigation plan is the point where theory ends and practice begins in accordance with ISO 27001. A good risk assessment and treatment, as well as a good applicability statement, will give a very useful action plan for implementing your information security.
Key benefits of risk management:
- A strategic approach to risk management: creating and allocating resources in the right way and at the right time, taking into account not only the needs of the company, but also the needs of customers and other stakeholders.
- Clarity of roles: top management, technical staff, end-users, experts – all people involved in information security must have certain roles (e.g., making decisions, determining risks, following procedures, etc.). This is one of the most cost-effective ways to reduce information security risks, because everyone will know what is expected of them.
- Actions appropriate to perceived threats: the same risk scenario can lead to different approaches by different companies, depending on their needs and expectations, so it is not wise to simply copy someone else’s approach. Companies must consider and define their own limits so that their risk actions are aligned with their goals.
Risk is “the effect of uncertainty on objectives,” so if you manage uncertainty in some way, you can effectively reduce the risk to your business. In terms of ISO 27001, this means that information can be effectively protected and used to help the business achieve its goals. By systematically identifying, analyzing, evaluating and reviewing a complete list of relevant risks, you can prevent undesirable situations and minimize negative consequences. By identifying and performing risk management, you effectively learn about potential problems before they actually occur.