fbpx

Risk Assessment is the process where you identify danger or threat vectors, that would harm your activity. Business Risk Assessment can be broken into smaller components to understand on which aspect of business they would impact. This also helps us find ways to control them.

ISO 27001 is an international standard that deals with information security management and the risk it would create to the business. It helps in a structured manner to understand the risk to financial information, intellectual property and even information that is relayed to and by third parties.

ISO 27001 requirements are not very difficult – here is what clause 6.1.2 requires, and some commonly adopted approaches:

RequirementCommon approaches
1) Define how to identify the risks that could cause the loss of confidentiality, integrity, and/or availability of your information.You can identify risks based on assets, threats, and vulnerabilities, based on your processes, based on your departments, using only threats and not vulnerabilities, or any other methodology you like.
2) Define how to identify the risk owners.You should choose a person who is both interested in resolving a risk and positioned highly enough in the organization to do something about it.
3) Define criteria for assessing consequences and assessing the likelihood of the risk.You should assess separately the consequences and likelihood for each of your risks, but you are completely free to use whichever scales you like.
4) Define how the risk will be calculated.This is usually done through addition (e.g., 2 + 5 = 7) or through multiplication (e.g., 2 x 5 = 10). If you use a scale of Low-Medium- High, this would be the same as using a scale of 1-2-3, so you still have numbers for calculation.
5) Define the criteria for accepting risks.If your method of risk calculation produces values from 2 to 10, then you can decide that an acceptable level of risk is, e.g., 7 – this would mean that only the risks valued at 8, 9, and 10 would need treatment. Alternatively, you can examine each individual risk and decide which should be treated or not based on your own insight and experience, using no pre-defined values.

Risk assessment: How to match assets, threats, and vulnerabilities.

Risk identification is the first half of the risk assessment process, and to make your risk assessment easier, you can use a sheet listing assets, threats, and vulnerabilities in columns; you should also include additional information like risk ID, risk owners, impact and likelihood, etc.

Here are some examples of what this matching of the three components could look like:

Asset: Paper document

  • Threat: fire; vulnerability: document is not stored in a fire-proof cabinet (risk related to the loss of availability of the information)
  • Threat: fire; vulnerability: there is no backup of the document (potential loss of availability)
  • Threat: unauthorised access; vulnerability: document is not locked in a cabinet (potential loss of confidentiality)

Asset: Digital document

  • Threat: disk failure; vulnerability: there is no backup of the document (potential loss of availability)
  • Threat: virus; vulnerability: anti-virus program is not properly updated (potential loss of confidentiality, integrity, and availability)
  • Threat: unauthorised access; vulnerability: access control scheme is not properly defined (potential loss of confidentiality, integrity, and availability)
  • Threat: unauthorised access; vulnerability: access was given to too many people (potential loss of confidentiality, integrity, and availability)

Asset: System administrator

  • Threat: unavailability of this person; vulnerability: there is no replacement for this position (potential loss of availability)
  • Threat: frequent errors; vulnerability: lack of training (potential loss of integrity and availability) etc.

Some people prefer using tools for this kind of work, and I agree this could be a good move for larger companies; but, for smaller ones, using a tool would only take too much time.

How to assess consequences and likelihood in risk analysis.

In simple risk assessment, you assess the consequences and the likelihood directly – once you identify the risks, you simply have to use scales to assess separately the consequences and the likelihood of each risk. For example, you can use the scale of 0 to 4, where 0 would be very low, 1 low, 2 medium, and so on, or the scale 1 to 10, or Low-Medium-High, or any other scale. The larger the scale, the more precise the results you will have, but also the more time you will spend performing the assessment.

So, for example, in simple risk assessment you might have something like this:

  • Asset: laptop
  • Threat: theft
  • Vulnerability: employees do not know how to protect their mobile devices
  • Consequences: 3 (on a scale from 0 to 4)
  • Likelihood: 4 (on a scale from 0 to 4)

In detailed risk assessment, instead of assessing two elements (consequences and likelihood), you assess three elements: asset value, threat, and vulnerability. So, here’s an example of this detailed risk assessment:

  • Asset: laptop
  • Threat: theft
  • Vulnerability: employees do not know how to protect their mobile devices
  • Asset value: 3 (on a scale from 0 to 4)
  • Threat value: 2 (on a scale from 0 to 2)
  • Vulnerability value: 2 (on a scale from 0 to 2)

Again, calculating risk is actually very simple – this is usually done through addition (e.g., 2 + 5 = 7) or through multiplication (e.g., 2 x 5 = 10). If you use a Low-Medium-High scale, then this is the same as using 0-1-2, so you still have numbers for calculation.

So, using the above examples, here is how to calculate the risk using addition:

  • Simple risk assessment: Consequences (3) + Likelihood (4) = Risk (7)
  • Detailed risk assessment: Asset value (3) + Threat value (2) + Vulnerability value (2) = Risk (7)

In the detailed risk assessment, you’ll notice that I used the scale 0 to 4 for assessing the asset value, and smaller scales of 0 to 2 for assessing threats and vulnerabilities. This is because the weight of the consequence should be the same as the weight of the likelihood – because threats and vulnerabilities jointly “represent” the likelihood, their maximum added value is 4, the same as for the consequence value.

Implementing information security risk treatment

During the risk treatment the organisation should focus on those risks that are not acceptable; otherwise, it would be difficult to define priorities and to finance the mitigation of all the identified risks.

Usually, risk treatment options are to:

  1. Decrease the risk – this option is the most common, and it includes implementation of safeguards (controls) – like fire-suppression systems, etc. For that purpose, the controls from ISO 27001 Annex A are used (and any other controls that a company thinks are appropriate).
  2. Avoid the risk – stop performing certain tasks or processes if they incur such risks that are simply too big to mitigate with any other options – e.g., you can decide to ban the usage of laptops outside of the company premises if the risk of unauthorized access to those laptops is too high (because, e.g., such hacks could halt the complete IT infrastructure you are using).
  3. Share the risk – this means you transfer the risk to another party – e.g., you buy an insurance policy for your building against fire, thereby transferring part of your financial risk to an insurance company. Unfortunately, this option does not have any influence on the incident itself, so the best strategy is to use this option together with options 1) and/or 2).
  4. Retain the risk – this is the least desirable option, and it means your organization accepts the risk without doing anything about it. This option should be used only if the mitigation cost would be higher than the damage an incident would incur.

The importance of the Statement of Applicability

The Statement of Applicability is the main link between the risk assessment & treatment and the implementation of your information security. In it, you will need to:

  • Identify the controls that are necessary for reasons other than any identified risks (e.g., because of legal or contractual requirements, because of other processes, etc.).
  • Justify the inclusion and exclusion of controls from Annex A, as well as the inclusion of controls from other sources.
  • Record a summarised form of applicable controls (114 from Annex A, plus any additional ones), to present it to management and to keep it up to date.
  • Document whether each applicable control is already implemented or not. Good practice (and most auditors will be looking for this) is also to describe how each applicable control is implemented – e.g., either by making a reference to a document (policy/procedure/working instruction, etc.), or by briefly describing the procedure in use or equipment that is used.

The Risk Treatment Plan

To start thinking about the Risk Treatment Plan, it would be easier to think of it as an “Action Plan” in which you need to specify which security controls you need to implement, who is responsible for them, what the deadlines will be, and which resources (i.e., financial and human) are required.

As an output of the risk treatment process, the Risk Treatment Plan must be written after the Statement of Applicability, because this document defines the controls that need to be implemented, given a comprehensive picture of information security, considering not only the result of risk treatment, but also legal, regulatory, and contractual requirements, other business needs, etc.

To Conclude

The Risk Treatment Plan is the point where theory stops, and real life begins according to ISO 27001. A good risk assessment and risk treatment process, as well as a comprehensive Statement of Applicability, will produce a very usable action plan for your information security implementation.