It is now considered good practice to perform risk assessments - or at very least to acknowledge that they should be done.
Unfortunately, far too often we see that businesses only conduct risk assessments in order to satisfy some sort of compliance requirement or other types of requirements (audit, contract, statute etc.). If you are lucky, you might have the resources to conduct them once per year.
Typically, you will conduct your risk assessment, speak with your organisation and then finally you submit a fancy report. And then your "project" is done. However, it would be wrong to consider the risk assessment as a project. Risk assessments should be a process. It is a process that involves feedback and continual adjustments.
The ISO27001 standard states that a risk assessment is the driving force behind the security work
» Our risk assessment is the basis of our information security and it permeates our entire ISMS
» We need to use our risk management plan in selecting the right security measures in our company
» Our risk assessment helps to ensure that management is on a firm footing and that the company's needs are identified
And how do we do that?
We must make an active choice to apply the risk assessment. We need to change our culture with regards to risk assessments.
Specifically, as a part of the risk assessment, we need to do the following:
- Establish our risk acceptance criteria - i.e., how much risk we are willing to accept before taking action
- Determine the criteria for when we want to assess risks, e.g., when we get new systems or changes to the infrastructure - in other words, it is a dynamic process and not just something we do once per year
- Evaluate our results - do our risks fall above or below our risk acceptance criteria?
- Manage our risks - once we find some risks that are beyond our risk acceptance, we need to do something about it!
Risk Treatment
Risk treatment, as it is called in ISO27001/5, is the part of the process that brings the risk assessment results into the rest of our ISMS.
When we treat identified risks that are beyond our risk acceptance criteria, we do the following:
- We define what we want to do with the risk
- Reduce the risk - more security measures, greater security, new rules
- Eliminate the risk - we shut down or replace the system or the process that generates the risk
- Share the risk - insurance policies covering the risks, outsourcing to a third party
- Accept the risk - it is too expensive to do anything about the risk, so management accepts it
- We prepare action plans for the risks that we have decided to address
- What needs to be done (see Section 1)?
- Who is responsible?
- When is the deadline?
- How high is the priority?
- We follow up on the action plans
- Have the responsible parties done their work?
- Where can we see the result?
- We monitor our risk
- Updating the risk assessment where we have implemented action plans
- Has the risk increased?
- Has the risk decreased?
- Can we continue to accept the risks we have accepted?
If we apply or comply with ISO27001, the risks we have identified, as well as the identified action plans, can be linked to our "Statement of Applicability". This ensures we have a common thread throughout our security measures and controls.
The risk treatment plans may also set out inter alia requirements on how we implement:
- Contingency plans
- Awareness
- Internal audit
- Metrics
- Handling of security incidents
- etc.
In conclusion, I would like to remind you that a risk assessment is not just something to do for the auditor; it is something you need to do for yourself. It is an extremely important and powerful tool for implementing information security - so use it!
Other resources
One of the governing elements in ISO 27001 is the requirement that information security be based on the actual risks to which the organisation is exposed. As a whole, this activity is known as risk management. Our 8-page guideline for risk assessment is based on the Risk Management standard, ISO 27005. Download it here.
