
Guide to Risk Assessment When Your Organisation is ISO 27001 Certified

Author: Damon Anderson
Posted: Apr 04, 2021

A core necessity after getting the ISO 27001 certification for your ISMS (Information Security Management System) is running a risk assessment regularly. Conducting a risk assessment is essential because it helps organisations identify risks, analyse them, find out their causes, and implement controls to avoid or mitigate them. In other words, it helps in identifying better security measures and controls to incorporate in your ISMS. It is the key to continuous improvement of your ISMS, which is a core principle of the ISO 27001 standard.

Risk assessments are not only necessary for maintaining ISO compliance; there are several other reasons for organisations to do them, including:

  • It helps in understanding the specific situations or actions that can cause data to be compromised
  • It helps to assess the consequences, or extent of damage, that can occur in each situation
  • It helps to determine the frequency or likelihood of a situation occurring

However, how to get started with the risk assessment process is a major concern for organisations. Here are the key steps to consider.

Deciding a Proper Risk Assessment Methodology

The first element of risk assessment is identifying a particular methodology or framework to perform it. It should include appropriate measures to identify risks, report risks, and understand how they can be mitigated. The risk assessment methodology should also include determining who is going to take ownership of each risk, how it affects the confidentiality of information, and how much damage it could cause to the integrity of the organisation. Determining all this is essential to finding the most effective measures to address the risks.

Identifying the Risks

With a proper methodology in hand, the next step is to assess your information systems and processes across the organisation to identify risks. Identifying every risk that can potentially affect the privacy and integrity of your organisation is also important for knowing your business’s core information security requirements. Maintaining a list of the identified risks is a good way to approach risk management. It helps to keep track of which risks have already been treated and which still need to be treated. The list should also include details such as the risk scale, the magnitude of damages/consequences, and the approach to treating them.

Analysis and Evaluation of Risks

Your organisation needs to understand the vulnerabilities behind the risks to its assets, operations, confidentiality, information availability, and reputation. For instance, if there is a security theft through mobile devices, the vulnerability can affect all levels of the organisation. It hence needs to be treated by revising the mobile device usage policy.

Evaluating each risk is also necessary to understand its significance and the depth of measures needed to respond to it. Utilising a risk assessment matrix or a similar assessment tool is useful for knowing which risks should be prioritised and responded to first.

Getting the Right Elimination Options

Selecting the right options to eliminate the risks is the last step of a proper risk assessment process. There are several common ways to deal with risks:

  • Eliminate the risk completely by avoiding the situation that causes it
  • Reduce the severity of the risk by applying effective security controls
  • Share or outsource the risk to an external agency or third party (giving them ownership of controlling it)
  • Retain the risk if it is less severe and falls within the criteria for risk acceptance

With a number of ways defined to take care of risks, the one to choose depends entirely on the type of risk and the circumstances in which it occurs. The first way, eliminating the risk, is the most effective, but implementing the security controls needed for that is often expensive and time-consuming. That is why you may have to consider other ways to treat it.

Reducing or eliminating risks to your information security management and protecting your organisation’s confidentiality is the main reason to get ISO 27001 certification. However, that needs a proper approach to risk assessment, and these steps can help you assess risks before implementing ways to prevent them.

About the Author

Damon Anderson is the director of an ISO certification consultancy which advises businesses in different sectors on achieving the required ISO certification easily.
