What is the risk assessment in ISO 27001?


Risk assessment is probably the toughest part of an ISO 27001 implementation, but it is also the most important step in building your information security project, because it lays the foundation for the company's safe future. Risk assessment (or risk analysis) is the first step of risk management and is followed by risk treatment. Risk assessment aims to identify information security risks and determine their likelihood and impact. In simpler words, a risk assessment helps the organisation recognise all potential problems in its current information management system and categorise them by how often they occur and what consequences they have. The goal of risk treatment, in turn, is to find out which security controls are needed to avoid those potential incidents. These safeguards or controls can be selected from ISO 27001 Annex A, which specifies 114 controls. This article outlines the main steps of the ISO 27001 risk assessment and treatment plan.

Main steps of ISO 27001 risk assessment example

Although risk management under ISO 27001 is a complex job, it is often made unnecessarily complicated and mystifying. That is the main reason why the cost of ISO 27001 is worth what it takes. The following steps shed light on what you need to do:

Risk assessment methodology in ISO 27001

The first step in your risk management journey is to understand the risk assessment methodology. Because you want homogeneity across your organisation, you must begin by defining the rules for how you are going to perform risk management. Inconsistencies arise if different parts of your organisation perform the risk assessment in different ways. Therefore, you need to define whether you will conduct a qualitative or a quantitative risk assessment, which scales will be used for a qualitative assessment, and what the level of acceptable risk is.


Risk assessment implementation

Once the rules have been defined, you can begin identifying which potential problems could happen to your organisation. To identify them, first create a list of all your assets, then list the threats and vulnerabilities related to each identified asset. For each combination of asset, threat and vulnerability, assess the impact and the likelihood; these two values together give you the level of risk for that combination.

Risk treatment implementation

Before you begin implementing the risk treatment, you need to prioritise and focus on the important dangers, the so-called "unacceptable risks." When choosing a treatment plan, ISO 27001 certification Australia provides four options for handling or mitigating each risk: risk enhancement, risk exploitation, risk sharing and risk acceptance. Risk enhancement means taking measures to increase the probability of a risk, for the ultimate good of the organisation. A good example is taking the opportunity to increase productivity by implementing remote access through sharing the existing resources: sharing existing processes is considered a risk, but enhancing it ultimately leads to increased productivity. Similarly, risk exploitation means taking every possible action to ensure that the risk will happen; this is usually done to test the effectiveness of different incident response procedures. Risk sharing takes place when an organisation realises that, by itself, it cannot harness the benefits of an opportunity, so it splits the costs and effort of taking advantage of a specific risk/opportunity with another party. Lastly, risk acceptance takes place when an organisation consciously decides not to invest energy, resources or time in mitigating a specific risk.
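The methodology, assessment and treatment steps above can be made concrete with a small qualitative risk register. The following Python is an added example written for this article, not tooling from the standard or from any certification body: it assumes three-point likelihood and impact scales, an acceptable-risk level of 4 (both are choices the organisation's own methodology has to make), constructed sample register entries, and Annex A control identifiers from the 2013 edition of the standard (the one with 114 controls). Each asset/threat/vulnerability combination is scored as likelihood times impact, risks above the acceptable level are flagged as unacceptable so they can be treated first, and the selected controls are collected into a statement-of-applicability style map.

```python
"""Qualitative ISO 27001-style risk register (added example, not from the standard).

Each entry is an asset / threat / vulnerability combination scored on
likelihood x impact and compared with the organisation's acceptable-risk level.
"""
from dataclasses import dataclass, field

# Assumed qualitative scales; the standard leaves scales and the
# acceptable-risk level to the organisation's risk assessment methodology.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}
ACCEPTABLE_RISK_LEVEL = 4  # assumption: a level of 4 or below is accepted


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    owner: str                 # clause 6.1.2 asks for a risk owner per risk
    treatment: str = "untreated"
    controls: list = field(default_factory=list)

    @property
    def level(self) -> int:
        """Risk level = likelihood x impact on the assumed scales."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    @property
    def acceptable(self) -> bool:
        return self.level <= ACCEPTABLE_RISK_LEVEL


def assess(register):
    """Validate scale values and return risks ordered highest level first."""
    for r in register:
        if r.likelihood not in LIKELIHOOD or r.impact not in IMPACT:
            raise ValueError(f"unknown scale value on {r.asset}/{r.threat}")
    return sorted(register, key=lambda r: (-r.level, r.asset, r.threat))


def unacceptable(register):
    """The risks that must be prioritised in the treatment step."""
    return [r for r in assess(register) if not r.acceptable]


def treat(risk, treatment, controls=()):
    """Record the treatment decision and the Annex A controls chosen for it."""
    risk.treatment = treatment
    risk.controls = list(controls)
    return risk


def statement_of_applicability(register):
    """Map each selected control to the asset/threat pairs that justify it."""
    soa = {}
    for r in register:
        for control in r.controls:
            soa.setdefault(control, []).append(f"{r.asset}/{r.threat}")
    return soa


def build_sample_register():
    """Constructed sample entries for illustration, not real organisation data."""
    return [
        Risk("customer database", "web application attack", "unvalidated input",
             "medium", "high", "CTO"),
        Risk("customer database", "disk failure", "no tested backups",
             "low", "high", "CTO"),
        Risk("laptops", "theft", "disk not encrypted",
             "medium", "medium", "IT manager"),
        Risk("office wifi", "eavesdropping", "shared pre-shared key",
             "low", "low", "IT manager"),
    ]


if __name__ == "__main__":
    register = build_sample_register()
    for r in assess(register):
        flag = "UNACCEPTABLE" if not r.acceptable else "acceptable"
        print(f"{r.level:>2}  {flag:<12} {r.asset} / {r.threat} / {r.vulnerability}")
    for r in unacceptable(register):
        treat(r, "reduce with controls", ["A.14.2.1 Secure development policy"])
    print(statement_of_applicability(register))
```

Running the block lists the four constructed risks in descending order of level (6, 4, 3, 1); only the level-6 database risk exceeds the assumed acceptable level, so it is the one the treatment step records controls for, and the statement-of-applicability map then shows which risk justified that control.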

ISO 27001 risk assessment report

Unlike the previous steps, this step is quite monotonous: the organisation needs to document all the steps it has covered so far. This documentation is what auditors check in the following years during the re-certification process.


Statement of applicability; ISO 27001 risk examples

The statement of applicability showcases the security profile of your company. It is based on the results of the risk treatment conducted according to ISO 27001. Here you need to list all the controls you have implemented, why you chose them, and which procedures you chose for implementing them. This document is essential because the certification auditor uses it as the main guideline for the certification audit.


Risk treatment plan

This step is the real-world application of the risk treatment plan. Up to this point, risk management has been purely theoretical; from this step onwards, it is time to show concrete results. Here you define exactly who is going to implement each control, in which timeframe, and with what budget and resources. This is why the document is often called an "action plan" or "implementation plan."


In this article we explained what the risk assessment in ISO 27001 is. Note that ISO 27001 requires organisations to document the entire risk assessment process under clause 6.1.2, and this is usually done in a document called the risk assessment methodology. This clause is very helpful for companies because it dispels many myths about risk assessment. Essentially, it asks organisations to define how they identify risks that could cause the loss of confidentiality, integrity and/or availability of their information, and how they identify the risk owners. This is followed by defining the criteria for assessing the consequences and the likelihood of each risk, how risk levels are calculated, and the criteria for accepting risks.
