Five simple steps to Risk Management

A risk management process that meets the requirements of ISO/IEC 27001:2022 should have at least these five steps:

1. Establish a risk management framework

These are the rules governing how you intend to identify risks, to whom you will assign risk ownership, how the risks impact the confidentiality, integrity and availability of the information, and the method of calculating the estimated impact and likelihood of the risk occurring. Before it can be used, a formal risk assessment methodology also needs to settle the following points, each of which should be approved by top management:

  • Security objectives
  • Asset inventory
  • Risk scale
  • Risk appetite
  • Qualitative, semi-quantitative or quantitative risk assessment

2. Identify risks

Identifying the risks that can affect the confidentiality, integrity and availability of information is the most time-consuming part of the risk assessment process. IT Governance recommends following an asset-based risk assessment process. Developing a list of information assets is a good place to start. It will be easiest to work from an existing list of information assets that includes hard copies of information, electronic files, removable media, mobile devices and intangibles, such as intellectual property.


3. Analyse risks

Identify the threats and vulnerabilities that apply to each asset. For instance, the threat could be ‘theft of mobile device’, and the vulnerability could be ‘lack of formal policy for mobile devices’. Assign impact and likelihood values based on your risk criteria.


4. Evaluate risks

You need to weigh each risk against your predetermined levels of acceptable risk, and prioritize which risks need to be addressed in which order.


5. Select risk treatment options

There are four suggested ways to treat risks:

  1. ‘Avoid’ the risk by eliminating it entirely.
  2. ‘Mitigate’ the risk by applying security controls.
  3. ‘Transfer’ the risk to a third party (through insurance or outsourcing).
  4. ‘Accept’ the risk (if the risk falls within established risk acceptance criteria).
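The five steps above, from the risk scale fixed in the framework through to the treatment decision, can be carried in a small risk register. The following is an added example, not code from the original article or from IT Governance: it assumes a 1 to 5 scale for impact and likelihood with the score as their product, an assumed risk appetite of 8, and a constructed register built around the article's own ‘theft of mobile device’ example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed risk scale for this example: impact and likelihood each rated
# 1 (lowest) to 5 (highest); risk score = impact x likelihood (1..25).
SCALE_MIN, SCALE_MAX = 1, 5

# The four treatment options named in the text.
TREATMENT_OPTIONS = ("avoid", "mitigate", "transfer", "accept")


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    impact: int        # effect on confidentiality, integrity or availability
    likelihood: int    # how likely the threat is to exploit the vulnerability
    owner: str         # assigned risk owner
    treatment: Optional[str] = None   # chosen by the owner, see validate_treatment

    def __post_init__(self) -> None:
        # Enforce the risk scale agreed in the framework (step 1).
        for name, value in (("impact", self.impact), ("likelihood", self.likelihood)):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{name}={value} is outside the risk scale {SCALE_MIN}-{SCALE_MAX}")

    @property
    def score(self) -> int:
        return self.impact * self.likelihood


def evaluate(register: List[Risk], appetite: int) -> List[Tuple[Risk, str]]:
    """Step 4: rank risks highest first and flag each as 'accept' or 'treat'.

    A score at or below the appetite falls within the acceptance criteria;
    ties on score are ordered by impact so high-impact items surface first.
    """
    ranked = sorted(register, key=lambda r: (r.score, r.impact), reverse=True)
    return [(r, "accept" if r.score <= appetite else "treat") for r in ranked]


def validate_treatment(risk: Risk, appetite: int) -> str:
    """Step 5: check the owner's option against the four options and the appetite."""
    if risk.treatment not in TREATMENT_OPTIONS:
        raise ValueError(f"{risk.asset}: treatment must be one of {TREATMENT_OPTIONS}")
    if risk.treatment == "accept" and risk.score > appetite:
        raise ValueError(f"{risk.asset}: score {risk.score} exceeds appetite {appetite}; cannot simply accept")
    return risk.treatment


def treatment_plan(register: List[Risk], appetite: int) -> List[dict]:
    """Rows for the risk treatment plan: every risk, its score, decision and owner."""
    rows = []
    for risk, decision in evaluate(register, appetite):
        rows.append({
            "asset": risk.asset,
            "threat": risk.threat,
            "vulnerability": risk.vulnerability,
            "score": risk.score,
            "decision": decision,
            "treatment": validate_treatment(risk, appetite),
            "owner": risk.owner,
        })
    return rows


# Constructed sample register (not from the page) using the article's own
# mobile-device example plus two other asset types from its asset list.
RISK_APPETITE = 8   # assumed: scores above 8 must be treated
REGISTER = [
    Risk("Staff laptops", "theft of mobile device", "lack of formal policy for mobile devices",
         impact=4, likelihood=3, owner="IT manager", treatment="mitigate"),
    Risk("HR personnel files (hard copy)", "unauthorised reading", "cabinets left unlocked",
         impact=3, likelihood=2, owner="HR manager", treatment="accept"),
    Risk("Product source code", "loss of intellectual property", "no access review on repositories",
         impact=5, likelihood=2, owner="Engineering lead", treatment="mitigate"),
]

if __name__ == "__main__":
    for row in treatment_plan(REGISTER, RISK_APPETITE):
        print(f"{row['score']:>2}  {row['decision']:<6}  {row['treatment']:<9}  {row['asset']}")
```

Running it lists the laptops (score 12) and source code (10) as needing treatment ahead of the hard-copy files (6), which sit within the assumed appetite and may be accepted. The register rejects scores outside the agreed scale and refuses to record ‘accept’ for a risk above the appetite, so the plan cannot quietly accept something the criteria say must be treated.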

Compile risk reports

ISO 27001 requires the organization to produce a set of reports, based on the risk assessment, for audit and certification purposes. The following two reports are the most important:

  • Statement of Applicability (SoA) – All organizations seeking ISO/IEC 27001 certification must produce a list of all controls from Annex A of the Standard, together with a statement justifying either the inclusion or exclusion of each control.
  • Risk treatment plan (RTP) – On the basis of your risk assessment, your risk treatment plan describes how your organization intends to address the risks identified.

Review, monitor and audit

Continual improvement is a requirement of ISO 27001, which means that organizations need to continually review, update and improve the ISMS (information security management system) to ensure that it functions optimally and effectively protects your information assets from external and internal threats.

Internal audit provides one method of continual review. An internal audit produces a set of reports to demonstrate that risks are being appropriately treated.


Risk assessments are conducted across the whole organization. They cover all the possible risks to which information could be exposed, balanced against the likelihood of those risks materializing and their potential impact. Once the risk assessment has been conducted, the company needs to decide how it will manage and mitigate those risks, based on allocated resources and budget.

