ISO 27001 Risk Assessment: The Ultimate Guide

Rollback to version 1

0:05 - 0:08

[Music]
0:08 - 0:11

what is information security risk
0:11 - 0:13

information security risk is simply a
0:13 - 0:15

combination of the impact that could
0:15 - 0:17

result from a threat compromising one of
0:17 - 0:20

your important information assets and
0:20 - 0:22

the likelihood of this happening
0:22 - 0:26

risk management in iso 27001
0:26 - 0:29

iso 27001 requires that you implement a
0:29 - 0:31

management system to help you manage the
0:31 - 0:33

security of your important information
0:33 - 0:34

assets
0:34 - 0:36

the backbone of this is formed from the
0:36 - 0:38

need to develop and implement an
0:38 - 0:41

appropriate and effective information
0:41 - 0:45

security risk management methodology
0:45 - 0:48

iso 27001 risk management
0:48 - 0:50

you should develop and implement a risk
0:50 - 0:52

management methodology which allows you
0:52 - 0:54

to identify your important information
0:54 - 0:57

assets and to determine why they need
0:57 - 0:59

protecting
0:59 - 1:01

it is important to note here that when
1:01 - 1:03

information security is mentioned people
1:03 - 1:05

immediately start thinking about
1:05 - 1:07

confidentiality aspects but the
1:07 - 1:10

availability and integrity aspects also
1:10 - 1:13

need to be taken into consideration
1:13 - 1:15

as these are important components of
1:15 - 1:17

information security
1:17 - 1:19

once this has been achieved your
1:19 - 1:21

methodology needs to be able to identify
1:21 - 1:24

the likelihood of something going wrong
1:24 - 1:26

and what can be done to mitigate this
1:26 - 1:27

risk
1:27 - 1:30

in a nutshell it enables you to quantify
1:30 - 1:32

the impact and the likelihood elements
1:32 - 1:35

of information security risk and then go
1:35 - 1:38

on to do something about it
1:38 - 1:43

iso 27001 risk management framework
1:43 - 1:45

there are several discrete stages of an
1:45 - 1:49

iso 27001 risk management methodology
1:49 - 1:50

first of all it is important to
1:50 - 1:52

understand the information security
1:52 - 1:55

context of your organization
1:55 - 1:57

once this has been achieved you can
1:57 - 1:59

perform a risk assessment which includes
1:59 - 2:02

the need to identify your risks
2:02 - 2:05

analyze them and evaluate them
2:05 - 2:07

you then need to determine a suitable
2:07 - 2:08

treatment for the risks you have
2:08 - 2:11

assessed and then implement that
2:11 - 2:12

treatment
2:12 - 2:14

it is vitally important that you do not
2:14 - 2:17

see this as a one-off exercise
2:17 - 2:19

your risk management methodology should
2:19 - 2:21

be designed to be iterative
2:21 - 2:23

this enables you to not only review the
2:23 - 2:25

status of risks you have previously
2:25 - 2:28

identified taking into consideration any
2:28 - 2:31

potential changes in context but it also
2:31 - 2:34

enables you to identify new risks
2:34 - 2:36

the high level stages of a risk
2:36 - 2:38

management methodology as described
2:38 - 2:40

above should be thought of as a
2:40 - 2:43

framework that enables risk management
2:43 - 2:45

to be embedded within key processes
2:45 - 2:47

throughout your organization
2:47 - 2:49

so that any identified risks are
2:49 - 2:51

comparable
2:51 - 2:54

iso 27001 risk management context
2:54 - 2:56

the first stage of your risk management
2:56 - 2:59

methodology needs to identify what is
2:59 - 3:01

important to you or your organization
3:01 - 3:03

from an information security point of
3:03 - 3:04

view
3:04 - 3:07

iso 27001 requires you to determine the
3:07 - 3:09

context of your organization
3:09 - 3:11

part of which means that you need to be
3:11 - 3:13

able to identify the information
3:13 - 3:15

security related issues that you face
3:15 - 3:18

along with who the internal and external
3:18 - 3:20

interested parties are and what their
3:20 - 3:23

needs and expectations are
3:23 - 3:25

it is important to also understand what
3:25 - 3:27

your risk appetite is at this stage as
3:27 - 3:30

we will need this information later
3:30 - 3:32

once you have done this you are able to
3:32 - 3:34

determine what is important about the
3:34 - 3:36

different information assets under your
3:36 - 3:38

control
3:38 - 3:41

iso 27001 risk management what is risk
3:41 - 3:44

appetite
3:44 - 3:46

risk appetite is simply the amount and
3:46 - 3:48

type of risk you are willing to accept
3:48 - 3:50

or retain
3:50 - 3:52

in order to allow business operations to
3:52 - 3:53

proceed
3:53 - 3:55

this is important because too much
3:55 - 3:57

security can sometimes compromise your
3:57 - 4:01

operational viability whereas too little
4:01 - 4:02

will reduce the confidence of your
4:02 - 4:04

stakeholders
4:04 - 4:06

some types of organizations are willing
4:06 - 4:09

to accept more risk than others
4:09 - 4:11

for example a hedge fund manager is
4:11 - 4:13

likely to take more risk in order to
4:13 - 4:15

make greater profits over a short space
4:15 - 4:18

of time whereas a pension fund manager
4:18 - 4:21

generally prefers a less risky steady
4:21 - 4:23

growth approach
4:23 - 4:27

iso 27001 risk assessment methodology
4:27 - 4:29

risk identification
4:29 - 4:31

once you have determined the context you
4:31 - 4:33

can go ahead and conduct a risk
4:33 - 4:34

assessment
4:34 - 4:36

the first part of a risk assessment is
4:36 - 4:39

to identify the risks that you face
4:39 - 4:40

this can be broken down into three
4:40 - 4:43

elements the first element is to
4:43 - 4:45

identify your information assets an
4:45 - 4:47

information asset is any information
4:47 - 4:49

that has value to you
4:49 - 4:51

there are several different ways to
4:51 - 4:53

calculate the value of an asset but it
4:53 - 4:55

is important that you not only consider
4:55 - 4:57

the confidentiality needs of the
4:57 - 5:00

information but also the integrity and
5:00 - 5:02

availability requirements
5:02 - 5:04

the second element of risk
5:04 - 5:06

identification is threat analysis you
5:06 - 5:08

need to have a process which enables you
5:08 - 5:10

to identify all of the threats which are
5:10 - 5:12

applicable to the assets you have
5:12 - 5:14

identified
5:14 - 5:16

if a particular threat is applicable
5:16 - 5:18

then it is also a good idea to think
5:18 - 5:20

about how probable it is that the threat
5:20 - 5:22

will materialize
5:22 - 5:24

for example if you use windows based
5:24 - 5:25

computer systems which are connected
5:25 - 5:28

somehow to the internet the probability
5:28 - 5:30

of them being affected by a virus is
5:30 - 5:32

probably very high if you do nothing to
5:32 - 5:33

stop it
5:33 - 5:35

whereas if you are using an apple mac
5:35 - 5:38

which is never connected to the internet
5:38 - 5:40

the probability is very low
5:40 - 5:43

the third element of risk identification
5:43 - 5:44

is the need to determine if there are
5:44 - 5:46

any vulnerabilities that would allow a
5:46 - 5:48

threat that you have identified to cause
5:48 - 5:51

an impact on your asset
5:51 - 5:52

to carry on with the example we have
5:52 - 5:55

just used if you have an antivirus
5:55 - 5:58

system installed and running on your
5:58 - 6:00

internet connected windows computers you
6:00 - 6:02

are less vulnerable to this particular
6:02 - 6:05

threat than if you didn't
6:05 - 6:09

iso 27001 risk assessment methodology
6:09 - 6:11

risk analysis
6:11 - 6:13

one of the useful aspects of the output
6:13 - 6:15

from an effective risk assessment is the
6:15 - 6:19

ability to prioritize your risks this is
6:19 - 6:21

important as you may not have sufficient
6:21 - 6:23

resources to fully mitigate every risk
6:23 - 6:25

that you identify
6:25 - 6:26

this means that it is important to
6:26 - 6:29

somehow quantify your risks
6:29 - 6:32

to do this we need to know two things
6:32 - 6:34

first how much of an impact would be
6:34 - 6:36

felt if a compromise occurred and second
6:36 - 6:38

what is the likelihood of that threat
6:38 - 6:40

occurring
6:40 - 6:42

one good idea is to use a set of scales
6:42 - 6:45

to record values in these areas
6:45 - 6:48

for example using a scale of one to five
6:48 - 6:50

we could say how impactful it would be
6:50 - 6:52

if the confidentiality of an asset were
6:52 - 6:53

breached
6:53 - 6:55

clearly breaches of confidentiality
6:55 - 6:57

would cause a greater impact for some
6:57 - 7:00

assets for example hr records than
7:00 - 7:04

others like the staff canteen menu
7:04 - 7:06

a second one to five scale could be used
7:06 - 7:08

to determine the likelihood of a breach
7:08 - 7:10

occurring and we would take into
7:10 - 7:11

consideration the threat and
7:11 - 7:13

vulnerability information we spoke about
7:13 - 7:16

earlier in order to do this
7:16 - 7:20

iso 27001 risk assessment methodology
7:20 - 7:22

risk evaluation
7:22 - 7:24

risk evaluation is a relatively simple
7:24 - 7:27

process as it requires you to identify
7:27 - 7:28

whether or not the risk that you have
7:28 - 7:32

identified is above or below appetite
7:32 - 7:34

to do this the first thing we need to do
7:34 - 7:36

is calculate the value of the risk which
7:36 - 7:38

simply means multiplying the impact and
7:38 - 7:41

likelihood values together
7:41 - 7:43

we have a range of possible values which
7:43 - 7:45

result from multiplying the two one to
7:45 - 7:48

five scales together
7:48 - 7:50

the appetite is stated within the
7:50 - 7:52

methodology as a particular value on the
7:52 - 7:54

five by five matrix
7:54 - 7:56

if a particular risk is above this value
7:56 - 7:58

then it is above appetite which means
7:58 - 8:00

that it can then be flanked for
8:00 - 8:01

treatment
8:01 - 8:04

anything below appetite can be accepted
8:04 - 8:07

and monitored for change
8:07 - 8:12

iso 27001 risk treatment methodology
8:12 - 8:14

your risk management methodology needs
8:14 - 8:16

to include a methodology for determining
8:16 - 8:18

the most appropriate treatment for the
8:18 - 8:20

risks that you have identified
8:20 - 8:22

there are four possible treatments to
8:22 - 8:26

choose from these are accept reduce
8:26 - 8:26

transfer
8:26 - 8:28

and avoid
8:28 - 8:30

you may come across different terms used
8:30 - 8:32

for these such as tolerate treat
8:32 - 8:34

transfer and terminate this example is
8:34 - 8:37

known as the forties however they take
8:37 - 8:40

the same approach
8:40 - 8:44

iso 27001 risk treatment methodology
8:44 - 8:47

accept or tolerate
8:47 - 8:48

one of the four treatments provides you
8:48 - 8:51

with the ability to accept risk
8:51 - 8:53

we have already seen that this is
8:53 - 8:54

possible as it is likely that you will
8:54 - 8:56

simply accept risks that are below
8:56 - 8:58

appetite
8:58 - 9:00

however you can also make an informed
9:00 - 9:02

decision to accept risks in certain
9:02 - 9:04

circumstances such as where there is a
9:04 - 9:06

legal requirement preventing you from
9:06 - 9:08

taking the desired action or you have
9:08 - 9:11

insufficient resources to do so
9:11 - 9:13

these cases should be few and far
9:13 - 9:14

between though and should always be
9:14 - 9:17

approved by appropriate management and
9:17 - 9:20

regularly reviewed
9:20 - 9:23

iso 27001 risk treatment methodology
9:23 - 9:26

reduce or treat
9:26 - 9:28

the second treatment option is to reduce
9:28 - 9:29

or treat the risk
9:29 - 9:31

this is done through the implementation
9:31 - 9:33

of controls
9:33 - 9:36

iso 27001 provides you with a list of
9:36 - 9:39

114 best practice controls that can be
9:39 - 9:40

used to mitigate the risks that you have
9:40 - 9:42

identified
9:42 - 9:44

these can be used in combination in
9:44 - 9:46

order to increase their effectiveness
9:46 - 9:48

and of course you can also add controls
9:48 - 9:50

of your own that do not appear in iso
9:50 - 9:53

27001
9:53 - 9:57

iso 27001 risk treatment methodology
9:57 - 9:58

transfer
9:58 - 10:00

the third risk treatment option is to
10:00 - 10:02

transfer the risk
10:02 - 10:04

the transfer option involves the use of
10:04 - 10:06

third parties to help you mitigate your
10:06 - 10:07

risks
10:07 - 10:09

you could do this for example by
10:09 - 10:11

offloading some of the financial impact
10:11 - 10:13

of something going wrong by taking out
10:13 - 10:15

an insurance policy
10:15 - 10:17

another way of doing this is to
10:17 - 10:18

outsource the responsibility for
10:18 - 10:20

implementing and operating technical
10:20 - 10:23

controls to a third party such as an i.t
10:23 - 10:25

managed service provider
10:25 - 10:26

it is important to note here that
10:26 - 10:28

although responsibility for financial
10:28 - 10:31

impact or the management of operational
10:31 - 10:33

controls can be transferred to a third
10:33 - 10:36

party the accountability associated with
10:36 - 10:38

the risk cannot
10:38 - 10:40

in other words you will still be held
10:40 - 10:42

accountable by your stakeholders if
10:42 - 10:45

something goes wrong
10:45 - 10:49

iso 27001 risk treatment methodology
10:49 - 10:52

avoid or terminate
10:52 - 10:53

the fourth risk treatment option is to
10:53 - 10:55

simply avoid the risk
10:55 - 10:57

as we have discussed before there are
10:57 - 11:00

three component parts to risk the impact
11:00 - 11:02

felt by the organization following a
11:02 - 11:04

breach of confidentiality integrity or
11:04 - 11:07

availability for an information asset
11:07 - 11:10

a threat that could cause this impact
11:10 - 11:12

and a vulnerability that would allow it
11:12 - 11:13

to do so
11:13 - 11:16

it is possible to avoid risk completely
11:16 - 11:18

by eliminating one or more of these
11:18 - 11:20

three elements
11:20 - 11:22

however it is unlikely that we would be
11:22 - 11:24

able to completely remove all threats or
11:24 - 11:27

all vulnerabilities which leaves us only
11:27 - 11:29

with one viable option which is to
11:29 - 11:32

remove the impact
11:32 - 11:34

this is done by removing the asset or
11:34 - 11:36

stopping the processes that are
11:36 - 11:39

associated with the identified risk
11:39 - 11:40

for example to avoid the risks
11:40 - 11:42

associated with the taking of credit
11:42 - 11:44

card payments
11:44 - 11:46

remove that process and only deal in
11:46 - 11:47

cash
11:47 - 11:49

there are obvious issues associated with
11:49 - 11:52

taking this approach as it is unlikely
11:52 - 11:54

to be looked upon to favorably by your
11:54 - 11:57

stakeholders especially if the process
11:57 - 11:59

is revenue generating
11:59 - 12:01

this is the reason why this particular
12:01 - 12:03

risk treatment methodology is really
12:03 - 12:05

used
12:05 - 12:09

iso 27001 risk treatment methodology
12:09 - 12:12

controls the most common option chosen
12:12 - 12:15

to treat risks other than maybe accept
12:15 - 12:18

in more mature isms's is to reduce the
12:18 - 12:19

risk
12:19 - 12:22

this is done by implementing controls or
12:22 - 12:24

improving existing ones to address the
12:24 - 12:25

risk
12:25 - 12:27

there are three main operational types
12:27 - 12:29

of control administrative or
12:29 - 12:31

people-based controls
12:31 - 12:33

technical or logical controls and
12:33 - 12:36

physical or environmental controls
12:36 - 12:38

within these three operational types
12:38 - 12:40

there are several different tactical
12:40 - 12:43

uses of controls such as those that are
12:43 - 12:44

designed to prevent a threat from
12:44 - 12:46

materializing
12:46 - 12:48

those that are designed to deter people
12:48 - 12:51

from carrying out an undesired action
12:51 - 12:53

those that detect if a threat has
12:53 - 12:55

materialized or those that enable you to
12:55 - 12:57

recover from a situation after the
12:57 - 12:59

threat has been dealt with
12:59 - 13:01

and there are several others
13:01 - 13:03

operational types and tactical uses of
13:03 - 13:06

controls are not mutually exclusive and
13:06 - 13:09

can and should be used where possible in
13:09 - 13:11

combination to provide a greater depth
13:11 - 13:13

of security
13:13 - 13:17

iso 27001 risk management monitor and
13:17 - 13:18

review
13:18 - 13:20

it is important to ensure that any
13:20 - 13:22

actions you take to address the risks
13:22 - 13:24

you have identified are monitored and
13:24 - 13:26

reviewed to ensure that they have the
13:26 - 13:27

desired effect
13:27 - 13:30

part of the monitor and review process
13:30 - 13:32

should also include a review of context
13:32 - 13:33

before the risk assessment is
13:33 - 13:35

re-performed
13:35 - 13:37

this will allow you to identify and take
13:37 - 13:39

into consideration any changes that may
13:39 - 13:41

have happened either internally within
13:41 - 13:44

your organization or externally such as
13:44 - 13:46

changes in legislation or changes to the
13:46 - 13:49

threat environment thus you are able to
13:49 - 13:51

identify if risks that have previously
13:51 - 13:53

been identified are getting worse or
13:53 - 13:56

hopefully better and you will also be
13:56 - 13:59

able to identify any new risks
13:59 - 14:02

iso 27001 risk assessment frequency
14:02 - 14:04

risk management and therefore risk
14:04 - 14:07

assessment is an iterative process
14:07 - 14:09

and each iteration should take into
14:09 - 14:11

consideration lessons learned from the
14:11 - 14:13

previous iteration and should take into
14:13 - 14:16

consideration any internal or external
14:16 - 14:18

changes thus enabling continual
14:18 - 14:19

improvement
14:19 - 14:21

there is no hard and fast rule on the
14:21 - 14:24

frequency of risk assessment but urm
14:24 - 14:26

recommends that the frequency is no less
14:26 - 14:27

than annual
14:27 - 14:29

this does not necessarily mean that you
14:29 - 14:31

should set aside a certain amount of
14:31 - 14:33

time at a certain point in the year to
14:33 - 14:35

conduct a risk assessment although of
14:35 - 14:38

course you can do this if you wish
14:38 - 14:40

it just means that each time 12 months
14:40 - 14:42

has elapsed you should aim to have
14:42 - 14:44

completed the next iteration
14:44 - 14:47

so you could spread the workload over
14:47 - 14:49

the 12-month period by performing
14:49 - 14:51

smaller risk assessments on a subset of
14:51 - 14:54

areas at more frequent intervals if this
14:54 - 14:56

is more manageable
14:56 - 14:59

iso 27001 risk management
14:59 - 15:01

governance
15:01 - 15:03

throughout the risk management process
15:03 - 15:05

you need to ensure that you communicate
15:05 - 15:08

effectively with any interested parties
15:08 - 15:10

it may be useful to put together a racy
15:10 - 15:13

raci to help you with this as all the
15:13 - 15:15

way through the process different people
15:15 - 15:18

will need to be held responsible some
15:18 - 15:20

will need to be held accountable some
15:20 - 15:22

will need to be consulted in order to
15:22 - 15:23

identify all of the pertinent
15:23 - 15:26

information we need to perform an
15:26 - 15:28

effective risk assessment and some
15:28 - 15:30

people for example the management team
15:30 - 15:32

will need to be informed through
15:32 - 15:36

effective reporting of your risk status
15:36 - 15:39

iso 27001 risk management policy and
15:39 - 15:41

process
15:41 - 15:43

as with all key processes associated
15:43 - 15:46

with an effective isms it is a good idea
15:46 - 15:48

to implement a risk management policy
15:48 - 15:50

this enables you to set the risk
15:50 - 15:53

management and risk assessment criteria
15:53 - 15:55

appetite and roles and responsibilities
15:55 - 15:57

out within a document that everyone is
15:57 - 15:59

required to implement throughout the
15:59 - 16:01

business
16:01 - 16:02

this should of course be underpinned by
16:02 - 16:05

the risk management methodology and any
16:05 - 16:08

required documented processes to enable
16:08 - 16:09

risk management to be embedded
16:09 - 16:12

throughout the organization
16:12 - 16:15

so how can urm help
16:15 - 16:17

urm can offer a range of information
16:17 - 16:20

risk management consultancy and training
16:20 - 16:23

services most notably our accredited
16:23 - 16:25

five-day practitioner certificate in
16:25 - 16:27

information risk management training
16:27 - 16:28

course
16:28 - 16:30

in addition urm has also developed an
16:30 - 16:32

information risk management module a
16:32 - 16:36

brisker 27001 especially to meet the
16:36 - 16:38

risk assessment requirements of iso
16:38 - 16:40

27001
16:40 - 16:43

for more information email us or give us
16:43 - 16:46

a call

Title:: ISO 27001 Risk Assessment: The Ultimate Guide
Description:: more » « less
Video Language:: English
Duration:: 16:50

	OEVIDEOS edited English subtitles for ISO 27001 Risk Assessment: The Ultimate Guide
	OEVIDEOS edited English subtitles for ISO 27001 Risk Assessment: The Ultimate Guide
	OEVIDEOS edited English subtitles for ISO 27001 Risk Assessment: The Ultimate Guide
	OEVIDEOS edited English subtitles for ISO 27001 Risk Assessment: The Ultimate Guide
	OEVIDEOS edited English subtitles for ISO 27001 Risk Assessment: The Ultimate Guide
	OEVIDEOS edited English subtitles for ISO 27001 Risk Assessment: The Ultimate Guide
	OEVIDEOS edited English subtitles for ISO 27001 Risk Assessment: The Ultimate Guide
	OEVIDEOS edited English subtitles for ISO 27001 Risk Assessment: The Ultimate Guide

Show all

English subtitles

Revisions Compare revisions

Revision 9 Edited

OEVIDEOS
Revision 8 Edited

OEVIDEOS
Revision 7 Edited

OEVIDEOS
Revision 6 Edited

OEVIDEOS
Revision 5 Edited

OEVIDEOS
Revision 4 Edited

OEVIDEOS
Revision 3 Edited

OEVIDEOS
Revision 2 Edited

OEVIDEOS
Revision 1 Uploaded

OEVIDEOS

	Revision Number	Author	Created
	9	OEVIDEOS
	8	OEVIDEOS
	7	OEVIDEOS
	6	OEVIDEOS
	5	OEVIDEOS
	4	OEVIDEOS
	3	OEVIDEOS
	2	OEVIDEOS
	1	OEVIDEOS

ISO 27001 Risk Assessment: The Ultimate Guide

Revisions Compare revisions

Our website uses cookies

Operating cookies (Required)