ISO 27001 Risk Assessment: The Ultimate Guide

Rollback to version 8

0:05 - 0:08

[Music]
0:08 - 0:11

What is information security risk?
0:11 - 0:13

Information security risk is simply a
0:13 - 0:15

combination of the impact that could
0:15 - 0:17

result from a threat compromising one of
0:17 - 0:20

your important information assets and
0:20 - 0:22

the likelihood of this happening.
0:22 - 0:26

Risk Management In ISO 27001
0:26 - 0:29

ISO 27001 requires that you implement a
0:29 - 0:31

management system to help you manage the
0:31 - 0:33

security of your important information
0:33 - 0:34

assets.
0:34 - 0:36

The backbone of this is formed from the
0:36 - 0:38

need to develop and implement an
0:38 - 0:41

appropriate and effective information
0:41 - 0:45

security risk management methodology.
0:45 - 0:48

ISO 27001 Risk Management
0:48 - 0:50

You should develop and implement a risk
0:50 - 0:52

management methodology which allows you
0:52 - 0:54

to identify your important information
0:54 - 0:57

assets and to determine why they need
0:57 - 0:59

protecting.
0:59 - 1:01

It is important to note here that when
1:01 - 1:03

information security is mentioned, people
1:03 - 1:05

immediately start thinking about
1:05 - 1:07

confidentiality aspects, but the
1:07 - 1:10

availability and integrity aspects also
1:10 - 1:13

need to be taken into consideration
1:13 - 1:15

as these are important components of
1:15 - 1:17

information security.
1:17 - 1:19

Once this has been achieved, your
1:19 - 1:21

methodology needs to be able to identify
1:21 - 1:24

the likelihood of something going wrong
1:24 - 1:26

and what can be done to mitigate this
1:26 - 1:27

risk.
1:27 - 1:30

In a nutshell, it enables you to quantify
1:30 - 1:32

the impact and the likelihood elements
1:32 - 1:35

of information security risk and then go
1:35 - 1:38

on to do something about it.
1:38 - 1:43

ISO 27001 Risk Management Framework
1:43 - 1:45

There are several discrete stages of an
1:45 - 1:49

ISO 27001 risk management methodology.
1:49 - 1:50

First of all, it is important to
1:50 - 1:52

understand the information security
1:52 - 1:55

context of your organization.
1:55 - 1:57

Once this has been achieved, you can
1:57 - 1:59

perform a risk assessment which includes
1:59 - 2:02

the need to identify your risks,
2:02 - 2:05

analyze them, and evaluate them.
2:05 - 2:07

You then need to determine a suitable
2:07 - 2:08

treatment for the risks you have
2:08 - 2:11

assessed and then implement that
2:11 - 2:12

treatment.
2:12 - 2:14

It is vitally important that you do not
2:14 - 2:17

see this as a one-off exercise.
2:17 - 2:19

Your risk management methodology should
2:19 - 2:21

be designed to be iterative.
2:21 - 2:23

This enables you to not only review the
2:23 - 2:25

status of risks you have previously
2:25 - 2:28

identified, taking into consideration any
2:28 - 2:31

potential changes in context, but it also
2:31 - 2:34

enables you to identify new risks.
2:34 - 2:36

The high level stages of a risk
2:36 - 2:38

management methodology, as described
2:38 - 2:40

above, should be thought of as a
2:40 - 2:43

framework that enables risk management
2:43 - 2:45

to be embedded within key processes
2:45 - 2:47

throughout your organization
2:47 - 2:49

so that any identified risks are
2:49 - 2:51

comparable.
2:51 - 2:54

ISO 27001 Risk Management Context
2:54 - 2:56

The first stage of your risk management
2:56 - 2:59

methodology needs to identify what is
2:59 - 3:01

important to you or your organization
3:01 - 3:03

from an information security point of
3:03 - 3:04

view.
3:04 - 3:07

ISO 27001 requires you to determine the
3:07 - 3:09

context of your organization.
3:09 - 3:11

Part of which means that you need to be
3:11 - 3:13

able to identify the information
3:13 - 3:15

security related issues that you face
3:15 - 3:18

along with who the internal and external
3:18 - 3:20

interested parties are and what their
3:20 - 3:23

needs and expectations are.
3:23 - 3:25

It is important to also understand what
3:25 - 3:27

your risk appetite is at this stage as
3:27 - 3:30

we will need this information later.
3:30 - 3:32

Once you have done this, you are able to
3:32 - 3:34

determine what is important about the
3:34 - 3:36

different information assets under your
3:36 - 3:38

control.
3:38 - 3:41

ISO 27001 Risk Management What Is Risk
3:41 - 3:44

Appetite?
3:44 - 3:46

Risk appetite is simply the amount and
3:46 - 3:48

type of risk you are willing to accept
3:48 - 3:50

or retain
3:50 - 3:52

in order to allow business operations to
3:52 - 3:53

proceed.
3:53 - 3:55

This is important because too much
3:55 - 3:57

security can sometimes compromise your
3:57 - 4:01

operational viability, whereas too little
4:01 - 4:02

will reduce the confidence of your
4:02 - 4:04

stakeholders.
4:04 - 4:06

Some types of organizations are willing
4:06 - 4:09

to accept more risk than others.
4:09 - 4:11

For example, a hedge fund manager is
4:11 - 4:13

likely to take more risk in order to
4:13 - 4:15

make greater profits over a short space
4:15 - 4:18

of time, whereas a pension fund manager
4:18 - 4:21

generally prefers a less risky, steady
4:21 - 4:23

growth approach.
4:23 - 4:27

ISO 27001 Risk Assessment Methodology
4:27 - 4:29

Risk Identification
4:29 - 4:31

Once you have determined the context, you
4:31 - 4:33

can go ahead and conduct a risk
4:33 - 4:34

assessment.
4:34 - 4:36

The first part of a risk assessment is
4:36 - 4:39

to identify the risks that you face.
4:39 - 4:40

This can be broken down into three
4:40 - 4:43

elements. The first element is to
4:43 - 4:45

identify your information assets. An
4:45 - 4:47

information asset is any information
4:47 - 4:49

that has value to you.
4:49 - 4:51

There are several different ways to
4:51 - 4:53

calculate the value of an asset but it
4:53 - 4:55

is important that you not only consider
4:55 - 4:57

the confidentiality needs of the
4:57 - 5:00

information, but also the integrity and
5:00 - 5:02

availability requirements.
5:02 - 5:04

The second element of risk
5:04 - 5:06

identification is threat analysis. You
5:06 - 5:08

need to have a process which enables you
5:08 - 5:10

to identify all of the threats which are
5:10 - 5:12

applicable to the assets you have
5:12 - 5:14

identified.
5:14 - 5:16

If a particular threat is applicable
5:16 - 5:18

then it is also a good idea to think
5:18 - 5:20

about how probable it is that the threat
5:20 - 5:22

will materialize.
5:22 - 5:24

For example, if you use Windows based
5:24 - 5:25

computer systems which are connected
5:25 - 5:28

somehow to the internet, the probability
5:28 - 5:30

of them being affected by a virus is
5:30 - 5:32

probably very high if you do nothing to
5:32 - 5:33

stop it.
5:33 - 5:35

Whereas if you are using an apple mac
5:35 - 5:38

which is never connected to the internet,
5:38 - 5:40

the probability is very low.
5:40 - 5:43

The third element of risk identification
5:43 - 5:44

is the need to determine if there are
5:44 - 5:46

any vulnerabilities that would allow a
5:46 - 5:48

threat that you have identified to cause
5:48 - 5:51

an impact on your asset.
5:51 - 5:52

To carry on with the example we have
5:52 - 5:55

just used, if you have an antivirus
5:55 - 5:58

system installed and running on your
5:58 - 6:00

Internet-connected windows computers, you
6:00 - 6:02

are less vulnerable to this particular
6:02 - 6:05

threat than if you didn't.
6:05 - 6:09

ISO 27001 Risk Assessment Methodology
6:09 - 6:11

Risk Analysis
6:11 - 6:13

One of the useful aspects of the output
6:13 - 6:15

from an effective risk assessment is the
6:15 - 6:19

ability to prioritize your risks. This is
6:19 - 6:21

important as you may not have sufficient
6:21 - 6:23

resources to fully mitigate every risk
6:23 - 6:25

that you identify.
6:25 - 6:26

This means that it is important to
6:26 - 6:29

somehow quantify your risks.
6:29 - 6:32

To do this, we need to know two things.
6:32 - 6:34

First, how much of an impact would be
6:34 - 6:36

felt if a compromise occurred? And second,
6:36 - 6:38

what is the likelihood of that threat
6:38 - 6:40

occurring?
6:40 - 6:42

One good idea is to use a set of scales
6:42 - 6:45

to record values in these areas.
6:45 - 6:48

For example, using a scale of one to five,
6:48 - 6:50

we could say how impactful it would be
6:50 - 6:52

if the confidentiality of an asset were
6:52 - 6:53

breached.
6:53 - 6:55

Clearly breaches of confidentiality
6:55 - 6:57

would cause a greater impact for some
6:57 - 7:00

assets, for example, hr records, than
7:00 - 7:04

others like the staff canteen menu.
7:04 - 7:06

A second one to five scale could be used
7:06 - 7:08

to determine the likelihood of a breach
7:08 - 7:10

occurring and we would take into
7:10 - 7:11

consideration the threat and
7:11 - 7:13

vulnerability information we spoke about
7:13 - 7:16

earlier in order to do this.
7:16 - 7:20

ISO 27001 Risk Assessment Methodology
7:20 - 7:22

Risk Evaluation
7:22 - 7:24

Risk evaluation is a relatively simple
7:24 - 7:27

process as it requires you to identify
7:27 - 7:28

whether or not the risk that you have
7:28 - 7:32

identified is above or below appetite.
7:32 - 7:34

To do this, the first thing we need to do
7:34 - 7:36

is calculate the value of the risk which
7:36 - 7:38

simply means multiplying the impact and
7:38 - 7:41

likelihood values together.
7:41 - 7:43

We have a range of possible values which
7:43 - 7:45

result from multiplying the two one to
7:45 - 7:48

five scales together.
7:48 - 7:50

The appetite is stated within the
7:50 - 7:52

methodology as a particular value on the
7:52 - 7:54

five by five matrix.
7:54 - 7:56

If a particular risk is above this value,
7:56 - 7:58

then it is above appetite which means
7:58 - 8:00

that it can then be flagged for
8:00 - 8:01

treatment.
8:01 - 8:04

Anything below appetite can be accepted
8:04 - 8:07

and monitored for change.
8:07 - 8:12

ISO 27001 Risk Treatment Methodology
8:12 - 8:14

Your risk management methodology needs
8:14 - 8:16

to include a methodology for determining
8:16 - 8:18

the most appropriate treatment for the
8:18 - 8:20

risks that you have identified.
8:20 - 8:22

There are four possible treatments to
8:22 - 8:26

choose from. These are accept, reduce,
8:26 - 8:26

transfer,
8:26 - 8:28

and avoid.
8:28 - 8:30

You may come across different terms used
8:30 - 8:32

for these such as tolerate, treat,
8:32 - 8:34

transfer, and terminate. This example is
8:34 - 8:37

known as the 4Ts', however they take
8:37 - 8:40

the same approach.
8:40 - 8:44

ISO 27001 Risk Treatment Methodology
8:44 - 8:47

Accept or Tolerate
8:47 - 8:48

One of the four treatments provides you
8:48 - 8:51

with the ability to accept risk.
8:51 - 8:53

We have already seen that this is
8:53 - 8:54

possible as it is likely that you will
8:54 - 8:56

simply accept risks that are below
8:56 - 8:58

appetite.
8:58 - 9:00

However, you can also make an informed
9:00 - 9:02

decision to accept risks in certain
9:02 - 9:04

circumstances, such as where there is a
9:04 - 9:06

legal requirement preventing you from
9:06 - 9:08

taking the desired action or you have
9:08 - 9:11

insufficient resources to do so.
9:11 - 9:13

These cases should be few and far
9:13 - 9:14

between though and should always be
9:14 - 9:17

approved by appropriate management and
9:17 - 9:20

regularly reviewed.
9:20 - 9:23

ISO 27001 Risk Treatment Methodology
9:23 - 9:26

Reduce or Treat
9:26 - 9:28

The second treatment option is to reduce
9:28 - 9:29

or treat the risk.
9:29 - 9:31

This is done through the implementation
9:31 - 9:33

of controls.
9:33 - 9:36

ISO 27001 provides you with a list of
9:36 - 9:39

114 best practice controls that can be
9:39 - 9:40

used to mitigate the risks that you have
9:40 - 9:42

identified.
9:42 - 9:44

These can be used in combination in
9:44 - 9:46

order to increase their effectiveness
9:46 - 9:48

and of course you can also add controls
9:48 - 9:50

of your own that do not appear in ISO
9:50 - 9:53

27001.
9:53 - 9:57

ISO 27001 Risk Treatment Methodology
9:57 - 9:58

Transfer
9:58 - 10:00

The third risk treatment option is to
10:00 - 10:02

transfer the risk.
10:02 - 10:04

The transfer option involves the use of
10:04 - 10:06

third parties to help you mitigate your
10:06 - 10:07

risks.
10:07 - 10:09

You could do this, for example, by
10:09 - 10:11

offloading some of the financial impact
10:11 - 10:13

of something going wrong by taking out
10:13 - 10:15

an insurance policy.
10:15 - 10:17

Another way of doing this is to
10:17 - 10:18

outsource the responsibility for
10:18 - 10:20

implementing and operating technical
10:20 - 10:23

controls to a third party such as an IT
10:23 - 10:25

managed service provider.
10:25 - 10:26

It is important to note here that
10:26 - 10:28

although responsibility for financial
10:28 - 10:31

impact or the management of operational
10:31 - 10:33

controls can be transferred to a third
10:33 - 10:36

party, the accountability associated with
10:36 - 10:38

the risk cannot.
10:38 - 10:40

In other words you will still be held
10:40 - 10:42

accountable by your stakeholders if
10:42 - 10:45

something goes wrong.
10:45 - 10:49

ISO 27001 Risk Treatment Methodology
10:49 - 10:52

Avoid or Terminate
10:52 - 10:53

The fourth risk treatment option is to
10:53 - 10:55

simply avoid the risk.
10:55 - 10:57

As we have discussed before, there are
10:57 - 11:00

three component parts to risk. The impact
11:00 - 11:02

felt by the organization following a
11:02 - 11:04

breach of confidentiality, integrity, or
11:04 - 11:07

availability for an information asset.
11:07 - 11:10

A threat that could cause this impact
11:10 - 11:12

and a vulnerability that would allow it
11:12 - 11:13

to do so.
11:13 - 11:16

It is possible to avoid risk completely
11:16 - 11:18

by eliminating one or more of these
11:18 - 11:20

three elements.
11:20 - 11:22

However, it is unlikely that we would be
11:22 - 11:24

able to completely remove all threats or
11:24 - 11:27

all vulnerabilities which leaves us only
11:27 - 11:29

with one viable option, which is to
11:29 - 11:32

remove the impact.
11:32 - 11:34

This is done by removing the asset or
11:34 - 11:36

stopping the processes that are
11:36 - 11:39

associated with the identified risk.
11:39 - 11:40

For example, to avoid the risks
11:40 - 11:42

associated with the taking of credit
11:42 - 11:44

card payments,
11:44 - 11:46

remove that process and only deal in
11:46 - 11:47

cash.
11:47 - 11:49

There are obvious issues associated with
11:49 - 11:52

taking this approach, as it is unlikely
11:52 - 11:54

to be looked upon to favorably by your
11:54 - 11:57

stakeholders, especially if the process
11:57 - 11:59

is revenue generating.
11:59 - 12:01

This is the reason why this particular
12:01 - 12:03

risk treatment methodology is rarely
12:03 - 12:05

used.
12:05 - 12:09

ISO 27001 Risk Treatment Methodology
12:09 - 12:10

Controls
12:10 - 12:12

The most common option chosen
12:12 - 12:15

to treat risks, other than maybe 'accept'
12:15 - 12:18

in more mature ISMS's, is to reduce the
12:18 - 12:19

risk.
12:19 - 12:22

This is done by implementing controls or
12:22 - 12:24

improving existing ones to address the
12:24 - 12:25

risk.
12:25 - 12:27

There are three main operational types
12:27 - 12:29

of control: Administrative or
12:29 - 12:31

people-based controls,
12:31 - 12:33

technical or logical controls, and
12:33 - 12:36

physical or environmental controls.
12:36 - 12:38

Within these three operational types
12:38 - 12:40

there are several different tactical
12:40 - 12:43

uses of controls, such as those that are
12:43 - 12:44

designed to prevent a threat from
12:44 - 12:46

materializing,
12:46 - 12:48

those that are designed to deter people
12:48 - 12:51

from carrying out an undesired action,
12:51 - 12:53

those that detect if a threat has
12:53 - 12:55

materialized, or those that enable you to
12:55 - 12:57

recover from a situation after the
12:57 - 12:59

threat has been dealt with,
12:59 - 13:01

and there are several others.
13:01 - 13:03

Operational types and tactical uses of
13:03 - 13:06

controls are not mutually exclusive and
13:06 - 13:09

can and should be used where possible in
13:09 - 13:11

combination to provide a greater depth
13:11 - 13:13

of security.
13:13 - 13:17

ISO 27001 Risk Management Monitor And
13:17 - 13:18

Review
13:18 - 13:20

It is important to ensure that any
13:20 - 13:22

actions you take to address the risks
13:22 - 13:24

you have identified are monitored and
13:24 - 13:26

reviewed to ensure that they have the
13:26 - 13:27

desired effect.
13:27 - 13:30

Part of the monitor and review process
13:30 - 13:32

should also include a review of context
13:32 - 13:33

before the risk assessment is
13:33 - 13:35

reperformed.
13:35 - 13:38

This will allow you to identify and take
13:38 - 13:39

into consideration any changes that may
13:39 - 13:41

have happened, either internally within
13:41 - 13:44

your organization or externally such as
13:44 - 13:46

changes in legislation or changes to the
13:46 - 13:49

threat environment. Thus, you are able to
13:49 - 13:51

identify if risks that have previously
13:51 - 13:53

been identified are getting worse or
13:53 - 13:56

hopefully better. And you will also be
13:56 - 13:59

able to identify any new risks.
13:59 - 14:02

ISO 27001 Risk Assessment Frequency
14:02 - 14:04

Risk management and therefore risk
14:04 - 14:07

assessment is an iterative process
14:07 - 14:09

and each iteration should take into
14:09 - 14:11

consideration lessons learned from the
14:11 - 14:13

previous iteration and should take into
14:13 - 14:16

consideration any internal or external
14:16 - 14:18

changes thus enabling continual
14:18 - 14:19

improvement.
14:19 - 14:21

There is no hard and fast rule on the
14:21 - 14:24

frequency of risk assessment but URM
14:24 - 14:26

recommends that the frequency is no less
14:26 - 14:27

than annual.
14:27 - 14:29

This does not necessarily mean that you
14:29 - 14:31

should set aside a certain amount of
14:31 - 14:33

time at a certain point in the year to
14:33 - 14:35

conduct a risk assessment, although of
14:35 - 14:38

course you can do this if you wish.
14:38 - 14:40

It just means that each time 12 months
14:40 - 14:42

has elapsed, you should aim to have
14:42 - 14:44

completed the next iteration.
14:44 - 14:47

So you could spread the workload over
14:47 - 14:49

the 12-month period by performing
14:49 - 14:51

smaller risk assessments on a subset of
14:51 - 14:54

areas at more frequent intervals if this
14:54 - 14:56

is more manageable.
14:56 - 14:59

ISO 27001 Risk Management
14:59 - 15:01

Governance
15:01 - 15:03

Throughout the risk management process,
15:03 - 15:05

you need to ensure that you communicate
15:05 - 15:08

effectively with any interested parties.
15:08 - 15:10

It may be useful to put together a RACI.
15:10 - 15:13

(RACI) to help you with this. As all the
15:13 - 15:15

way through the process different people
15:15 - 15:18

will need to be held responsible, some
15:18 - 15:20

will need to be held accountable, some
15:20 - 15:22

will need to be consulted in order to
15:22 - 15:23

identify all of the pertinent
15:23 - 15:26

information we need to perform an
15:26 - 15:28

effective risk assessment, and some
15:28 - 15:30

people, for example, the management team
15:30 - 15:32

will need to be informed through
15:32 - 15:36

effective reporting of your risk status.
15:36 - 15:39

ISO 27001 Risk Management Policy and
15:39 - 15:41

Process
15:41 - 15:43

As with all key processes associated
15:43 - 15:46

with an effective ISMS, it is a good idea
15:46 - 15:48

to implement a risk management policy.
15:48 - 15:50

This enables you to set the risk
15:50 - 15:53

management and risk assessment criteria,
15:53 - 15:55

appetite, and roles and responsibilities
15:55 - 15:57

out within a document that everyone is
15:57 - 15:59

required to implement throughout the
15:59 - 16:01

business.
16:01 - 16:02

This should of course be underpinned by
16:02 - 16:05

the risk management methodology and any
16:05 - 16:08

required documented processes to enable
16:08 - 16:09

risk management to be embedded
16:09 - 16:12

throughout the organization.
16:12 - 16:15

So how can URM help?
16:15 - 16:17

URM can offer a range of information
16:17 - 16:20

risk management consultancy and training
16:20 - 16:23

services. Most notably, our accredited
16:23 - 16:25

five-day practitioner certificate in
16:25 - 16:27

information risk management training
16:27 - 16:28

course.
16:28 - 16:30

In addition, URM has also developed an
16:30 - 16:32

information risk management module,
16:32 - 16:36

Abriska 27001, specially to meet the
16:36 - 16:38

risk assessment requirements of ISO
16:38 - 16:40

27001
16:40 - 16:43

For more information email us or give us
16:43 - 16:46

a call.

Title:: ISO 27001 Risk Assessment: The Ultimate Guide
Description:: more » « less
Video Language:: English
Duration:: 16:50

	OEVIDEOS edited English subtitles for ISO 27001 Risk Assessment: The Ultimate Guide
	OEVIDEOS edited English subtitles for ISO 27001 Risk Assessment: The Ultimate Guide
	OEVIDEOS edited English subtitles for ISO 27001 Risk Assessment: The Ultimate Guide
	OEVIDEOS edited English subtitles for ISO 27001 Risk Assessment: The Ultimate Guide
	OEVIDEOS edited English subtitles for ISO 27001 Risk Assessment: The Ultimate Guide
	OEVIDEOS edited English subtitles for ISO 27001 Risk Assessment: The Ultimate Guide
	OEVIDEOS edited English subtitles for ISO 27001 Risk Assessment: The Ultimate Guide
	OEVIDEOS edited English subtitles for ISO 27001 Risk Assessment: The Ultimate Guide

Show all

English subtitles

Revisions Compare revisions

Revision 9 Edited

OEVIDEOS
Revision 8 Edited

OEVIDEOS
Revision 7 Edited

OEVIDEOS
Revision 6 Edited

OEVIDEOS
Revision 5 Edited

OEVIDEOS
Revision 4 Edited

OEVIDEOS
Revision 3 Edited

OEVIDEOS
Revision 2 Edited

OEVIDEOS
Revision 1 Uploaded

OEVIDEOS

	Revision Number	Author	Created
	9	OEVIDEOS
	8	OEVIDEOS
	7	OEVIDEOS
	6	OEVIDEOS
	5	OEVIDEOS
	4	OEVIDEOS
	3	OEVIDEOS
	2	OEVIDEOS
	1	OEVIDEOS

ISO 27001 Risk Assessment: The Ultimate Guide

Revisions Compare revisions

Our website uses cookies

Operating cookies (Required)