ISO 27001 Risk Assessment: 10 Step Guide to an Effective AssessmentConducting an effective ISO 27001 risk assessment is fundamental to achieving compliance. Here's how to do it.
by Rick Stevenson
As your organization grows and adds new technologies, your IT risks evolve. Malicious actors increasingly use supply chain attacks to cause as much damage and disruption as possible. In response, legislative bodies and regulatory agencies implement more rigorous compliance requirements. Meanwhile, customers often require companies to prove that they understand their risk and have mitigating controls in place.
Many compliance mandates integrate the controls and processes defined within the International Organization for Standardization (ISO) 27000-series. In particular, ISO 27001 describes best practices for building an information security management system (ISMS).
As you start your ISO certification journey, you need to understand how to conduct an ISO 27001 Risk Assessment because it’s the foundation for everything else.
What is an ISO 27001 Risk Assessment?
Clause 6.1.2 of ISO 27001 outlines the requirements for an information security risk assessment, requiring that organizations:
Establish and maintain information security risk criteria.
Implement repeatable processes that produce consistent, valid, and comparable results.
Identify information security risks.
Analyze information security risks.
Evaluate information security risks.
The ISO 27001 risk assessment guides every other activity that the organization takes to protect sensitive data.
What Does ISO 27001 Require?
Embedded within ISO 27001’s general risk assessment requirements, the standard also includes several actions to take and documents to collect. It’s important to remember that a risk assessment requirement, like ISO’s, is intended to provide a flexible framework rather than a prescriptive set of steps.
When you dig into the risk assessment clause a little further, you start to get a better sense of what ISO expects from you. Some key requirements include:
Defining the risk acceptance criteria in the policy.
Defining the assessment criteria in the policy.
Identifying information confidentiality, integrity, and availability risks.
Identifying risk owners.
Assessing the potential consequences if the identified risks materialize.
Realistically assessing the likelihood that the risks will occur.
Determining risk level.
Comparing risk analysis with risk criteria.
Prioritizing risk treatment.
As part of the planning process, your risk assessment provides the map that helps you outline everything from how you design your architecture to how you measure your security program’s effectiveness.
Since everything about compliance and audit relies on documentation, your risk assessment will generate reports used during the audit.
Risk Assessment Table
The risk assessment table lists the organization’s:
Assets and information resources.
Identified vulnerabilities and threats.
Risk Assessment and Risk Treatment Methodology
This report outlines how you measure risk and incorporates your company’s context. For example, you should consider including:
Legal, regulatory, and compliance requirements.
Information security objectives.
Once you define how you plan to assess risk, you can create consistent processes for how to treat risks. This means knowing what risks you plan to:
Not every risk is equally important, and you might decide to accept something with a low risk of adversely affecting your company because mitigating it is cost-prohibitive. On the other hand, you might choose to mitigate a risk that could negatively impact your company because it provides an equally important benefit and cost-effective mitigations exist.
Statement of Applicability (SoA)
The SoA documents which ISO 27001 Annex A controls you implemented, how you implemented them, and your reasoning for implementing them. In addition, if you chose not to implement controls, you must also document why you felt they weren’t necessary within your unique environment.
For each control, you want to explain which of the following requirements it fulfills:
Results of risk assessment
Risk Treatment Plan
While your risk treatment methodology explains how you make risk tolerance decisions, your risk treatment plan outlines the actions that you plan to take for each identified risk. Basically, the document proves you appropriately applied the methodology in practice.
In many ways, the risk treatment plan is similar to the risk treatment methodology. You’re documenting a list of assets, threats, and risk-based choices. In addition to those, your risk treatment plan will include:
A person responsible for the asset.
The security control(s) that mitigate risk.
The person responsible for implementing and maintaining the control(s).
Deadlines associated with implementing, monitoring, and reviewing control(s).
Resources needed to implement the control(s), including staffing and budgets.
Method of evaluating control implementation.
10 Steps to Conduct an Effective Asset-Based Risk Assessment
Risk assessments involve a lot of people and a lot of moving parts. In the same way that you want repeatable outcomes, you need to put repeatable processes in place.
1. Create a Cross-Functional Team
No one person in your company knows everything about your technology stack or the risks you need to consider. When you build out a team, you want to include stakeholders from across the organization, including:
2. Establish an Asset Inventory
You can’t protect what you don’t know you have. Your asset inventory should include:
Devices, including Internet of Things (IoT) devices, network devices, and mobile devices
You need to create an asset inventory that’s as complete as possible, so you should be monitoring for new assets regularly—especially in cloud environments.
3. Assign Each Asset a Risk Level
For each asset, you want to consider whether it poses a high, medium, or low risk to the organization. This is where you look at your organization’s context, like legal or compliance risks. For example, privacy laws regulate how you need to handle personally identifiable information (PII), so that data poses a high compliance risk.
4. Define Threats and Vulnerabilities
Once you know all your assets, you can outline threats and vulnerabilities for each one.
For technologies, you want to consider things like:
Common vulnerabilities and exposures.
Availability of security updates.
Known attacks targeting them.
You also want to consider administrative and procedural threats and vulnerabilities like:
An employee leaving the organization.
Lack of process documentation.
Employee security awareness.
5. Analyze Risk
When you analyze risk, you consider the likelihood that an event will happen and compare it to the damage it causes. A high-risk asset with a low likelihood of experiencing a risky event might be a moderate risk overall.
6. Document Risk Assessment and Risk Treatment Methodology
Once you have analyzed all your assets, threats, vulnerabilities, and risks, you can write your risk assessment and treatment methodology. This aggregates all the activities you’ve engaged in and allows you to outline your reasons for accepting, refusing, mitigating, or transferring the risks.
7. Choose and Document ISO 27001 Controls
Once you’ve determined which risks you want to mitigate, you start working through the different ISO 27001 Annex A controls listed in ISO 27002. For each asset, you define the threat/vulnerability and document which control(s) apply, including your reasoning for implementing them.
8. Implement and Test Chosen Controls
When it comes to compliance, your actions speak louder than your words. For each control, you need to use either a technology or a process for implementing it. You should be documenting how you implemented the control, who’s responsible for the implementation, and when you completed the implementation.
9. Monitor Controls
Security changes continuously, so you need to make sure that you monitor whether your controls are working as intended. For example, security researchers continue to find new vulnerabilities in operating systems and software. T
o ensure continued control effectiveness, you should run vulnerability scanners and update software or operating systems with security patches. To monitor whether your vulnerability and patch management controls are working, you need a way to make sure that all devices connected to the network are securely configured.
10. Report Program Effectiveness to Leadership
ISO 27001 certification requires oversight from senior management and the board of directors. With everything documented and monitored, you need to give everyone the information that allows them to make informed decisions when risks change.
Your reports should include key performance indicators that show whether controls work as intended to mitigate risk or whether you need to update the risk treatment plan with additional controls.
Automating the Risk Management Process
With so many people and moving parts involved, manually managing the risk assessment process can become overwhelming. As you move toward certification, you need to have a single source of information for audits, but shared spreadsheets may not always be up-to-date.
With Drata, everyone involved in the risk management process can collaborate without worrying about multiple copies of documents or making unauthorized changes. Our library of pre-mapped risks and ability to create custom risks streamlines the identification, assessment, and analysis process.
Our platform automatically populates a custom score and treatment plan that allows you to assign responsible parties and track their activities to prove compliance. As we continuously monitor your security, we also monitor your compliance, providing alerts and suggesting treatment plans so that you can proactively mitigate risks.
To see how Drata can help you achieve ISO 27001 compliance, book a demo today.