Undergoing a major change that directly affects operational procedures can be intimidating for an organization. One such change is the decision to move towards ISO/IEC 27001 certification. The following is a suggested guideline for completing a risk assessment, the initial step to take when pursuing ISO 27001 certification.

1. Get Acquainted with the Standard

As the person responsible for information security within your organization, whether you are the CEO, owner, CTO, or information security officer, your first step should be to obtain copies of ISO/IEC 27001 (the certifiable requirements) and the ISO/IEC 27002 code of practice, and read them. Reading through the standard you will recognize that ISO/IEC 27001 is a management system standard: it specifies how to establish, operate and improve an Information Security Management System, while ISO/IEC 27002 describes best-practice controls to ensure the confidentiality, integrity and availability of your business data.

2. Involve your Team

Initiate the first round of discussions with your employees at all levels, explaining the purpose and motivation behind your decision to pursue ISO 27001 certification. It is important that all departments understand how their work affects compliance. Next, perform information security profiling within your organization.

RM Studio was developed to assist users in the following steps. With ISO/IEC 27001 and 27002 embedded in RM Studio, the risk management process is simplified: asset and threat identification is streamlined, risk assessment calculations are performed for you, and a guide to the implementation of controls is provided. Follow the link below for more information on RM Studio.

3. Define the Scope of your Implementation of ISO/IEC 27001

It is important to determine the scope of your implementation of ISO/IEC 27001 and the Information Security Management System (ISMS). Will the entire company be in scope? Or will the ISMS cover a single department, branch, or even a single process? Everything you identify and assess in the following steps is bounded by this decision, so record it explicitly.

4. Get Started with a Risk Assessment

Define the risk assessment approach. Will you use a quantitative or a qualitative approach? Will you employ the services of a third party? You may want to look at ISO/IEC 27005, the member of the ISO/IEC 27000 series that focuses specifically on information security risk management. Whichever approach you choose, document the scales and acceptance criteria before you start, since the results must be repeatable and comparable from one assessment to the next.

5. Identify your Information Assets

Identify both the tangible and intangible assets within the scope of your ISMS. These assets can be people and buildings and everything in between: data, applications, servers, network links, suppliers and the processes that depend on them. Record an owner for each asset, since the owner will later decide how its risks are treated.

6. Assess the Risk to the Assets

Perform a risk assessment exercise for each asset within the scope of your ISMS. This involves identifying the relevant threats to the asset, the vulnerabilities that would allow each threat to affect the asset, the impact if the threat materializes, and the likelihood of the threat becoming a reality.

7. Design a Risk Management Strategy

The relationship between an asset and a threat to it, through a vulnerability the threat can exploit, is considered a risk. Select controls from Annex A of ISO/IEC 27001 that mitigate the identified risks. Guidelines on the implementation of these controls are in ISO/IEC 27002. You may need to define your own specific controls where Annex A does not cover a risk.

8. Obtain the results of the Risk Assessment required by the standard ISO/IEC 27001

The most important document associated with the risk assessment is the Statement of Applicability (SoA). The Statement of Applicability records the status of the management system: it lists the controls selected within the scope of the assessment, the justification for including each one (which risks it treats) or excluding it, and whether each selected control has been implemented. An auditor will trace every risk above your acceptance threshold to a control in the SoA, so the two documents must agree.
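Steps 5 to 8 describe one procedure: build a register of asset/threat/vulnerability combinations, score each one, decide which risks must be treated, and derive the Statement of Applicability from those decisions. The following is an added example of that procedure in Python. It is not RM Studio code and not the text of the standard; the 5x5 qualitative scales, the acceptance threshold, the control identifiers (CTL-...) and the sample assets are all constructed for illustration, and a real methodology would document its own.

```python
"""Minimal qualitative risk register and Statement of Applicability generator.

Added example, not RM Studio code. The 5x5 scales, the acceptance threshold,
the control identifiers and the sample data are assumptions for illustration.
"""
from dataclasses import dataclass, field

# Qualitative scales assumed for this example. ISO/IEC 27005 allows any
# consistent scale; the organization must define and document its own.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Risks scoring above this value must be treated; at or below it they may be
# accepted by the asset owner. The value is an assumed policy setting.
RISK_ACCEPTANCE_THRESHOLD = 6


@dataclass
class Control:
    """A control from the organization's catalogue (identifiers are illustrative)."""
    control_id: str
    name: str


@dataclass
class Risk:
    """One asset / threat / vulnerability combination, as produced in steps 5 to 7."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    controls: list = field(default_factory=list)  # control_ids selected to treat this risk

    def score(self) -> int:
        """Qualitative risk level: likelihood rating times impact rating."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def treatment(self) -> str:
        return "treat" if self.score() > RISK_ACCEPTANCE_THRESHOLD else "accept"


def assess(risks):
    """Return the risk register as rows sorted by score, highest first."""
    rows = [
        {"asset": r.asset, "threat": r.threat, "vulnerability": r.vulnerability,
         "score": r.score(), "treatment": r.treatment(), "controls": list(r.controls)}
        for r in risks
    ]
    return sorted(rows, key=lambda row: row["score"], reverse=True)


def statement_of_applicability(catalogue, risks):
    """Mark every catalogue control applicable or not, with a justification.

    A control is applicable when at least one risk requiring treatment relies on
    it. Controls referenced by no risk, or only by accepted risks, are recorded
    as not applicable so that the reason for exclusion is explicit in the SoA.
    """
    soa = []
    for control in catalogue:
        treating = [r for r in risks
                    if control.control_id in r.controls and r.treatment() == "treat"]
        if treating:
            why = "treats: " + "; ".join(f"{r.asset} / {r.threat}" for r in treating)
            soa.append({"control": control.control_id, "name": control.name,
                        "applicable": True, "justification": why})
        else:
            soa.append({"control": control.control_id, "name": control.name,
                        "applicable": False,
                        "justification": "no risk above the acceptance threshold requires it"})
    return soa


def gaps(catalogue, risks):
    """Risks that must be treated but have no control, or cite an unknown control."""
    known = {c.control_id for c in catalogue}
    return [r for r in risks
            if r.treatment() == "treat" and (not r.controls or not set(r.controls) <= known)]


# Constructed sample data; not taken from any real organization.
CATALOGUE = [
    Control("CTL-BACKUP", "Information backup"),
    Control("CTL-PRIVACCESS", "Management of privileged access rights"),
    Control("CTL-CLEARDESK", "Clear desk and clear screen"),
]

RISKS = [
    Risk("customer database", "ransomware", "no tested offline backups",
         "possible", "severe", ["CTL-BACKUP"]),
    Risk("admin accounts", "credential theft", "shared admin password",
         "likely", "major", ["CTL-PRIVACCESS"]),
    Risk("printed reports", "shoulder surfing", "reports left on desks",
         "unlikely", "minor", ["CTL-CLEARDESK"]),
    Risk("HR file share", "insider misuse", "broad read permissions",
         "possible", "major", []),  # scored above threshold but untreated
]

if __name__ == "__main__":
    for row in assess(RISKS):
        print(f"{row['score']:>2} {row['treatment']:6} {row['asset']} / {row['threat']}")
    for entry in statement_of_applicability(CATALOGUE, RISKS):
        state = "applicable" if entry["applicable"] else "not applicable"
        print(f"{entry['control']:15} {state:15} {entry['justification']}")
    for r in gaps(CATALOGUE, RISKS):
        print("GAP: risk requires treatment but has no catalogued control:", r.asset, "/", r.threat)
```

The `gaps()` check is the part worth keeping whatever tool you use: in this sample the HR file share scores 12, above the threshold, yet references no control, which is exactly the inconsistency between the risk register and the SoA that an auditor will find. The clear-desk control comes out as not applicable here only because the one risk it addresses was accepted; if the acceptance threshold is lowered, the same data yields a different SoA, which is why the threshold and scales must be fixed in the documented methodology before the assessment starts.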

9. Training and Awareness

Develop a customized and focused information security training program to build awareness of information security for everybody in your company. Tailor the content to each role, since the controls you selected in step 7 only work if the people who operate them understand what they are for.

10. Get ready for business continuity planning

The Business Continuity Plan identifies your organization's assets and their exposure to risk, and provides an effective plan for prevention and recovery for your organization in the event that a risk materializes and affects the business.

The risk assessment can be seen as one of three steps required for a full implementation of ISO/IEC 27001. The other two are Business Continuity Planning and the development of organizational documentation such as procedures, processes and policies.

RM Studio, Simplifying Risk Management
