Why is Information Security Important?
Organizational information, whether customer data, credit card information, intellectual property, or another form, is a vital asset. Preserving the confidentiality, integrity, and availability of that information allows an organization to sustain a competitive advantage, cost-effectiveness, a steady cash flow, profitability, legal compliance, and a positive reputation.
The question is worth asking, and the answers should be considered from your organization's point of view: whatever you determine them to be, they are the reasons you are venturing into the ISO 27001:2013 certification process.
The next phase of the project, and the second article in our four-part series outlining the steps to certification, is the Risk Assessment, which will be a time-consuming procedure. The Risk Assessment can be the most complex work required for a full implementation of ISO/IEC 27001, as there are many details to identify, evaluate, mitigate, and protect.
What is the Risk Assessment?
The Risk Assessment is the overall process of risk analysis and risk evaluation: identifying the threats facing the organization's assets and the risks they create, appraising the impact each threat would have on a particular asset, and estimating the likelihood of the threat causing an occurrence or event. It also takes into consideration the scope and consequences of the risks with respect to the nature of the information being processed. The objective of the Risk Assessment is to evaluate the risks thoroughly and create the conditions for risk mitigation through the implementation of controls.
Risk Management Software for Risk Assessment – RM Studio
RM Studio will assist you in completing the Risk Assessments for your organization. It streamlines the evaluation procedure and provides numerous time-saving functions in the application. Features include:
7. Prepare the Risk Assessment
Define the risk assessment approach. Will you use a quantitative approach (estimating loss in monetary terms) or a qualitative one (ranking likelihood and impact on agreed scales)? Will you employ the services of a third-party consulting firm or a software application, such as RM Studio? Reviewing ISO/IEC 27005, the standard in the 27000 series dedicated to information security risk management, is recommended for anyone new to ISO 27001 certification. Whichever approach you choose, document it together with your risk acceptance criteria before you start, so that results produced by different assessors are consistent and comparable.
Determine which set of controls you will implement. ISO/IEC 27002 provides good-practice guidelines for implementing the controls listed in Annex A of ISO 27001. You may need to define your own specific controls in addition to the chosen control set.
8. Identify your Information Assets
It is important to define an asset classification scheme, which covers asset identification, the protection each class requires, and acceptable use of the assets.
Define both the tangible and intangible assets within the scope of your ISMS. These assets can be people, equipment, systems, buildings, and everything in between. However, we do not recommend trying to assess the risk to each and every asset at a granular level. Assets can be grouped where this is convenient and logical: if your organization has multiple servers in the same room, evaluating the server room is just as effective as evaluating each server one at a time. Group only assets that face the same threats, share the same vulnerabilities, and will be protected by the same controls; a server holding cardholder data does not belong in the same group as a build server, even if they share a rack.
9. Assess the Risk to the Assets
Execute risk assessment evaluations for the assets within the scope of your ISMS. The exercise involves identifying the relevant threats to each asset, the vulnerabilities those threats could exploit, the impact of a threat being realized, and the probability of it occurring. A threat with no matching vulnerability, or a vulnerability that no threat can reach, does not by itself produce a risk.
The ISO 27001 standard states that Information security is the safeguarding of:
Protecting information and assets includes implementing mitigating controls that address threats. ISO 27001 assesses threats based on:
10. Create the Risk Treatment Plan
Risk treatment is the process of selecting and implementing measures (controls) to mitigate or otherwise modify risk. You will use the applicable controls to mitigate the unacceptable risks identified through the Risk Assessment procedure. Mitigation is not the only treatment option: a risk may also be accepted, avoided by removing the activity or asset, or shared with a third party such as an insurer, but each decision must be recorded and approved by the risk owner.
The most important document associated with the Risk Assessment and Treatment is the Statement of Applicability (SOA). The SOA lists every control in the chosen control set, states whether it is applicable within the scope of the assessment, justifies each inclusion or exclusion, and records the implementation status of each control. If you are using the Annex A controls of ISO 27001:2013 there are 114 in total (the 2005 edition had 133), and you may not need all of them in your environment.
Management's acceptance of the residual risk, the risk that remains after the controls are applied, must also be documented, either with the SOA or in a separate report.
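As an added worked example that is not part of the original article or of the RM Studio product, the following Python script carries steps 8 to 10 through a small qualitative risk register: grouped assets, a likelihood times impact score on an assumed 1 to 5 scale, the four treatment options, residual risk checked against an assumed acceptance threshold, and a generated Statement of Applicability. All assets, threats, controls, scores, control references (C1 to C4) and the threshold are constructed illustrations.

```python
from dataclasses import dataclass, field
from typing import Dict, List

SCALE = range(1, 6)          # assumed qualitative scale: 1 (very low) .. 5 (very high)
ACCEPTANCE_THRESHOLD = 8     # assumed acceptance criterion: residual score above 8 is unacceptable


def is_valid_score(value: int) -> bool:
    """Reject scores outside the agreed scale so assessors cannot invent a '10'."""
    return isinstance(value, int) and value in SCALE


@dataclass(frozen=True)
class Control:
    ref: str                  # illustrative reference, not a real Annex A number
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    asset_group: str          # grouped asset (step 8), e.g. "server room"
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    treatment: str = "mitigate"            # mitigate | accept | avoid | transfer
    controls: List[Control] = field(default_factory=list)

    def __post_init__(self) -> None:
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not is_valid_score(value):
                raise ValueError(f"{name} must be in {list(SCALE)}, got {value!r}")

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        # Avoidance removes the activity or asset, so nothing is left to score.
        if self.treatment == "avoid":
            return 0
        # Each applied control lowers likelihood and/or impact; neither drops below 1.
        likelihood = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        impact = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return likelihood * impact


def assess(risks: List[Risk], threshold: int = ACCEPTANCE_THRESHOLD) -> List[dict]:
    """Steps 9 and 10: score each risk before and after treatment, flag what needs sign-off."""
    rows = []
    for r in risks:
        residual = r.residual_score()
        rows.append({
            "asset_group": r.asset_group,
            "threat": r.threat,
            "inherent": r.inherent_score(),
            "residual": residual,
            "treatment": r.treatment,
            "needs_management_approval": residual > threshold,
        })
    return rows


def statement_of_applicability(catalogue: List[Control], risks: List[Risk]) -> Dict[str, dict]:
    """Build the SOA: every catalogue control, applicable or not, each with a justification."""
    soa = {c.ref: {"name": c.name, "applicable": False,
                   "justification": "no identified risk requires this control"} for c in catalogue}
    for r in risks:
        for c in r.controls:
            entry = soa.setdefault(c.ref, {"name": c.name})
            entry["applicable"] = True
            entry["justification"] = f"treats '{r.threat}' against {r.asset_group}"
    return soa


# Constructed sample data for illustration only.
FIRE_SUPPRESSION = Control("C1", "Fire suppression in server room", impact_reduction=2)
SECURE_CODING = Control("C2", "Secure coding and code review", likelihood_reduction=2)
WAF = Control("C3", "Web application firewall", likelihood_reduction=1)
DISK_ENCRYPTION = Control("C4", "Full-disk encryption on laptops", impact_reduction=3)
CATALOGUE = [FIRE_SUPPRESSION, SECURE_CODING, WAF, DISK_ENCRYPTION]

SAMPLE_RISKS = [
    Risk("server room", "fire", "no automatic suppression", 2, 5, controls=[FIRE_SUPPRESSION]),
    Risk("customer database", "SQL injection", "unvalidated input in web app", 4, 5,
         controls=[SECURE_CODING, WAF]),
    Risk("laptop fleet", "theft", "unencrypted disks", 3, 4, treatment="accept"),
    Risk("legacy FTP server", "credential sniffing", "cleartext protocol", 4, 3, treatment="avoid"),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_RISKS):
        print(row)
    for ref, entry in statement_of_applicability(CATALOGUE, SAMPLE_RISKS).items():
        print(ref, entry)
```

Two things worth noticing in the output. The accepted laptop-theft risk keeps a residual score of 12, above the assumed threshold, so it is flagged for management approval, which is exactly the residual-risk sign-off described above. At the same time the SOA lists disk encryption (C4) as not applicable because no risk applies it, even though a risk it would treat exists in the register; an auditor would question that pairing, and the register makes the inconsistency visible rather than hiding it in a spreadsheet.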
Review the Risk Assessment and Treatment Plan at planned intervals and whenever significant changes occur, such as new systems, new threats, or a security incident; ISO 27001:2013 requires this, and it keeps the policies and procedures of the Information Security Management System current.
The third part of the series will follow this article next week. We will also be holding a live 30-minute webcast to continue explaining this strategy. Visit our website for more details.