CHAPTER 12: RISK ASSESSMENT

The next planning step is the information security risk assessment. Risk assessment is dealt with in clauses 6.1.2 and 8.2 of ISO27001, supported by the guidance of ISO27002 Clause 0.2.

Rather than being immediately complementary, ISO27002 recognises the value of additional control and management frameworks. The risk assessment guidance offered in ISO27002, therefore, is necessarily brief as it encourages the organisation to choose the approach which is most applicable to its industry, complexity and risk environment.

Link to ISO/IEC 27005

ISO27005 is a code of practice and provides detailed and extensive guidance on how to implement the requirements mandated by ISO27001. While the risk assessment must be carried out in line with the requirements of ISO27001, the guidance of ISO27005 can be drawn on in developing the detailed risk assessment methodology.

Objectives of risk treatment plans

Risk treatment plans have four linked objectives. These are to

•  eliminate risks (terminate them),

•  reduce those that cannot be eliminated to ‘acceptable’ levels (treat them),

•  tolerate them, carefully exercising the controls that keep them ‘acceptable’, or

•  transfer them, by means of contract or insurance, to some other organisation.

ISO27001 requires the organisation (in Clause 6.1.2) to define the risk acceptance criteria and the criteria for performing information security risk assessments. The process adopted by management to make these decisions must be ‘tailored to the needs of the organisation’.1 Furthermore, whatever risk assessment process the organisation chooses to implement, it must be able to ‘produce consistent, valid and comparable results’.2

A risk treatment plan can only be drawn up once the risks have been identified, analysed and assessed. The risk assessment process should be designed to operate within the organisation’s overall risk treatment framework (if there is one) and should follow the specific requirements of ISO27001.

Legal, regulatory and contractual requirements

ISO27001 requires the organisation to implement any controls that might be necessary to meet its legal, regulatory and contractual obligations. Once these controls have been selected and implemented, the organisation can proceed to carry out a risk assessment to identify what additional controls might be required in order for it to manage risks within its risk tolerance level.

Risk assessment process

ISO27001 sets out seven steps that must be followed in carrying out a risk assessment:

•  identify risks associated with the loss of confidentiality, availability and integrity of information within the scope of the ISMS;

•  identify the risk owners;

•  assess the consequences that may result if an identified risk materialises;

•  assess the likelihood of that risk occurring;

•  determine the levels of risk;

•  compare the results of the analysis against the risk criteria;

•  prioritise the risks for treatment.

Identify risks (6.1.2.c.1)

Information security risks are ‘the potential that threats will exploit vulnerabilities of an information asset or group of information assets and thereby cause harm to an organisation.’3

Threats

Threats are things that can go wrong or that can ‘attack’ the identified assets. They can be either external or internal. ISO27001 requires the ISMS to be based on the foundation of a detailed identification and assessment of the threats to each individual information asset that is within the scope. Threats will vary according to the industry and the scope of the ISMS.

Vulnerabilities

These leave a system open to attack by something that is classified as a threat, or allow an attack to have some success or greater impact. A vulnerability can be exploited by a threat. Identify – for every identified asset, and for each of the threats listed alongside each of the assets – the vulnerabilities that each threat could exploit.

Identify risk owners (6.1.2.c.2)

In addition to the asset owners that must be identified in the asset register prior to the risk assessment, each risk identified is assigned an owner. It is important to recognise the distinction in roles between the asset owner and the risk owner. While the asset owner is responsible for ensuring that the asset is inventoried, classified and protected, controlled and properly handled4, the risk owner has no specific responsibilities towards the asset, but is responsible for managing the risk and accepting residual information security risks. It is also important to note that a single risk may affect several assets.

Assess the consequences of the risk (6.1.2.d.1)

The successful exploitation of a vulnerability by a threat will have an impact on the asset’s availability, confidentiality or integrity. These impacts should all be identified and, wherever possible, assigned a value. ISO27001 is clear that these impacts should be assessed under each of these three headings; a single threat, therefore, could exploit more than one vulnerability and each exploitation could have more than one type of impact.

The Standard’s requirement is to assess the extent of the possible loss to the business for each potential impact. One object of this exercise is to prioritise treatment (controls) and to do so in the context of the organisation’s acceptable risk threshold; it is acceptable to categorise possible loss rather than attempt to calculate it exactly.

Likelihood (6.1.2.d.2)

There must be an assessment of the likelihood or probability of the identified impact actually occurring. Probabilities might range from ‘not very likely’ (e.g. major earthquake in southern England destroying primary and backup facilities) to ‘almost daily’ (e.g. several thousand automated malware and hack attacks against the network).

Levels of risk (6.1.2.d.3)

Assess the risk level for each impact as a combination of the consequences and the likelihood. Every organisation has to decide for itself what it wants to set as the thresholds for categorising each potential impact.

Comparing the risk analysis with the risk criteria (6.1.2.e.1)

Take the levels of risk established during the analysis and compare them with the risk criteria established at the start of the process. This provides a broader overview of the level of overall risk facing the organisation on a risk-by-risk and asset-by-asset basis, and provides the basis of the rest of the ISMS.

Prioritise the risks (6.1.2.e.2)

The further a risk deviates from the risk acceptance criteria, the higher its priority. Even in the event that a risk falls within the acceptance criteria, it may be valuable to assign it a priority for eventual treatment, or it may be predicted that the risk will increase under specific circumstances.
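As an added worked example (not from the book, nor from ISO27001 or ISO27005), the seven assessment steps above as a small risk-register calculator in Python. The 1-5 qualitative scales, the use of the product of the two scores as the risk level, the acceptance threshold of 8 and the register entries are all assumptions made for this example; the Standard leaves scales, combination rule and acceptance criteria to the organisation.

```python
from dataclasses import dataclass

# Qualitative 1-5 scales: an assumption for this example. ISO27001 requires the
# organisation to define its own scales and risk acceptance criteria (6.1.2.a).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost daily": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
PROPERTIES = ("confidentiality", "integrity", "availability")


@dataclass
class Risk:
    """One identified risk (6.1.2.c): a threat exploiting a vulnerability of an asset."""
    asset: str
    asset_owner: str         # responsible for inventory, classification, protection
    risk_owner: str          # distinct role: manages the risk and accepts residual risk
    threat: str
    vulnerability: str
    likelihood: str          # key of LIKELIHOOD (6.1.2.d.2)
    consequences: dict       # property -> key of CONSEQUENCE; only impacted properties listed


def risk_level(consequence: str, likelihood: str) -> int:
    """6.1.2.d.3: combine consequence and likelihood (assumed rule: product of ordinal scores)."""
    return CONSEQUENCE[consequence] * LIKELIHOOD[likelihood]


def analyse(risk: Risk) -> list:
    """6.1.2.d: one row per impacted property, so a single threat can carry several impacts."""
    rows = []
    for prop, consequence in risk.consequences.items():
        if prop not in PROPERTIES:
            raise ValueError(f"unknown security property: {prop}")
        rows.append({
            "asset": risk.asset,
            "threat": risk.threat,
            "property": prop,
            "risk_owner": risk.risk_owner,
            "level": risk_level(consequence, risk.likelihood),
        })
    return rows


def evaluate(register, acceptance_threshold: int) -> list:
    """6.1.2.e: compare each level with the acceptance criterion and order by deviation,
    so the risk furthest above the threshold is treated first."""
    rows = [row for risk in register for row in analyse(risk)]
    for row in rows:
        row["deviation"] = row["level"] - acceptance_threshold
        row["acceptable"] = row["deviation"] <= 0
    return sorted(rows, key=lambda r: r["deviation"], reverse=True)


# Constructed sample register; assets, owners and scores are illustrative only.
REGISTER = [
    Risk("customer database server", "DBA team lead", "Head of IT security",
         "automated malware", "operating system not patched", "likely",
         {"confidentiality": "major", "integrity": "moderate"}),
    Risk("primary data centre", "Facilities manager", "Chief operating officer",
         "major earthquake", "backup site in the same region", "rare",
         {"availability": "severe"}),
    Risk("payroll file share", "Payroll manager", "Finance director",
         "disk failure", "no nightly backup", "possible",
         {"availability": "moderate"}),
]

ACCEPTANCE_THRESHOLD = 8   # assumed criterion: levels up to 8 are tolerated


def treatment_priorities(register=REGISTER, threshold=ACCEPTANCE_THRESHOLD) -> list:
    """Rows that fall outside the acceptance criteria, highest deviation first."""
    return [row for row in evaluate(register, threshold) if not row["acceptable"]]


if __name__ == "__main__":
    for row in evaluate(REGISTER, ACCEPTANCE_THRESHOLD):
        status = "tolerate" if row["acceptable"] else "treat"
        print(f"{row['level']:>3} {status:<8} {row['asset']} / {row['threat']} / {row['property']}")
```

Each impact is scored separately under confidentiality, integrity and availability, which is why the malware risk yields two rows with different levels; the earthquake risk scores low despite a severe consequence because its likelihood is rated rare, and it stays on the register as a tolerated risk whose priority can be revisited if circumstances change.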

Risk treatment plan

Clause 6.1.3 of ISO27001 requires the organisation to formulate a risk treatment plan. This should identify the appropriate management action, responsibilities and priorities for managing information security risks. The risk treatment plan must be documented. It should be set within the context of the organisation’s information security policy and it should clearly identify the organisation’s approach to risk and its criteria for accepting risk. These criteria should, where a risk treatment framework already exists, be consistent with the requirements of ISO27001.

1 ISO/IEC 27001:2013, 1.

2 ISO/IEC 27001:2013, 6.1.2.b.

3 ISO/IEC 27000, 2.61, Note 6; emphasis added.

4 ISO/IEC 27002, 8.1.2.
