CHAPTER 5:
OVERVIEW OF THE RISK ASSESSMENT PROCESS

ISO27001 says that ‘criteria against which risk will be evaluated’ must be contained within the ISMS policy (ISO 27001 clause 4.2.1 - b3). Within the context provided by the policy, the organization must identify a suitable risk assessment methodology that takes into account identified business, information security, legal and regulatory requirements (4.2.1 -c1) and must ensure that the criteria for accepting risks and for identifying the acceptable level of risks are defined (4.2.1 - c2).

ISO27001 says that the organization’s risk assessment methodology – which should reflect the organization’s risk appetite and/or sit within the existing Enterprise Risk Management (‘ERM’) structure – must produce ‘comparable and reproducible results’ (clause 4.2.1 - c). This means that, once the first risk assessment has been conducted, any subsequent risk assessments can use it as a baseline or benchmark for comparison.

As a consequence of this, once controls have been applied in the light of the risk treatment decision, the risk assessment can be repeated and the remaining, residual risks confirmed as being within the organization’s level of risk tolerance, which in turn demonstrates that the ISMS is effective and that the information security policy objectives are being achieved.

The precise risk assessment steps are that the organization:

• identifies the assets (ie, anything that has value to the organization) within the scope of the ISMS, and the owners of those assets (clause 4.2.1 - d1);

• identifies the business, legal and contractual requirements that are relevant to the identified assets;[8]

• values the identified assets, taking into account the confidentiality, availability and integrity of the assets in each of their business, legal and contractual contexts;

• identifies the threats to the identified assets (4.2.1 - d2);

• identifies the vulnerabilities that might be exploited by those threats (4.2.1 - d3);

• analyses the impacts that losses of confidentiality, integrity and availability may have on each of the assets in each of their business, legal and contractual contexts (4.2.1 - d4) – this can be the values identified three steps earlier, and this approach is reflected in BS7799-3:2006;

• assesses the ‘realistic likelihood’ of these impacts occurring (4.2.1 - e2); and

• estimates the risks to the assets, using these factors (clause 4.2.1 - e3).

[8] While this and the subsequent step are not clearly mandated by ISO27001, the requirement of clause 4.2.1 - b2 (‘takes into account business and legal or regulatory requirements, and contractual security obligations’) can only practically be met by addressing them at this point. This approach is precisely in line with the recommendations of BS7799-3, clause 5.3.

This estimation of the level of risk (the ‘risk equation’) is achieved by:

1. Assessing the business, legal/regulatory and contractual impacts on the organization of security failures (‘taking into account the consequences of a loss of confidentiality, integrity or availability’).

2. Assessing the realistic likelihood of the failure occurring for the given threats and vulnerabilities and (where appropriate) the controls currently implemented.

The relationship between these attributes is reflected in the diagram below. It assumes that there is an estimable likelihood that an identified threat will exploit an identified vulnerability; if it does, there will be an estimable impact and the product of impact and likelihood gives rise to the risk level. Whether or not that level of risk is acceptable depends entirely on the organization’s risk acceptance criteria.

Figure 1: Sources of the risk equation

Clause 4.2.1 - e4 of ISO27001 then requires the organization to determine which of these risks are acceptable and which require treatment in light of the criteria set out at the start of the process (at 4.2.1 - c).

The standard then requires the management in your organization to ‘identify and evaluate’ options for the treatment of the risks (4.2.1 - f) and provides four possible headline options for this treatment. These are:

1. Knowingly accept the risks, provided they satisfy the organization’s policies and risk acceptance criteria, ie, they are within its level of risk tolerance or risk appetite; or

2. Apply appropriate controls (treating the risk) to reduce the risk to an acceptable level; or

3. Reject or avoid the risks, by for example finding a work-around; or

4. Transfer the business risks to other parties.

The risks that require treatment through the application of controls (option 2, above) are then handled in accordance with section 4.2.1 - g, with each risk being treated through the selection of a control objective and supporting control(s) that will meet the requirements identified by the risk assessment process and that take account of the overriding risk acceptance criteria as well as the legal, regulatory and contractual requirements.

Controls act to reduce likelihood and/or impact and the objective of the control selection process is to select controls that will bring the identified risk below the previously defined level of risk tolerance, as shown in the risk treatment matrix below:

Figure 2: Controls reduce impact and/or likelihood to bring the risk down to the level of risk tolerance/acceptance
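The risk equation (impact multiplied by likelihood, as in the two estimation steps above) and the treatment step just described (controls lowering likelihood and/or impact until the residual risk sits under the tolerance line) can be made concrete in a small risk register. The following Python is an added example, not taken from this chapter or from ISO27001; the 1 to 5 ordinal scales, the tolerance threshold of 8, the choice of the worst-case impact across confidentiality, integrity and availability, and the two sample assets with their controls are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed 1-5 ordinal scales. The chapter fixes no scale values, so these
# are an assumption made for the example.
LIKELIHOOD_SCALE = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT_SCALE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Hypothetical risk acceptance criterion taken from the ISMS policy: a risk
# level (impact x likelihood) of 8 or below is within tolerance.
RISK_TOLERANCE = 8


@dataclass
class Control:
    """A selected control and the scale steps it removes (assumed linear effect)."""
    name: str
    likelihood_reduction: int = 0  # steps down the likelihood scale
    impact_reduction: int = 0      # steps down the impact scale


@dataclass
class Risk:
    """One row of the risk register: asset, owner, threat, vulnerability, CIA impact."""
    asset: str
    owner: str
    threat: str
    vulnerability: str
    impact: dict            # impact per property: confidentiality / integrity / availability
    likelihood: str
    controls: list = field(default_factory=list)  # controls chosen at the treatment step


def impact_score(risk):
    """Worst-case impact across C, I and A (assumption: take the maximum)."""
    return max(IMPACT_SCALE[level] for level in risk.impact.values())


def likelihood_score(risk):
    return LIKELIHOOD_SCALE[risk.likelihood]


def inherent_risk(risk):
    """The risk equation before treatment: impact x likelihood."""
    return impact_score(risk) * likelihood_score(risk)


def residual_risk(risk):
    """The risk equation after the selected controls lower likelihood and/or impact.
    Scores never drop below 1: a control cannot make a threat impossible."""
    impact = impact_score(risk)
    likelihood = likelihood_score(risk)
    for control in risk.controls:
        likelihood = max(1, likelihood - control.likelihood_reduction)
        impact = max(1, impact - control.impact_reduction)
    return impact * likelihood


def treatment_decision(level, tolerance=RISK_TOLERANCE):
    """Clause 4.2.1 - e4 decision: accept if within tolerance, otherwise treat."""
    return "accept" if level <= tolerance else "treat"


def assess(register, tolerance=RISK_TOLERANCE):
    """Run the register through estimation, the acceptance decision, and the
    residual-risk check that the chapter describes as following treatment."""
    results = []
    for risk in register:
        inherent = inherent_risk(risk)
        decision = treatment_decision(inherent, tolerance)
        residual = residual_risk(risk) if decision == "treat" else inherent
        results.append({
            "asset": risk.asset,
            "inherent": inherent,
            "decision": decision,
            "residual": residual,
            "residual_acceptable": residual <= tolerance,
        })
    return results


# Constructed sample register (hypothetical assets, not from the chapter).
SAMPLE_REGISTER = [
    Risk(asset="customer database", owner="head of sales", threat="external attacker",
         vulnerability="unpatched web application",
         impact={"confidentiality": "major", "integrity": "moderate", "availability": "minor"},
         likelihood="likely",
         controls=[Control("patch management", likelihood_reduction=2),
                   Control("encryption of stored records", impact_reduction=1)]),
    Risk(asset="public website content", owner="marketing manager", threat="defacement",
         vulnerability="weak CMS password policy",
         impact={"integrity": "minor", "availability": "minor"},
         likelihood="possible"),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(row)
```

Running the module prints one row per asset. The customer database scores 4 x 4 = 16 inherently, exceeds the tolerance of 8 and is marked for treatment; after the two controls it falls to 3 x 2 = 6 and is confirmed acceptable. The website content scores 2 x 3 = 6 and is accepted as-is (option 1 above) without any control being selected. Where the residual value still exceeded the tolerance, a practitioner would either select further controls or escalate the risk for a formal acceptance decision rather than silently record it as treated.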

The penultimate step in the ‘Plan’ stage of the initial ISO27001 Plan-Do-Check-Act cycle is the production of a Statement of Applicability. This document lists all the controls identified in Annex A of ISO27001 and states (together with a justification) whether or not that control has been applied within the organization’s ISMS.

Formal management approval is then required for the Statement of Applicability, for the proposed residual risks, and for the implementation of the selected controls through the operation of the ISMS.
