CHAPTER 12:
REVIEWING THE RISK ASSESSMENT

ISO27001 sets out the requirement: ‘review risk assessments at planned intervals and review the residual risks and the identified acceptable levels of risks’ taking into account changes in the business environment, to the organization, to the risks it faces, to the incidents it experiences, to regulatory changes and in light of the effectiveness of the controls.15

Given the rate of development of new threats, the discovery of new vulnerabilities and the development of new technology (with its own inherent vulnerabilities), the information security management system needs to be continually reviewed to ensure it remains fit for purpose and that it meets the requirements of the information security policy. To do this, the risk assessment must be reviewed.

ISO27001, clause 4.2.3 - d, requires the organization to ‘review risk assessments at planned intervals and [to] review the residual risks and identified acceptable levels of risks’, taking into account changes to the organization and its business objectives, the risk environment (i.e. threats, vulnerabilities and likelihoods), the emergence of new technology and changing usage of existing systems, and changes to regulatory and compliance requirements.

15 ISO27001, clause 4.2.3 - d.

There are two types of review:

1. A review that takes place in response to a specific change of circumstances, such as a proposal to introduce a new technology, provide a new service or respond to a regulatory change.

2. A review that takes place on a regular basis and which considers the overall effectiveness of the controls that are currently in place. This regular review should take place at least annually in smaller businesses; in larger organizations it should probably be done on a rolling monthly schedule that ensures the entire risk assessment is reviewed across the twelve-month period.

Review(s) should be part of the overall management review of the ISMS and should look at the aggregated outputs of the incident reporting procedure as well as from the various processes put in place to measure16 the effectiveness of controls (as required by ISO27001 clause 4.2.3 - c).

16 For further guidance on this subject, see Measures of Effectiveness for Continuously Improving your ISO27001 ISMS, due to be published by ITGP in 2007/8.
