Anyone can follow and apply the best practice set out in this white paper. Most
organisations will want to streamline their risk assessment process so that this best
practice becomes embedded. This is most easily done by acquiring and using a standard
ISO 27001 risk assessment software tool. This white paper therefore also describes a
number of the key features you should look for in an ISO 27001 risk assessment tool.
Experienced information security and risk management practitioners know that manual
risk assessment methods are highly dependent on one or two individuals within the
organisation, are time-consuming (trial and error) and costly to create, and often suffer
from data and process inconsistencies that undermine the integrity and dependability
of the results. They will therefore always use a purpose-built ISO 27001 risk assessment
software tool, and one that follows the five steps above, in order to achieve their
organisation's risk management objectives consistently and cost-effectively.
Formal methodology
ISO 27001 (clause 6.1.2) requires the organisation to define and apply a risk assessment
process. A key requirement of this process is that it must produce consistent, valid
and comparable results. In practical terms, this means that the risk assessment process
should be objective, transparent and auditable; competent risk assessors should be able
to analyse and evaluate a range of risks and reach consistent results, irrespective of who
carries out or reviews the risk assessment.
Long-term, consistent, robust and transparent results are one of the key reasons for
using formal risk assessment software tools; all future risk reviews, and additional
risk assessments, can then be performed quickly and easily in a standardised and
well understood environment. Good ISO 27001 risk assessment tools are, in practice,
designed and built to incorporate the five steps.
A formal risk assessment methodology has to address four issues, and has to be approved
by top management:
The first step in a risk assessment is for the lead risk assessor to ensure that the
organisation has correctly identified and implemented all of its necessary baseline security
controls. If you are using a risk assessment tool, you should be able to identify which of
these controls have been adopted.
Risk scale
The second step is to establish what is called the risk scale. Establishing the risk scale can
be one of the most challenging aspects of establishing an ISMS and is one of the areas in
which organisations often benefit from external expert assistance.
In simple terms, a risk is defined as a combination of likelihood and impact: a risk has to
be likely to occur and, if it does occur, it has to have an impact on the organisation;
otherwise, why bother worrying about it in the first place?
A risk scale can typically be imagined as a standard graph, where likelihood (of an event
happening) is the vertical axis and impact (on the organisation) is the horizontal axis. The
basis of measurement can be either qualitative or quantitative. Qualitative scales are the
most widely used, because "impact" is almost impossible to reduce to a single quantitative
value: some things have no cash value, and some impacts are troublesome mainly because of
the time involved rather than the money lost. Likelihood would benefit enormously from a
quantitative method, but it is uncommon to see a quantitative likelihood mixed with a
qualitative impact in one scale.
Impact is more complex, and can involve financial loss, reputation damage, operational
Risk appetite
You're going to use your risk scale to analyse risks and to determine how you're going to
respond to identified risks. All organisations are prepared to live with, or accept, a certain
level of risk. Events that are highly unlikely to happen or that, if they do happen, are
highly unlikely to disrupt the organisation, might be risks that management is prepared to
tolerate; in other words, the sort of risk that management is not going to take action to
deal with.
The range of risks that management is prepared to tolerate falls within its risk appetite
and can be clearly identified on a risk assessment matrix such as the one below (in the
original figure the tolerated region is shaded). On this example scale the risk level in each
cell is the likelihood score plus the impact score minus one, so it runs from 1 to 8.

Likelihood      Risk level at each impact score
                1           2       3         4       5
                (very low)  (low)   (medium)  (high)  (very high)
4 (high)        4           5       6         7       8
3 (medium)      3           4       5         6       7
2 (low)         2           3       4         5       6
1 (very low)    1           2       3         4       5
Good risk assessment software tools will allow for both scenario- and asset-based risk
assessments, and their asset databases should therefore be compatible with and integral
to the risk assessment software.
You're also going to want to import assets from a range of sources as well as directly
entering some specific asset data. Not only should a risk assessment tool support
data imports, it should enable you to deal with assets as part of a group, rather than
individually. This is because many assets (e.g. laptops) have similar characteristics to
others of the same kind, and face similar risks; rather than assessing risk laptop by laptop,
it is more efficient to apply a common set of risks to all the laptops within a specific
laptop asset group, both initially and in the future. Risk assessment tools that allow risks
to be dealt with in this way are ideal.
2. Identify risks
While this is a relatively straightforward activity, it is the most time-consuming part of the
whole risk assessment process. Typically, your lead risk assessor works with risk and/or
asset owners within the organisation to identify all the events that might compromise the
confidentiality, integrity and/or availability of each of the assets that is within the scope of
your ISMS, and, for each event, to analyse the risk and determine the likely impact on the
organisation.
Good risk assessment software should enable multiple users to work on a shared risk
3. Analyse risks
Risk analysis typically involves understanding how the risk might occur, which usually
requires you to identify a vulnerability in your asset and a threat that might exploit that
vulnerability. A vulnerability is something that is part of the asset, while a threat is external
to the asset. This level of analysis is essential if you are to make practical and cost-
effective decisions about how to respond to an identified risk. For instance, an unpatched
operating system will display multiple vulnerabilities, all of which could be exploited by
external (to the OS) threats such as hackers, disgruntled staff or even other applications.
Obviously, for each of the events you identify, you will want to be able to analyse the risk
and assess the likelihood of each threat exploiting each linked vulnerability.
Useful risk assessment software comes with built-in lists of threats and vulnerabilities,
usually with appropriate links already defined. This removes the need for you to invest
time and energy in building your own database of threats and vulnerabilities, and should
help accelerate and simplify the process of risk analysis. You should also be able to
analyse risks on the basis that your baseline security controls are in place and effective.
4. Evaluate risks
Your risk assessment software should automatically collect the results of your risk analysis,
calculate, for each risk, where it sits on your risk scale and, in particular, identify whether or
not the risk falls within or outside your predetermined level of acceptable risk. You should
very quickly be able to identify your highest risks and, therefore, to prioritise which risks to
address in what order.
Your risk assessment methodology should contain the formal criteria that enable these
decisions to be made consistently. Your risk assessment software should then, for all the
risks that you have decided to treat, provide a range of possible controls that could be
applied to reduce the likelihood and/or impact. Ideally, you would want access to the
controls listed in Annex A of ISO 27001, as well as those contained in other frameworks,
from the PCI DSS to NIST SP 800.
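The following is an added illustration of steps 2 to 4 above and of the asset-group approach described earlier; it is not vsRisk code and not part of the original paper. It scores each threat/vulnerability pair once per asset group on the 4x5 scale shown above, expands those scores to every asset in the group, sorts out which risks exceed the risk appetite, and re-scores a risk after a control has been applied. The assets, threats, vulnerabilities, scores and the risk appetite of 3 are constructed assumptions.

```python
"""Asset-group risk register on the 4x5 likelihood/impact scale used in this
paper.  Added illustration, not vsRisk code; the assets, threats,
vulnerabilities, scores and risk appetite below are constructed examples."""
from dataclasses import dataclass, replace
from typing import Optional

# Scores on the scale shown above: four likelihood levels, five impact levels.
LIKELIHOOD = {"very low": 1, "low": 2, "medium": 3, "high": 4}
IMPACT = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}


def risk_level(likelihood: int, impact: int) -> int:
    """Risk level read off the matrix above: likelihood + impact - 1 (range 1..8).
    Rejecting scores outside the agreed scale is what keeps results comparable
    regardless of who carries out the assessment (ISO 27001 clause 6.1.2)."""
    if likelihood not in LIKELIHOOD.values():
        raise ValueError(f"likelihood score {likelihood} is not on the scale")
    if impact not in IMPACT.values():
        raise ValueError(f"impact score {impact} is not on the scale")
    return likelihood + impact - 1


@dataclass(frozen=True)
class RiskTemplate:
    """One threat/vulnerability pair, scored once for a whole asset group."""
    cia: str            # "C", "I" or "A": the property the event compromises
    threat: str         # external to the asset
    vulnerability: str  # part of the asset
    likelihood: str     # key of LIKELIHOOD
    impact: str         # key of IMPACT

    @property
    def level(self) -> int:
        return risk_level(LIKELIHOOD[self.likelihood], IMPACT[self.impact])


@dataclass(frozen=True)
class RegisterEntry:
    asset: str
    group: str
    risk: RiskTemplate
    level: int


def build_register(assets: dict, group_risks: dict) -> list:
    """Expand each group's risks to every asset in the group, so a laptop risk is
    scored once and applied to all laptops (assets maps asset name -> group)."""
    register = []
    for asset, group in sorted(assets.items()):
        for risk in group_risks.get(group, []):
            register.append(RegisterEntry(asset, group, risk, risk.level))
    return register


def evaluate(register: list, appetite: int):
    """Split the register into risks to treat (level above appetite, highest first)
    and risks management tolerates (level within appetite)."""
    treat = sorted((e for e in register if e.level > appetite),
                   key=lambda e: (-e.level, e.asset, e.risk.threat))
    tolerate = [e for e in register if e.level <= appetite]
    return treat, tolerate


def residual(risk: RiskTemplate, likelihood: Optional[str] = None,
             impact: Optional[str] = None) -> RiskTemplate:
    """Re-score a risk after a control that lowers likelihood and/or impact; the
    returned template is compared with the appetite like any other."""
    return replace(risk, likelihood=likelihood or risk.likelihood,
                   impact=impact or risk.impact)


# Constructed sample data (hypothetical assets and risks).
ASSETS = {"LT-001": "laptop", "LT-002": "laptop", "SRV-WEB-01": "web server"}
GROUP_RISKS = {
    "laptop": [
        RiskTemplate("C", "theft of device", "disk not encrypted", "medium", "high"),
        RiskTemplate("A", "hardware failure", "no backup of local data", "low", "low"),
    ],
    "web server": [
        RiskTemplate("I", "external attacker", "unpatched operating system",
                     "high", "very high"),
    ],
}
RISK_APPETITE = 3  # levels 1..3 are tolerated; an assumed figure set by top management


if __name__ == "__main__":
    treat, tolerate = evaluate(build_register(ASSETS, GROUP_RISKS), RISK_APPETITE)
    for e in treat:
        print(f"TREAT    level {e.level}: {e.asset} ({e.group}) {e.risk.cia} "
              f"{e.risk.threat} / {e.risk.vulnerability}")
    for e in tolerate:
        print(f"TOLERATE level {e.level}: {e.asset} ({e.group}) {e.risk.threat}")
    # Full-disk encryption lowers the impact of laptop theft from high to very low.
    after = residual(GROUP_RISKS["laptop"][0], impact="very low")
    print(f"laptop theft residual level {after.level} (appetite {RISK_APPETITE})")
```

Because the register is derived from group-level templates, re-scoring one template at the next review changes the result for every asset in the group at once, which is the maintenance saving the paper describes; and because scores outside the scale are rejected rather than silently accepted, two assessors working from the same scale cannot produce incomparable numbers.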
Once you've selected controls that will reduce identified risks to acceptable levels, you
want your risk assessment software to produce the two documents that are required
by ISO 27001, in a format that will immediately meet those requirements: the
Statement of Applicability and the risk treatment plan.
Of course, you would also want dynamic links from within your risk assessment tool to
the exact documentation that deals with implementation of each control; even more
importantly, you're likely to want a management dashboard that tells you, at a glance,
where you are with your risk assessment and the status of identified risks.
2. You will find that you spend more time maintaining your risk assessment than you
invested setting it up, so it makes sense to lock in future efficiencies at the outset. vsRisk's
robust methodology means that upcoming risk reviews and further risk assessments can
be performed quickly, consistently and cost-effectively.
3. vsRisk has nearly ten years of development invested in it. It already incorporates
feedback and experience from hundreds and hundreds of ISO 27001 risk assessments,
and is supported by an ongoing investment and user support programme that regularly
brings additional useful functionality and features to help you continually improve your
own ISMS.
Drawing on years of experience developing and deploying risk management tools and
services, our product range eliminates the complexity of a cyber security implementation
project.
vsRisk, our flagship information security risk assessment tool, was introduced in April
2007 and has simplified and streamlined the information security risk assessment process
for hundreds of organisations globally.
Sign up now for a personal, one-to-one demonstration of this unique risk assessment
software.