Part 7 - Risk assessments determining appropriate controls to reach acceptable levels of risk
The next principle for an effective information security management system (ISMS) is to conduct risk assessments and then determine controls to reach an acceptable level of risk. The ISO 27001 standard is built around the philosophy of managing risk, and managing risks associated with information security involves a process.
One of the best processes for managing risk comes from the ISO 31000:2009 standard (ISO 31000:2009 Risk management— Principles and Guidelines). This process involves four steps:
- Determining the context of your business
- Conduct a risk assessment
- Treating the risks with some controls
- Communicate those controls to your staff and review them frequently.
The first step is to work out the context. This involves determining the objectives of your business, the scope of what you want to manage, identifying which interested parties are involved, and deciding on which risk evaluation process you will use. This list is a very useful way to work out the context, but it’s not exhaustive - to be rigorous I suggest that you purchase ISO 31000 to get a comprehensive understanding.
The next step is to conduct a risk assessment. Risk assessment can be split into three sub-processes:
- Risk identification
- Risk analysis
- Risk evaluation
The aim of risk identification is to “generate a comprehensive list of risks based on those events that might create, enhance, prevent, degrade, accelerate or delay the achievement of objectives.”
The risk analysis sub-process is where you develop a deep understanding of the risk. With deep understanding you can determine if the risks need to be treated.
The next sub-process is risk evaluation. This is where you determine the “level of risk”. Then you compare the level of risk with the risk criteria established when the context was considered (see step 1). If this level of risk is unacceptable then you need to work out some treatments and controls that if implemented, will reduce the level of risk to acceptable levels.
The next step is to implement treatments and controls that reduce the level of risk down to acceptable levels.
Once you have determined the controls you must them communicate them to your staff to make them aware of the risk and to ensure that they know what the treatment is.
Finally you need to continually review how effective the treatment is at keeping the risk at an acceptable level.
Let’s take a look at an example of how you do this. You determine the scope of your business and the objectives you want to achieve. You identify a malware attack as a risk to achieving your business objectives. You then analyse types of malware to gain a deep understanding on how they work, where they come from and what effect that will have on your business. [Note - Maersk estimates they lost $250 million from a malware attack in July 2017 - http://www.foxbusiness.com/features/2017/11/08/maersk-posts-loss-after-cyberattack-wsj.html]. Then you evaluate the risk of a malware attack against your chosen risk criteria to determine its “level of risk”. Let’s say that it is a high risk. Against your risk criteria a high risk is deemed unacceptable. So to reduce the risk to an acceptable level, you decide that anti-virus software will treat that risk. You then implement the anti-virus software across your business and make sure it continually updates. Once in place, you then audit the system to ensure the anti-virus software is operating effectively.
So this four step process is your best mechanism to ensure that your ISMS is effective.
View previous blogs in this series "ISO 27001 Information Security Management Standard":