Understanding the risks in your organisation is a key part of being able to manage it effectively, and it's part of the reason that the ISO management systems now take a risk-based approach. ISO27001:2015 is no different from the other standards in that respect: if you want an effective Information Security Management System (ISMS), you need to understand the information security risks to your organisation through a structured risk assessment, and then determine what controls you need to put in place for the risks you identify.
The Risk Process
Step 1: Determine the context of the Organisation
Step 2: Carry out a Risk Assessment
Step 3: Treat the Identified Risks with Controls
Step 4: Communicate the Risk & Controls to your organisation and review them on a regular basis.
Surrounding all of this is the idea of continuous improvement. Think of the PDCA (Plan, Do, Check, Adjust) loop, so it's useful to think about the process in terms of a diagram like the one shown opposite.
Understanding the steps of the Risk Process
Rather than just leave it at some headlines and say "OK, that's risk in your system", we thought it would be helpful to explain a little more about each step. We are using ISO31000:2018 Sections 6.3-6.7 in this explanation.
Step 1: Understand the Context
This is about understanding your business and determining the scope of what you feel you want to manage. This is going to be different for every organisation; there isn't a cookie-cutter approach. The items that you determine should be part of your ISO27001 Information Security Management System are entirely up to you. As part of that scope you should identify who the interested parties are, in much the same way as you do in ISO9001. These may be clients, staff, customers, suppliers, government agencies, the general public, neighbouring organisations; the list goes on and on, and you need to think about all of them when understanding the context of your organisation. Think of it as understanding how your company fits into the bigger picture and who you touch with your business.
Step 2: Conduct a Risk Assessment
We were very deliberate with the wording of this section: it's a single risk assessment, not multiple. You are looking to build one single risk register for all your information security risks; keeping it to one document makes life easier later. There are essentially three sections to the risk assessment process:
I. Risk Identification
The identification of risks is about creating a comprehensive list of the risks that are relevant to your organisation with respect to information security. Remember that information isn't limited to IT systems; it's all information. It could be on a whiteboard, a bit of paper, in people's heads or even on a napkin! ISO31000 says that the purpose of identifying risk is to "find, recognise and describe risks that might help or prevent an organisation achieving its objectives", which is quite a broad area to think about.
II. Risk Analysis
The key word here is analysis: you are looking to genuinely understand the risks that you have identified. Are they big ones or small ones? Are they real, or just there because someone has heard of them in another organisation? We are looking to get a really deep understanding of the uncertainties around the risks, their sources, how likely they are to actually occur and in what scenarios they are most commonly found. For example, me winning the lottery and taking up a life of leisure or relaxing at the beach and taking photos around the world is a risk to my business. This only becomes a real risk when I buy a ticket for the lottery, which, like most of the country, I only do when the jackpot gets over a certain amount. The likelihood of me actually winning the lottery is apparently one in 13,983,816, so you would say the risk is pretty small.
As part of the analysis you really do need to think about what the impact would be if the risk came to fruition. In our example above, the company may close, and my intake of fruit punch and the quality of my camera gear would increase.
III. Risk Evaluation
Risk evaluation is about reviewing your analysis against a set of pre-established risk criteria; think of your risk matrix here. Where your risk falls in that matrix determines what steps you take next. In our example it's going to fall into the "highly unlikely" category, with a "we'll worry about it if it ever happens" approach. It's fair to say that the vast majority of the risks in your Information Security Management System are not going to fall into a category like this!
Step 3: Treat your Risks with Controls
This step in your ISO27001 ISMS process is about picking and implementing the right options for addressing the risks that you have identified. It may well be an iterative process of coming up with treatment options, implementing them, reviewing their effectiveness and then trying to improve them (it's another PDCA loop!). The aim, of course, is to reduce the risk, so if your risk item started out at, say, 25 (really high) on your risk matrix, you may be happy getting it down to, say, 15 (medium) or 10 (medium low).
Step 4: Communicate and Review
These are critical steps in your process. Once you have decided what the treatments / controls are, you need to tell people about them, and you need to ensure that training is in place so that the controls can be effective and not just something you wrote down.
To make sure that things actually work as designed, you need to carry out regular reviews of your controls. The frequency of these reviews of your ISO27001 system is determined by you on (you guessed it) a risk-based approach: high-risk items would be reviewed more often than low-risk ones, for example. You should document your review frequency criteria so that it can be understood.
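As an added illustration (not part of the original post), the scoring, treatment and review steps above as a small Python risk register. The 1-5 likelihood and impact scale, the band thresholds, the review intervals and the sample risks are all assumptions chosen so the scores follow the article's 25, 15, 10 walk-through.

```python
# Added example, not from the original post. Risk score = likelihood x impact on a
# 5x5 matrix (so 25 is the worst case); the band decides treatment urgency and
# how often the control is reviewed (step 4). Thresholds and intervals are assumptions.
from dataclasses import dataclass, field

# (minimum score, band label, review interval in days) - assumed, not from ISO 27001.
BANDS = [(20, "really high", 30), (11, "medium", 90), (6, "medium low", 180), (1, "low", 365)]


@dataclass
class Risk:
    name: str
    likelihood: int            # 1 (rare) .. 5 (almost certain)
    impact: int                # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)

    def __post_init__(self):
        for v in (self.likelihood, self.impact):
            if not 1 <= v <= 5:
                raise ValueError("likelihood and impact are scored 1-5")

    def score(self) -> int:
        return self.likelihood * self.impact


def band(score: int):
    """Step 2 (evaluation): map a score onto the pre-agreed risk criteria."""
    for threshold, label, review_days in BANDS:
        if score >= threshold:
            return label, review_days
    raise ValueError("score must be at least 1")


def treat(risk: Risk, control: str, likelihood_reduction: int = 0, impact_reduction: int = 0) -> int:
    """Step 3: record a control and lower likelihood and/or impact (never below 1)."""
    risk.controls.append(control)
    risk.likelihood = max(1, risk.likelihood - likelihood_reduction)
    risk.impact = max(1, risk.impact - impact_reduction)
    return risk.score()


def register_report(risks):
    """Step 4 view: (name, score, band, review interval) for every risk, worst first."""
    rows = []
    for r in sorted(risks, key=lambda r: r.score(), reverse=True):
        label, days = band(r.score())
        rows.append((r.name, r.score(), label, days))
    return rows


def build_sample_register():
    # Constructed sample risks; the laptop item follows the article's 25 -> 15 -> 10 path.
    laptop = Risk("Unencrypted laptop lost with client data", likelihood=5, impact=5)
    treat(laptop, "Full-disk encryption on all laptops", impact_reduction=2)  # 25 -> 15
    treat(laptop, "Remote wipe via device management", impact_reduction=1)    # 15 -> 10
    whiteboard = Risk("Project details left on meeting-room whiteboard", likelihood=4, impact=3)
    lottery = Risk("Owner wins the lottery and leaves", likelihood=1, impact=4)
    return [laptop, whiteboard, lottery]
```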
Summary
Understanding the risks in your information security management system is important for ISO27001. However, even if you don't go for ISO27001 certification, using this approach and following an ISO31000 structure will help you manage risks effectively in all areas of your organisation.