
IT GOVERNANCE | GREEN PAPER

Risk Assessment
and ISO 27001

September 2019

Protect Comply Thrive



Introduction
ISO/IEC 27001:2013, the international standard that sets out the specification for a
best-practice information security management system (ISMS), takes a risk-based
approach to information security. It requires information security controls to be
selected based on regular risk assessments to ensure those controls are relevant to
the threats the organisation faces and are tailored to its risk appetite.

According to Clause 6.1.2 of the Standard, the risk assessment process must:

• Establish and maintain information security risk criteria, including risk acceptance criteria based on the organisation’s risk appetite;
• Ensure that repeated risk assessments produce “consistent, valid and comparable results”;
• “Identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system”;
• Identify the owners of those risks; and
• Analyse and evaluate information security risks according to the criteria set earlier.

The organisation must also retain “documented information” about its risk assessment process so that it can demonstrate compliance with these requirements.

Conducting an ISO 27001-compliant information security risk assessment is a complex process that requires considerable planning, specialist knowledge and stakeholder buy-in to appropriately cover all people-, process- and technology-based risks. Without suitable guidance, this process can only be worked out through trial and error.

Purpose

To properly understand information security risk assessments, you must first understand their purpose.

Many corporate risk regimes are more of an ‘issue log’ where current topics are discussed and dealt with as part of the organisation’s corporate governance regime, and when issues are resolved, they are removed from the register.

Information security risk assessments follow a different approach. They are designed to provide an accurate snapshot of the risks facing the organisation’s information and information processing facilities. You can then use this information to select, design and implement security controls balanced with the level of risk and the cost of the control. It is fundamentally a process of managing risks rather than necessarily eliminating them.

Context

Implementing an ISO 27001-compliant ISMS typically begins with identifying the organisation’s context – its business and objectives, stakeholder needs, and legal, regulatory and contractual obligations. The risk assessment process should follow from this understanding, so the organisation can develop a security environment suited to its situation.

It is difficult to account for every eventuality, industry type, business size and situation in standards and laws, which means that security is fundamentally a moving target that is different for each organisation. A bio-tech start-up, for example, will have vastly different security requirements from those of an established corporation in the defence industry.

Security is designed on a cost-benefit basis, so it is perfectly feasible to undertake the risk assessment process and discover that you actually have ‘too much’ security. Your overall cost of security could even decrease, as long as it still meets your organisation’s needs and obligations.

For organisations pursuing certification to ISO 27001, it is important to recognise that this is awarded for having a level of information security management appropriate to the organisation, not for presenting the highest level of security control. Too much security is as bad for business as too little.

How to carry out an information security risk assessment

ISO 27000:2018 – the standard that provides definitions for key vocabulary for the ISO 27000 family of standards – defines risk assessment as the “overall process of risk identification, risk analysis and risk evaluation”. While this is a simple definition, the process itself is slightly more involved.

There are five stages to an ISO 27001 information security risk assessment:

1. Establish a risk assessment framework
2. Identify risks
3. Analyse risks
4. Evaluate risks
5. Select risk management options

This is all delivered in the context of the organisation’s wider risk framework, and its legal, regulatory and contractual environment and requirements.

The risk assessment process in ISO 27001 is supported by additional guidance in ISO/IEC 27005:2018. It is worth bearing in mind, however, that ISO 27001 permits the organisation to use any risk assessment methodology that meets a fairly simple set of requirements, so it may be worth considering alternative sources of guidance, such as BS 7799-3:2017, which includes a detailed discussion of different approaches to information security risk management.

There are two broad types of risk assessment: asset-based and scenario-based. An asset-based risk assessment examines the risk of harm to the organisation’s assets, while a scenario-based assessment determines the harm resulting from given scenarios. For most organisations new to formal risk management, an asset-based assessment is likely to be more robust and simpler to approach for information security.

1. Establish a risk assessment framework

The framework establishes the basis of the risk assessment, so it must take into account the scope of the information security project, the organisation’s needs and obligations, and the organisation’s attitude to risk.

These key elements will influence how the rest of the risk assessment is conducted. In particular, the framework should describe the following:

• The organisation’s context
This includes the organisation’s legal, regulatory and contractual obligations, its objectives both with regard to information security and business more widely, and the needs and expectations of its stakeholders.

• Risk criteria
An agreed way of measuring risks, usually according to impact and likelihood. These need to be clearly defined and widely understood so that any two risk assessments produce comparable results. However, having defined likelihood and impact criteria is only part of the story – the wider process needs to be formalised in order to produce the necessary consistent, valid and comparable results. The organisation must also establish criteria dictating when to conduct risk assessments.

• Risk acceptance criteria
Each organisation will develop its own appetite for and tolerance of risk, which will be informed by its context. The risk appetite can be used to define the risk acceptance criteria – the level at which we can simply accept a risk without needing to take any action.

2. Identify risks

For an asset-based risk assessment, risk identification can be broken down into three parts: assets, threats and vulnerabilities. ISO/IEC 27000:2018, Clause 3.6.1, Note 6 provides the explanation that “Information security risk is associated with the potential that threats will exploit vulnerabilities of an information asset or group of information assets and thereby cause harm to an organization.” As such, risks cannot exist without all of these components:

• An asset that has value and requires protection.
• A threat that can hurt it.
• A vulnerability that allows the threat to reach the asset.

The first step of risk identification is to develop an asset register for the organisation’s information assets. Like other asset registers, this will contain key information about each asset, including the assigned asset owners. It’s important to note that this does not (usually) refer to individual assets like a specific user’s desktop computer; rather, it refers to logically associated classes such as ‘laptop’ or ‘mobile phone’.

Assets can be split into multiple types to ensure that all relevant assets are identified and their owners defined. It is the asset identification process that ensures that everything of value to the organisation is identified and that information security goes beyond just technological assets.

Asset types to consider include:

• Information and data – including both hard copy and digital records.
• Hardware and software – IT assets and business applications, as well as mobile devices.
• Physical locations and storage – sites and office-based stores.
• Systems and services – power, water, gas, lifts, telephony, etc.
• People and organisations – staff, third parties, suppliers, etc.
• Intangibles – brand, reputation, share price, etc.

Clearly, assets may have multiple threats, which can in turn exploit multiple vulnerabilities. It is important to consult with asset owners to ensure that the risks identified are relevant so they can be treated appropriately.

Where organisations may not have established asset owners in the first instance, experience suggests taking a common-sense approach (like the HR manager owns the staff assets, the facilities manager owns the physical assets, and so on).

3. Analyse risks

Once all risks have been identified, the next stage is to analyse them. For each risk you identify, you should be able to assess the likelihood of each threat exploiting each individual vulnerability and the harm that could occur, and assign them a score or value, which are defined by the risk criteria. Risks are the product of business consequence and probability, or impact and likelihood. This is where most risk assessments differ in their methodology: scoring the risk.

It is also important to remember that this is an information security risk assessment, so it is the harm to the confidentiality, integrity and/or availability of information (and information processing facilities) that is of interest.

Generally speaking, an organisation must define impact and likelihood levels that are relevant to the business. ISO 27001 and ISO 27005 do not state whether these levels should be quantitative or qualitative, high to low, 1 to 5, 1 to 100, or otherwise. What is important is that people understand the scoring in business terms, and that they are consistently applied.

When deciding how to describe these levels of impact and likelihood, it is important to avoid subjective terms like ‘high’ and ‘low’. Terms like this can be interpreted differently by different people, so they can result in inconsistent risk assessments – of course, you can still use these terms, but they should be backed up with clearly defined parameters. As mentioned earlier, the risk criteria need to be clearly defined and understood.

When risk owners say that they will accept a risk of, for example, 9, they must be prepared to accept a business situation – such as ‘the loss of £100,000 every year’ – rather than the less relevant ‘impact of 3, likelihood of 3’. In practice, there is often a link between impact and threat, and vulnerability and likelihood, as similar threats tend to have similar impacts on a business, and similar vulnerabilities produce similar likelihoods.

Impact types could include human, financial, legal, regulatory, reputational and operational.

Likelihood factors could include frequency of occurrence, previous occurrence, current levels of security control, size of attack group and knowledge of vulnerability.

4. Evaluate risks

Once you have analysed your risks, you need to evaluate them against your risk acceptance criteria. Only once you have done this can you decide the appropriate way to treat each risk and the priorities for doing so. It is particularly important to identify whether or not the risk falls within or outside your risk acceptance criteria.

The risk analysis and evaluation are often presented in terms of a simple chart or matrix that combines likelihood and impact, and is colour-coded to identify acceptable risk, moderate risk and unacceptable risk. For instance:

Figure 1: Example likelihood-impact criteria table
[Figure 1: a 5 × 5 matrix with Likelihood (1 to 5) on the vertical axis and Impact (1 to 5) on the horizontal axis; risk C is plotted in the likelihood 4 row, risk A in the likelihood 3 row and risk B in the likelihood 2 row.]

In Figure 1, risk A falls within the risk acceptance criteria, while risks B and C do not, so the organisation will need to make decisions about how to manage those risks.

5. Select risk management options

Once all risks have been scored and ordered by priority, the next step is to decide how to handle and manage them. The most common responses are:

• Modify the risk, normally by applying security controls that will reduce likelihood and/or impact.
• Retain the risk – accept that it falls within previously established risk acceptance criteria, or via extraordinary decisions.
• Avoid the activity or circumstance causing the risk, for example by not carrying out the activity or by changing locations.
• Share the risk with a partner such as through insurance or by outsourcing to a supplier that can better manage the risk.

The risk management option is typically selected based on the risk level determined by analysing the likelihood and impact of the risk. So risk A in the example is acceptable and can be retained, B should likely be modified to reduce either the likelihood or impact, and C might be best avoided as any other option will be too costly. Of course, there may be no definite correlation between the likelihood and impact of the risk and the cost of treating it. It is entirely likely that it is simpler to avoid B and treat C simply because it is too costly to treat B.

In practice, ‘avoid’ is often not chosen as a response to risks for the simple reason that the affected process or system simply cannot be terminated. This does not mean that you cannot respond to the risk – you can (and likely should) apply controls to reduce the risk.

ISO 27000 also suggests that the organisation might consider “taking or increasing risk in order to pursue an opportunity”. This choice is relevant to ISO 27001, as one of the definitions for risk that it uses states that a risk is “a deviation from the expected – positive or negative”.

Equally, some risks might be accepted even if they fall outside the risk acceptance criteria, for instance if the risk is related to a critical business activity and cannot be affordably treated. In such cases, the organisation would not be able to function without accepting that there will be some residual risk.

ISO 27001 requires all risks to have an owner who will be responsible for approving any risk treatment plans and accepting the level of residual risk. The person who owns risk treatment activities may be different from the asset owner.
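As an added worked example (not code from the paper or from IT Governance), the following Python risk register carries stages 3 to 5 through in code: it scores each asset/threat/vulnerability risk as likelihood × impact on 1-to-5 scales, evaluates the score against risk acceptance criteria, and proposes a default treatment option. The three risks, their owners, the impact positions, the band thresholds (accepted up to 9, moderate up to 14, unacceptable from 15) and the band-to-option mapping are all constructed assumptions; only the 1-to-5 scales, the A/B/C references with their likelihood rows from Figure 1, and the outcome that A is acceptable while B and C are not come from the paper.

```python
"""Likelihood x impact risk register (added example, not from the paper).

Each (asset, threat, vulnerability) risk is scored as likelihood * impact on
1-5 scales, evaluated against constructed risk acceptance criteria, and mapped
to a default risk management option.
"""
from dataclasses import dataclass

SCALE = range(1, 6)  # likelihood and impact are both scored 1 (low) to 5 (high)

# Constructed risk acceptance criteria: a score of 9 or below is accepted
# (echoing the paper's "accept a risk of, for example, 9"), 10-14 is moderate,
# 15 and above is unacceptable. An organisation sets these from its risk appetite.
ACCEPT_MAX = 9
MODERATE_MAX = 14


@dataclass(frozen=True)
class Risk:
    ref: str            # reference plotted on the matrix
    asset: str          # asset class from the asset register, e.g. 'laptop'
    owner: str          # risk owner who approves treatment and residual risk
    threat: str
    vulnerability: str
    likelihood: int     # 1-5 per the framework's likelihood criteria
    impact: int         # 1-5 per the framework's impact criteria

    def __post_init__(self):
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.ref}: likelihood and impact must be 1-5")

    @property
    def score(self) -> int:
        # Risk is the product of likelihood and impact (the paper's definition)
        return self.likelihood * self.impact


def band(score: int) -> str:
    """Evaluate a score against the (constructed) risk acceptance criteria."""
    if score <= ACCEPT_MAX:
        return "acceptable"
    if score <= MODERATE_MAX:
        return "moderate"
    return "unacceptable"


def default_option(risk: Risk) -> str:
    """Starting point for the treatment decision; the risk owner decides.

    Treatment cost, not the score alone, may drive the final choice, so this
    mapping is only a default and is a constructed assumption."""
    b = band(risk.score)
    if b == "acceptable":
        return "retain"
    if b == "moderate":
        return "modify"        # apply controls to reduce likelihood and/or impact
    return "avoid or share"    # stop the activity, or transfer it to a partner


def matrix(risks) -> str:
    """Render the likelihood-impact matrix with risk refs plotted in their cells."""
    cells = {(r.likelihood, r.impact): r.ref for r in risks}
    lines = ["L\\I  " + "".join(f"{i:>4}" for i in SCALE)]
    for lk in reversed(SCALE):                      # likelihood 5 at the top
        row = "".join(f"{cells.get((lk, im), '.'):>4}" for im in SCALE)
        lines.append(f"{lk:>3}  {row}")
    return "\n".join(lines)


def evaluate(risks) -> dict:
    """Return {ref: (score, band, default option)} ordered by score, highest first."""
    ordered = sorted(risks, key=lambda r: r.score, reverse=True)
    return {r.ref: (r.score, band(r.score), default_option(r)) for r in ordered}


# Constructed sample register. Likelihood rows follow Figure 1 (C=4, A=3, B=2);
# impact values are chosen so that A is accepted while B and C are not.
SAMPLE_REGISTER = [
    Risk("A", "laptop", "IT manager", "theft", "unencrypted disk", likelihood=3, impact=2),
    Risk("B", "HR records", "HR manager", "disclosure", "over-broad share permissions", likelihood=2, impact=5),
    Risk("C", "payment system", "Finance director", "ransomware", "unpatched server", likelihood=4, impact=4),
]

if __name__ == "__main__":
    print(matrix(SAMPLE_REGISTER))
    for ref, (score, b, option) in evaluate(SAMPLE_REGISTER).items():
        print(f"{ref}: score={score:>2}  {b:<12}  default option: {option}")
```

Running the module prints the matrix with A, B and C in their cells and then the register ordered by priority (C, B, A). The function is deliberately named `default_option` rather than `treatment`: as the paper notes, it may be cheaper to avoid B and treat C, so the score only ranks the risks and the owner's decision stays outside the code.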

Applying information security controls

Where there is a need to modify a risk, you need to determine what control (or controls) will be needed to bring it into an acceptable level.

While you can design your own controls or select them from any standard or scheme, Annex A of ISO 27001 provides a set of 114 controls across 14 distinct domains, all based on best practice. Once you have determined what controls you think are necessary, you are required to review your selection against the Annex A controls to ensure you have not omitted anything.

The controls in Annex A are neither mandatory nor exhaustive. This means that organisations with differing risks will apply these controls in different ways or to different levels.

Although ISO 27001 does not require you to use the Annex A controls exclusively, you do have to check the controls you select from elsewhere against those in Annex A to confirm that you have considered a broad range of best-practice controls.

Having selected your controls, you need to produce a Statement of Applicability (SoA). This is one of the most important ISO 27001 documents because, along with your scope statement, it provides internal and external stakeholders with high-level information regarding what information security controls you have selected and which of these are actually implemented. It should:

• Describe the controls you selected to address the risks you identified;
• Explain why you selected them;
• State whether or not they have been implemented; and
• Explain why any ISO 27001 Annex A controls have been omitted.

There will be at least 114 entries in your SoA – one for each Annex A control. The SoA is a public document that external interested parties can request to see as it forms part of the basis of certification. It should not contain information that you do not want the outside world to see (links to internal documents, information about how you have implemented a control, and so on). You might develop an ‘internal only’ version of the document that includes extra information about each control and links to relevant documentation.

A risk assessment report can be very long, so an SoA is a very useful document for everyday operational use – a simple demonstration that controls have been implemented and a useful link to the relevant policies, processes, and other documentation and systems that have been applied to treat each identified risk. Think of it as an index to your ISMS.

Organisations often misunderstand the nature of information security management, thinking that implementing these 114 controls will mean they are ‘100% secure’. Nothing could be further from the truth.

Applying the process

ISO 27001 sets out a broad outline of the process your organisation should follow, but not the actual practice. Each organisation should design, implement and operate a process suited to their needs that also meets the requirements of ISO 27001.

This is, of course, a large project, and many organisations will seek out tools and services to ease their way through it.

Useful risk management resources

ISO/IEC 27005:2018 Standard
ISO/IEC 27005:2018 is the international standard that provides guidelines for information security risk management, and is applicable to all types of organisations.

Information Security Risk Management for ISO 27001/ISO 27002
This book provides practical guidance on implementing an ISO 27001-compliant information security and risk management system, covering risk assessment methodologies, risk treatment and the selection of controls, and more.

vsRisk
Simplify and speed up the ISO 27001 risk assessment process with vsRisk, a Cloud-based information security risk assessment tool developed by industry-leading experts that helps you produce accurate, auditable and hassle-free risk assessments year after year.

Vulnerability Scan
This service will conduct a fast, fully automated external vulnerability scan of your Internet-facing IT assets, helping you quickly identify vulnerabilities in your websites, applications and infrastructure, so you can take swift action to mitigate them before criminals exploit them.

Certified ISO 27005 ISMS Risk Management Training Course
Learn how to conduct an information security risk assessment from start to finish with this specialist-led three-day course, covering practical risk management methodologies, including ISO 27005 and other risk management techniques.

Managing Cyber Security Risk Training Course
Drawing on real-life case studies, this practical three-day course is designed to help practitioners formulate plans and strategies for improving cyber security risk management in their organisation. Learn in a classroom, or train without travel in our instructor-led online course.

IT Governance solutions

IT Governance is your one-stop shop for cyber security and IT governance, risk management and compliance (GRC) information, books, tools, training and consultancy.

Our products and services are designed to work harmoniously together so you can benefit from them individually or use different elements to build something bigger and better.

Books
We sell sought-after publications covering all areas of corporate and IT governance. Our publishing team also manages a growing collection of titles that provide practical advice for staff taking part in IT governance projects, suitable for all levels of knowledge, responsibility and experience.
Visit www.itgovernance.co.uk/shop/category/itgp-books to view our full catalogue.

Toolkits
Our unique documentation toolkits are designed to help organisations adapt quickly and adopt best practice using customisable template policies, procedures, forms and records.
Visit www.itgovernance.co.uk/documentation-toolkits to view our toolkits.

Training
We offer training courses from staff awareness and foundation courses, through to advanced programmes for IT practitioners and certified lead implementers and auditors.
Our training team organises and runs in-house and public training courses all year round, as well as instructor-led and self-paced online training courses, covering a growing number of IT GRC topics.
Visit www.itgovernance.co.uk/training for more information.

Consultancy
We are an acknowledged world leader in our field. Our experienced consultants, with multi-sector and multi-standard knowledge and experience, can help you accelerate your IT GRC projects.
Visit www.itgovernance.co.uk/consulting for more information.

Software
Our industry-leading software tools, developed with your needs and requirements in mind, make information security risk and compliance management straightforward and affordable for all, enabling organisations worldwide to be ISO 27001-compliant.
Visit www.itgovernance.co.uk/shop/category/software for more information.

IT Governance is the one-stop shop for cyber security, cyber risk and privacy management solutions. Contact us if you require consultancy, books, toolkits, training or software.

t: +44 (0)333 800 7000
e: servicecentre@itgovernance.co.uk
w: www.itgovernance.co.uk

A GRC International Group plc subsidiary

IT Governance Ltd
Unit 3, Clive Court, Bartholomew’s Walk
Cambridgeshire Business Park, Ely
Cambs., CB7 4EA, United Kingdom

@ITGovernance
/it-governance
/ITGovernanceLtd

© 2003–2020 IT Governance Ltd
