ISO 27001/BS 25999 documents, presentation decks and implementation guidelines



Top 10 information security blogs

By Dejan Kosutic on May 07, 2012

There is a huge amount of information about information security on the Internet, so it is really difficult to stay informed about really relevant stuff. This is why I made this list – I wanted to offer a list of independent, expertly written and up-to-date blogs that will keep you right on track.

The blogs are listed alphabetically:

Information Security Blog by Anton Chuvakin (http://blogs.gartner.com/anton-chuvakin)

Security topics including SIEM, log management, compliance, vulnerability management and cloud security.

IT Security Blog by Mark Brooks (http://www.wmarkbrooks.com/)

This blog focuses on strategies and information security programs that protect high-value information assets such as intellectual property, trade secrets, and privacy data.

Krebs on Security by Brian Krebs (http://krebsonsecurity.com/)

This blog features posts on a number of recurring themes, including online crime investigations, the latest threats, security updates, data breaches, and cyber justice.

Lenny Zeltser on Information Security (http://blog.zeltser.com/)

Presents a unique perspective on information security, based on the author’s broad experience in IT, business and malware combat. The blog covers several infosec topics, including incident response, malicious software and risk management.

Mind Streams of Information Security Knowledge by Dancho Danchev (http://ddanchev.blogspot.com/)

This blog covers trends and fads, tactics and strategies, intersecting with third-party research, speculations and real-time CYBERINT assessments, all packed with a sarcastic attitude. The blog offers timely, insightful and independent open-source intelligence (OSINT) analyses for maintaining the situational awareness needed to stay on top of emerging security threats.

Network Security Blog by Martin McKeay (http://www.mckeay.net/)

Views on security, privacy and anything else that catches the author’s attention.

Privacy and Information Security Law Blog (http://www.huntonprivacyblog.com/)

This blog covers an important aspect of information security rarely covered in other blogs – privacy and information security law updates and analysis.

Schneier on Security by Bruce Schneier (http://www.schneier.com/)

A blog covering security and security technology – the author explains, debunks, and draws lessons from security stories that make the news.

Security Affairs by Pierluigi Paganini (http://securityaffairs.co/wordpress/)

This daily-updated blog covers all areas of the security sphere. Its aim is to make security accessible to professionals and laymen alike, with objective judgment on the main security events and specific attention to cyber warfare, cyber crime and hacking.

TaoSecurity by Richard Bejtlich (http://taosecurity.blogspot.com/)

TaoSecurity is one of the original security blogs – it will soon be ten years old. It focuses on incident detection and response for targeted threats, with emphasis on Chinese intruders.

And by the way, Security Bloggers Network (http://www.securitybloggersnetwork.com/) offers links to over 100 information security blogs.



The documentation myth – Why the templates are not enough?

By Dejan Kosutic on April 24, 2012

I noticed that many people running ISO 27001 projects (see http://www.iso27001standard.com/en/what-is-iso-27001) who have downloaded documentation templates think: “I have the templates now – the rest is easy. I’ll write a few documents, show them to the auditor, and it’ll be over in a few days.”

Unfortunately, it’s not that easy. Here’s why:

1. Writing the documentation requires time and effort

You shouldn’t write the documents just for the auditor to read them – you should write them because you want to define some rules for your organization.

But if you want your documentation to be useful, you have to adapt it to the realistic needs of your company. It probably doesn’t make sense to create a rule to change passwords every month, but it might make sense to change them every 3 or every 6 months – so you have to find out what is appropriate for your level of risk and for your organization.

Further, some documents are rather complex and require certain knowledge to write – for example, before you can perform the risk assessment you first need to write the Risk assessment methodology. If that methodology is not suited to your organization, the employees doing the risk assessment may spend an enormous amount of time on it, only to realize that it could have been done much more quickly and efficiently. On the other hand, you may choose to take shortcuts, and by doing so omit some of the requirements of ISO 27001, with the result that you fail the certification audit.

So you need to invest time and effort in your education, and in the analysis of your company.

2. Documentation without implementation is nothing

Once you finish writing, you realize the documentation doesn’t make any sense if those rules are not really applied in your organization. In other words, having perfect documents alone isn’t going to raise your level of security.

But the problem is – if you want to implement new rules, you have to change habits in your organization. And changing habits isn’t easy, especially if it means restricting the freedom that employees enjoyed until now (and this is what security rules usually do). Taking again the example of password policy – if no such rule existed before and suddenly you ask your employees to change passwords every 3 months, they certainly won’t be happy. Moreover, they will look for ways to avoid such a rule.

So, besides making sure these rules make sense from a security point of view, you have to explain to your employees why they are necessary, and in the case of more complex rules you will also have to explain how to follow them. These are called awareness and training programs; without them there is a high chance that your employees will simply reject the change. And these programs also require time and effort.

3. Maintenance is often neglected

Most companies that have completed the documentation and implemented all the rules and processes then start forgetting about the documentation – new issues keep occurring that change how things are done, but this is not reflected in the documents. As a consequence, more and more people notice that the documents are not usable anymore, and this in turn results in fewer and fewer people adhering to them.

This happens if no one is in charge of documentation maintenance – good practice says that for each document an ‘owner’ should be designated, a person who is responsible for keeping it up-to-date. But again – this requires time and effort.

Therefore, purchasing your documentation templates is not the end of your information security journey – it is just the beginning.

You can also check out our series of video tutorials for ISO 27001 implementation which explain how to fill in the documentation templates (commercially sold videos).




ISO 27001 control objectives – Why are they important?

By Dejan Kosutic on April 10, 2012

Peter Drucker (one of the most influential thinkers on the subject of management theory) said “What gets measured gets managed”. The same goes for information security – if you don’t know how well you are doing, you’ll have a very difficult time steering your information security in the desired direction.

And it is exactly this ‘desired direction’ that is an essential part of measurement – setting the objectives. Only if you know exactly what you want to achieve, will you be able to know how far or how close you are to actually achieving it. Equally important – you’ll be able to answer your management’s question: “Did our investment in security pay off?”

Measurement in ISO 27001

Those of you who know the philosophy of ISO 27001 know that the so called PDCA management cycle (Plan-Do-Check-Act) is the foundation of this standard.

The concept of measurement is also best explained through this PDCA cycle:

  • In the Plan phase you need to set the objectives (ISO 27001 4.2.1 b) 1) and 4.2.1 g)),
  • In the Do phase you must work out how to measure the extent to which your objectives are achieved (ISO 27001 4.2.2 d)),
  • In the Check phase you need to start the actual measurement (ISO 27001 4.2.3 c)), and finally
  • In the Act phase, once you realize you haven’t achieved your objectives (which is very often the case), you need to make the necessary improvements (ISO 27001 4.2.4 d)).

And ISO 27001 requires at least two different levels of objectives to be set:

  1. Objectives for the whole Information Security Management System (ISMS) – ISO 27001 4.2.1 b) 1), and
  2. Objectives for each security control (safeguard) – ISO 27001 4.2.1 g)

Of course, depending on the size and complexity of your organization, you can choose to add another layer of objectives – e.g. at the level of individual organizational units (departments, etc.)

How to set (measurable) security objectives

My clients always ask me “OK, but how can I measure my backup, or my firewall?”. The secret lies in setting objectives which are easy to measure – you might have heard of the S.M.A.R.T. concept: objectives need to be Specific, Measurable, Achievable, Relevant, and Time-based.

So, what would it look like for the firewall? Something like ‘We want our firewall to stop 100% of unwanted network traffic’. Is it measurable? Yes – you will find out, sooner or later, whether some unwanted traffic has passed through the firewall.

Another example – backup. The objective could be ‘We want to limit our loss of data to a maximum of 6 hours.’ Measurable? Yes – and you don’t have to wait for data loss to happen; you can test your backup and see how much of the data you can restore.

An example of the objective for the whole ISMS could be ‘We want to decrease the number of information security incidents by 50% in the next year’. Again, pretty specific and therefore measurable.
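The three objectives above (firewall, backup, ISMS-wide incident count) can be measured mechanically once you decide what evidence counts. The following script is an added example, not code from the original post or its author; the firewall log lines, backup completion times, incident counts and the allowed-port policy are all constructed for illustration. Each function returns a Result that records the measured value, the target and whether the objective was achieved, which is the shape a Check-phase report needs.

```python
"""Measuring three ISMS objectives against sample evidence (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Result:
    objective: str
    measured: float   # value observed from the evidence
    target: float     # value the objective demands
    achieved: bool


# Objective 1 (control level): "stop 100% of unwanted network traffic".
# Constructed firewall log lines; only dport and action are used.
FIREWALL_LOG = [
    "2012-04-01T10:00:01 src=203.0.113.5 dst=192.0.2.10 dport=22 action=DROP",
    "2012-04-01T10:00:02 src=198.51.100.7 dst=192.0.2.10 dport=443 action=ACCEPT",
    "2012-04-01T10:00:03 src=203.0.113.9 dst=192.0.2.10 dport=3389 action=ACCEPT",
    "2012-04-01T10:00:04 src=203.0.113.5 dst=192.0.2.10 dport=23 action=DROP",
]
ALLOWED_PORTS = {443}   # constructed policy: only HTTPS is wanted inbound


def firewall_objective(log_lines, allowed_ports):
    """Share (in %) of unwanted connections, i.e. ports outside policy, that were dropped."""
    unwanted = blocked = 0
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        if int(fields["dport"]) not in allowed_ports:
            unwanted += 1
            if fields["action"] == "DROP":
                blocked += 1
    measured = 100.0 * blocked / unwanted if unwanted else 100.0
    return Result("firewall blocks 100% of unwanted traffic", measured, 100.0, measured >= 100.0)


# Objective 2 (control level): "loss of data is at most 6 hours".
# Constructed completion times of successful backups over one day.
BACKUP_TIMES = [
    datetime(2012, 4, 1, 0, 0),
    datetime(2012, 4, 1, 4, 0),
    datetime(2012, 4, 1, 8, 0),
    datetime(2012, 4, 1, 16, 0),
]


def backup_objective(backup_times, max_loss=timedelta(hours=6)):
    """Worst-case data loss is the longest gap between consecutive successful backups."""
    times = sorted(backup_times)
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    worst = max(gaps) if gaps else timedelta(0)
    hours = worst.total_seconds() / 3600
    return Result("data loss at most 6 hours", hours, max_loss.total_seconds() / 3600, worst <= max_loss)


# Objective 3 (ISMS level): "decrease the number of incidents by 50% in the next year".
INCIDENTS = {2011: 24, 2012: 10}   # constructed yearly incident counts


def incident_objective(counts, baseline_year, target_year, reduction_pct=50.0):
    """Percentage reduction in incidents relative to the baseline year."""
    base, now = counts[baseline_year], counts[target_year]
    measured = 100.0 * (base - now) / base
    return Result(f"incidents down {reduction_pct:.0f}% vs {baseline_year}", measured, reduction_pct, measured >= reduction_pct)


def measure_all():
    """Check-phase report: one Result per objective."""
    return [
        firewall_objective(FIREWALL_LOG, ALLOWED_PORTS),
        backup_objective(BACKUP_TIMES),
        incident_objective(INCIDENTS, 2011, 2012),
    ]


if __name__ == "__main__":
    for r in measure_all():
        status = "ACHIEVED" if r.achieved else "NOT achieved"
        print(f"{r.objective}: measured {r.measured:.1f}, target {r.target:.1f} -> {status}")
```

With the constructed data the firewall objective fails (an RDP connection on port 3389 was accepted, so only two of three unwanted connections were dropped), the backup objective fails (an 8-hour gap between backups), and the incident objective is met (a 58% reduction). Failing objectives are exactly what the Act phase is for; the point of measuring is to find them before an auditor or an incident does.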

Objectives should help you manage your security…

Setting the objectives and measuring them is a rather new and unexplored aspect of information security. It is very often considered as an overhead because of the lack of knowledge in the first place, not so much because of practical reasons.

But nowadays there is more and more literature on this topic (ISO 27004 standard being one of the best sources) and an increasing number of information security practitioners with experience in this field, so measurement is slowly making its way into information security mainstream.

To finish this post with another quote – “If you don’t know where you’re going, you’ll probably end up somewhere else.” Don’t let that happen to you.

You can also check out our webinar ISO 27001 and ISO 27004: How to measure the effectiveness of information security? (commercially sold training).


ISO 27001 certification for persons vs. organizations

By Dejan Kosutic on March 26, 2012

Very often when I deliver free webinars on the topic of ISO 27001 certification, I notice that quite many people expect help with their personal certification related to ISO 27001 while the webinar is focused on certification of organizations.

This kind of misunderstanding is not entirely unexpected since many certifications in the security domain (e.g. CISSP, CISA, CISM) are focused on the certification of persons, and have nothing to do with organizations.

So, is ISO 27001 certification intended for organizations or persons? Actually, both.

Certification of organizations

ISO 27001 is a management standard that was initially designed for the certification of organizations. The system works like this: companies (or any other type of organization) develop their Information Security Management System (ISMS), which consists of policies, procedures, people, technology, etc., and then invite a certification body to check whether their ISMS is compliant with the standard – this check is done during the so-called certification audit.

If the certification audit is successful, the certification body will issue a certificate which will state that the organization in question is compliant with ISO 27001.

In this case the employees working at that organization are not certified, although it has been confirmed they behave according to the standard. To read more about certification of organizations read this article Becoming ISO 27001 certified – How to prepare for certification audit.

Certification of persons

However, the whole industry related to ISO standards (certification bodies, consultants, training institutions, etc.) soon realized that if there are no qualified employees who would develop and maintain the management system, the whole concept would fail.

Therefore, very much like ISO 9001, ISO 14001 and other management standards, various trainings have been developed for individuals that need to get education for ISO 27001. There are now dozens of different trainings for individuals lasting from a few hours to a few weeks – for an overview read this article: How to learn about ISO 27001 and BS 25999-2. The most recognized trainings are ISO 27001 Lead Auditor Course and ISO 27001 Lead Implementer Course, but only for the former an internationally recognized certificate is issued (under the accreditation of institutions like IRCA or RABQSA).

This way the individuals that attend the training and pass the exam obtain the certificate that is issued to their name. But even if all the employees at a company were certified, this still doesn’t mean that the company itself would get the certificate – there is quite a big difference between certification of persons and organizations.

So ISO 27001 does offer various possibilities for certification, unlike any other standard in the security domain. The best, of course, would be to pursue both certifications – certify your personnel so that they can help your organization develop and maintain an adequate level of security, and certify your company so that the training of the individuals is done systematically and according to realistic security needs.

You can also check out our series of ISO 27001 webinars that will teach you the basics of ISO 27001.


Lessons learned from ISO 27001 implementation

By Dejan Kosutic on March 12, 2012

Many readers of this blog asked me to present a real-life experience of ISO 27001 implementation in a company. Since I would be too subjective if I started writing my own impressions, I decided to interview my clients – Dragomir Perica and Ivancica Ljubic from Dabar informatika d.o.o., a company specialized in banking software development, with presence in South East Europe.

Q: Why did you start the ISO 27001 project?

A: The first reason is because the Croatian National Bank (regulator of the banking market) required us to do it – to comply with the best security standards. The second reason is that we wanted to do it because it makes perfect sense in our case – we wanted to brush up things in our company. For example, among other things, we are promoting security features to our clients, so it is important for us to act in the same fashion; besides, our IT personnel needs to perform a lot of tasks, so it is important to define rules to avoid the situations where big problems could occur.

Q: What were you most afraid of when you started the project?

A: How much time it would take, how much the existing system would be usable, and overhead. Regarding the time, we were afraid of how much time our team would need to invest in such an implementation, and how much time we (the top management) would need to spend on it. We were also afraid of the gaps we would find between what we have already developed against what the standard requires. Maybe the greatest concern was that the standard requires quite a few documents, so the challenge was how to align those documents with our way of doing business, without getting new and unnecessary tasks – we had this negative experience with ISO 9001 implementation, where we had to write some documents because of the standard itself, with no practical use.

Q: So did ISO 27001 bring you the overhead?

A: No, or to be more precise – the overhead is considerably lower than with ISO 9001. In the case of ISO 27001 we have managed to avoid it because we have set the processes and the documentation in a useful way.

Q: What were the greatest problems in the ISO 27001 implementation?

A: Not knowing the scope of what ISO 27001 really requires – what we were expected to do; or in other words – we didn’t know whether we were going to build a skyscraper, or a small family house. We also didn’t expect the theoretical approach required for the risk assessment, we lost quite a lot of time on it – until then we always dealt with the practical things, we never had to consider security on a conceptual level. As a consequence, in the beginning we didn’t do the risk assessment right.

Q: Why didn’t the risk assessment start well?

A: Not to go into details, let’s just say that we (the top management) didn’t pay enough attention to it – obviously, such a process couldn’t be done without our direct involvement because we were the only ones with a broader picture of the company, and we could make some crucial decisions.

Actually, we feel the whole project started moving much more smoothly after we started investing more time into it. Besides, during the project we understood that it really doesn’t make sense to skip the steps you suggested to us – e.g. it doesn’t make sense to implement controls before the risk assessment is done properly. We realized this after we skipped some steps and lost sight of the process.

Q: Do you think it would be better to let a consultant write the whole documentation, or should the company’s employees run the project and write the documentation themselves?

A: An outsider – a consultant or anyone else – cannot do it. Because then such documentation would be only superficial and we would never start living with it. Someone from the outside cannot know precisely how things work in a company, what is good and what is bad.

Although, since we had no experience in such a project, we wouldn’t be able to finish it without outside help – we liked your approach where you were guiding us through all the steps, and it was us who managed the project and the documentation. It was a good experience to have someone with a fresh eye to help us fill in all the gaps.

Q: What was the greatest surprise in the project?

A: Actually, there was none – we knew we had to formalize our system and that is what we have done.

Q: Which part of the project required the largest investment?

A: Involvement of the top management. We had to invest some time into this project, which means we had to postpone some other activities; on the other hand, if we hadn’t got involved, the project would have lasted much longer and therefore the cost would have been even higher. The investment in an alternative/backup location would have been the greatest, but since we already did it 2 years ago, almost no new equipment was needed for this project.

Q: What is your greatest challenge now that the implementation project is finished?

A: Having to live with this system. For example, we have 5 new young employees, who have no experience in security – we have to teach them to operate according to the standard. And that is difficult – it is much easier to explain it to someone with 20 years of experience, but when young people need to start working with all these documents, it is a great challenge that they do not experience it as a prison sentence.

Q: How to achieve that?

A: Continuing training. They will eventually become very good – after 6 months they will know it as well, if not better, than people who have worked with these documents for 15 years. They will learn how to work properly, but it takes quite a lot of time.

Q: When you draw the line, do you think ISO 27001 implementation has paid off?

A: Definitely. It has paid off because we found our own mistakes and corrected them. We are now much more satisfied with ourselves and with the work we do. Also, we have regular audits from our clients (banks) – when they come, we have nothing to be afraid of. A real stress relief.

You can also check out our ISO 27001 Online Mentoring (commercially sold online service).


How to become ISO 27001 Lead Auditor

By Dejan Kosutic on February 27, 2012

Many people think that just by attending the ISO 27001 Lead Auditor Course they have become the ISO 27001 Lead Auditor. Well, this is not entirely true.

This article will show the steps you need to take if you want to work as an auditor for a certification body. If you want to work as an internal auditor, you basically do not need the Lead Auditor Course or anything else mentioned here – you can perform internal audits by just proving you have enough experience and knowledge. To learn more about internal audits read this article Dilemmas with ISO 27001 & BS 25999-2 internal auditors.

Steps for becoming the ISO 27001 Lead Auditor

So, if you want to become lead auditor, here is what ISO 27006 (standard that defines the requirements for certification bodies) requires:

  1. Prior experience – You need to have at least four years of experience in information technology, of which at least two years on a job related to information security.
  2. Pass the exam – The ISO 27001 Lead Auditor Course lasts 5 days, and on the fifth day you need to pass the written exam. Therefore, you need to invest considerable effort, not only by studying for the exam but also for attending the full 5 days of the course (if you miss a single day you will not be permitted to take the exam).
  3. Find a certification body – You need to find a certification body which needs an ISO 27001 certification auditor – that may prove to be a difficult task, since most of the certification bodies already have their auditors.
  4. Go through training – When you find the certification body which is interested, this doesn’t mean you’ll start auditing tomorrow – ISO 27006 requires you to go through a trainee program (or similar) during which you will attend real certification audits (done by more experienced colleagues) where you will learn how to perform such audits. Usually, this trainee period lasts 20 audit days after which you’ll be entitled to perform ISMS audits as part of the audit team.
  5. Gain audit experience – To become the ISO 27001 Lead Auditor, i.e. to lead a team of auditors performing ISO 27001 audit, you need to have experience in at least three complete ISMS audits.

After you finish all these steps, you will be able to perform the ISMS audits as the team leader. So, the ISO 27001 Lead Auditor Course is just the beginning of your journey…

You can also check out our ISO 27001 Lead Auditor Course preparation training – a webinar which describes the details of the course and helps you prepare for the exam (commercially sold online training).


Why is residual risk so important?

By Dejan Kosutic on February 13, 2012

The term ‘residual risk’ is mandatory in the risk management process according to ISO 27001, but it is unfortunately very often used without appreciating the real meaning of the concept.

What is residual risk?

According to ISO 27001, residual risk is “the risk remaining after risk treatment”.

Here is how it works: first you have to identify the risks, and then you need to mitigate the risks you find unacceptable (i.e. treat them). Once you treat the risks, you won’t completely eliminate all the risks because it is simply not possible – therefore, some risks will remain at a certain level, and this is what residual risks are. The point is, the organization needs to know exactly whether the planned treatment is enough or not.

Residual risks are usually assessed in the same way as you perform the initial risk assessment – you use the same methodology, the same assessment scales, etc. What is different is that you need to take into account the influence of controls (and other mitigation methods), so the likelihood of an incident is usually decreased and sometimes even the impact is smaller.

For more information about the risk management process read ISO 27001 risk assessment & treatment – 6 basic steps.

How is it related to acceptable level of risk?

I mentioned that the purpose of residual risks is to find out whether the planned treatment is sufficient – the question is, how would you know what is sufficient? This is where the concept of acceptable level of risks comes into play – it is nothing else but deciding how much ‘risk appetite’ an organization has, or in other words whether the management thinks it is fine for a company to operate in a high-risk environment where it is much more likely that something will happen, or the management wants a higher level of security involving a lower level of risk.

Both approaches are allowed in ISO 27001 – each organization has to decide what is appropriate for its circumstances (and for its budget). The former approach is probably better for high-growth startup companies, while the latter is usually pursued by financial organizations.

Residual risk management

Once you find out what residual risks are, what do you do with them? Basically, you have these three options:

  1. If the level of risks is below the acceptable level of risk, then you do nothing – the management needs to formally accept those risks.
  2. If the level of risks is above the acceptable level of risk, then you need to find out some new (and better) ways to mitigate those risks – that also means you’ll need to reassess the residual risks.
  3. If the level of risks is above the acceptable level of risk, and the costs of decreasing such risks would be higher than the impact itself, then you need to propose to the management to accept these high risks.

Such a systematic way ensures that management is involved in reaching the most important decisions, and that nothing is overlooked.

So the point is – top management needs to know which risks their company will face even after various mitigation methods have been applied. After all, top management is not only responsible for the bottom line of the company, but also for its viability.

You can also check out our Risk Assessment and Treatment Methodology which describes how to set an acceptable level of risk and how to manage residual risks (commercially sold document template).


What is the difference between Recovery Time Objective (RTO) and Recovery Point Objective (RPO)?

By Dejan Kosutic on January 30, 2012

They are both essential elements of business continuity, and they sound quite similar. But their purpose is quite different.

What is RTO?

So, what does RTO mean? BS 25999-2, a leading business continuity standard, defines RTO as “…target time set for resumption of product, service or activity delivery after an incident”.

This actually means that RTO is crucial when implementing business continuity in a company – calculating how quickly you need to recover will determine what kind of preparations are necessary. For example, if RTO is 2 hours, then you need to invest quite a lot of money in a disaster recovery center, telecommunications, automated systems, etc. – because you want to be able to achieve full recovery in only 2 hours. However, if your RTO is 2 weeks, then the required investment will be much lower because you will have enough time to acquire resources after an incident has occurred.

RTO is determined during the business impact analysis (BIA), and the preparations are defined in the business continuity strategy. See also this article Five Tips for Successful Business Impact Analysis to learn more about RTO and BIA.

What is RPO?

Recovery point objective is a totally different thing – according to Wikipedia, RPO is “… the maximum tolerable period in which data might be lost”. As this is quite difficult to grasp right away, I like to use this example instead – ask yourself: how much data can you afford to lose? If you are filling a database with various kinds of information, is it tolerable to lose 1 hour of work, 2 hours or maybe 2 days? If you are writing a lengthy document, can you afford to lose 4 hours of your work, the whole day, or perhaps you could bear losing your whole week’s work?

This number of hours or days is the RPO. Recovery Point Objective is crucial for determining one element of business continuity strategy – the frequency of backup. If your RPO is 4 hours, then you need to perform backup at least every 4 hours; every 24 hours would put you in great danger, but if you do it every 1 hour, it might cost you too much.

So, what’s the difference?

The difference is in the purpose – RTO has a broader purpose because it sets the boundaries for your whole business continuity management, while RPO is focused solely on the issue of backup frequency. They are not directly related – you could have RTO of 24 hours and RPO of 1 hour, or RTO of 2 hours and RPO of 12 hours.

But let me emphasize what is even more important: what do RTO and RPO have in common? They are both crucial for business impact analysis and for business continuity management. Without determining them properly, you would be just guessing – and guessing is the best way to ensure you never recover from a disaster.

You can also check out our Business Impact Analysis Questionnaire which describes how to gather all information necessary for RTO and RPO (commercially sold document template).


Do you really need a consultant for ISO 27001 / BS 25999 implementation?

By Dejan Kosutic on December 06, 2011

I’ve met quite a few companies considering how to start their ISO 27001 / BS 25999 project, with quite different approaches – some are convinced they can do it completely on their own (with no prior ISO 27001 knowledge), while others think they can do it only with the help of a consultant.

They are both wrong.

Road map for ISO 27001 / BS 25999 implementation

There is one thing you definitely need for the implementation – knowledge. By knowledge I mean the know-how of the implementation process, so that you don’t get stuck and waste time on irrelevant issues while forgetting the important ones. What you need are the guidelines for implementation, as well as knowledge on how to implement all the pieces of the puzzle.

This is why it isn’t possible to implement these standards with just your existing knowledge base, and it is very rare to find companies who already have experienced ISO 27001 / BS 25999 implementers.

Of course, one way to get around this is to hire a consultant. But this is not the only way – I’ll address that later.

Hiring an ISO 27001 / BS 25999 consultant – pros and cons

The biggest benefit of a consultant is that he/she is going to get you through the implementation process much quicker than if you did it on your own (provided that the consultant has sufficient knowledge). A consultant should provide you with tips & tricks for each step in the implementation process, check the documentation, train your employees, etc. He/she could also run interviews with your employees, write the documentation, and process the results (e.g. during risk assessment).

A major drawback of hiring a consultant is that most small (but also medium-sized) organizations cannot afford one – consultants tend to charge large fees and cannot guarantee the successful implementation. Besides, the more work is done by a consultant, the less will be done by your employees, therefore less knowledge and skills will be passed on to your organization.

Then there is also the issue of confidentiality – the consultant will learn everything you do from the inside (including your vulnerabilities and controls that are in place), so if you didn’t check this person thoroughly, he/she could become quite a significant threat.

Finally, there is the question of quality – too many times I met “experts” who claimed they implemented these standards many times, but didn’t know e.g. how to run the risk assessment; or what is the purpose of business impact analysis.

Implementation without a consultant

Consultants are not the only source of knowledge – you can also choose the option to implement the standards with your employees by providing them appropriate training and support.

Here are some ideas on how to obtain the knowledge:

  • Send your employees to training courses – read How to learn about ISO 27001 and BS 25999-2 for more info
  • Get the best practices through documentation templates
  • Purchase the literature – there are various books and other publications available on the Internet

If you start implementing the standards on your own, it is probably going to take longer than if you did it with a consultant. But, it is going to be cheaper, and most probably your employees will learn better what certification entails, and what their responsibilities will be – because they will be forced to consider every step very carefully.

So, the answer to the initial question is: no – a consultant is not mandatory for your implementation (although quite often it is the best solution). However, the implementation knowledge is mandatory – without it, don’t expect to finish your ISO 27001 / BS 25999 project soon, if at all.

You can also check out our online mentoring service called Guidance & Review (commercial service).


ISO 27001 risk assessment & treatment – 6 basic steps

By Dejan Kosutic on November 22, 2011

Risk assessment (often called risk analysis) is probably the most complex part of ISO 27001 implementation; but at the same time risk assessment (and treatment) is the most important step at the beginning of your information security project – it sets the foundations for information security in your company.

The question is – why is it so important? The answer is quite simple although not understood by many people: the main philosophy of ISO 27001 is to find out which incidents could occur (i.e. assess the risks) and then find the most appropriate ways to avoid such incidents (i.e. treat the risks). Not only this, you also have to assess the importance of each risk so that you can focus on the most important ones.

Although risk assessment and treatment (together: risk management) is a complex job, it is very often unnecessarily mystified. These 6 basic steps will shed light on what you have to do:

1. Risk assessment methodology

This is the first step on your voyage through risk management. You need to define rules on how you are going to perform the risk management because you want your whole organization to do it the same way – the biggest problem with risk assessment happens if different parts of the organization perform it in a different way. Therefore, you need to define whether you want qualitative or quantitative risk assessment, which scales you will use for qualitative assessment, what will be the acceptable level of risk, etc.

2. Risk assessment implementation

Once you know the rules, you can start finding out which potential problems could happen to you – you need to list all your assets, then threats and vulnerabilities related to those assets, assess the impact and likelihood for each combination of assets/threats/vulnerabilities and finally calculate the level of risk.

In my experience, companies are usually aware of only 30% of their risks. Therefore, you’ll probably find this kind of exercise quite revealing – when you are finished you’ll start to appreciate the effort you’ve made.

3. Risk treatment implementation

Of course, not all risks are created equal – you have to focus on the most important ones, so-called ‘unacceptable risks’.

There are four options you can choose from to mitigate each unacceptable risk:

  1. Apply security controls from Annex A to decrease the risks – see this article ISO 27001 Annex A controls.
  2. Transfer the risk to another party – e.g. to an insurance company by buying an insurance policy.
  3. Avoid the risk by stopping an activity that is too risky, or by doing it in a completely different fashion.
  4. Accept the risk – if, for instance, the cost of mitigating that risk would be higher than the damage itself.

This is where you need to get creative – how to decrease the risks with minimum investment. It would be the easiest if your budget was unlimited, but that is never going to happen. And I must tell you that unfortunately your management is right – it is possible to achieve the same result with less money – you only need to figure out how.
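To make steps 1 to 3 concrete, and to show how the three residual-risk options from the earlier post on residual risk follow from them, here is a small risk register written for this page (added example, not the author's own material). It assumes a constructed methodology: 1..5 qualitative scales, risk level = likelihood x impact, an acceptable level of 6, and cost/loss figures in the same currency; all assets, threats and numbers are invented.

```python
from dataclasses import dataclass, field
from typing import Optional
# Assumed methodology (step 1): likelihood and impact on 1..5 qualitative scales,
# risk level = likelihood x impact, and a level of 6 or below is acceptable.
ACCEPTABLE_LEVEL = 6

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int                                    # inherent, before treatment
    impact: int
    controls: list[str] = field(default_factory=list)  # chosen in step 3
    residual_likelihood: Optional[int] = None          # re-assessed on the same scale
    residual_impact: Optional[int] = None
    further_treatment_cost: Optional[float] = None     # cost of the next mitigation
    loss_if_incident: Optional[float] = None           # estimated damage, same currency

    def level(self) -> int:
        return self.likelihood * self.impact

    def residual_level(self) -> int:
        # Controls usually lower likelihood, sometimes impact; untreated risks keep their level.
        lk = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        im = self.impact if self.residual_impact is None else self.residual_impact
        return lk * im

def unacceptable(register: list[Risk]) -> list[Risk]:
    """Steps 2-3: risks that must be treated, most important first."""
    return sorted((r for r in register if r.level() > ACCEPTABLE_LEVEL),
                  key=lambda r: r.level(), reverse=True)

def residual_decision(risk: Risk) -> str:
    """The three options for a residual risk, as the management decision they lead to."""
    if risk.residual_level() <= ACCEPTABLE_LEVEL:
        return "accept"              # 1: within appetite, management formally accepts
    cost, loss = risk.further_treatment_cost, risk.loss_if_incident
    if cost is not None and loss is not None and cost > loss:
        return "propose-acceptance"  # 3: further treatment would cost more than the impact
    return "treat-further"           # 2: find better mitigation, then reassess

REGISTER = [  # constructed sample register
    Risk("customer database", "ransomware", "no offline backups", 4, 5,
         controls=["offline backups", "patching"], residual_likelihood=2, residual_impact=3),
    Risk("public web server", "denial of service", "no traffic filtering", 3, 4),
    Risk("legacy production controller", "hardware failure", "no spare unit", 2, 5,
         residual_likelihood=2, residual_impact=4, further_treatment_cost=200_000, loss_if_incident=60_000),
    Risk("office laptop", "theft", "disk not encrypted", 3, 2),
]
```

Running `unacceptable(REGISTER)` lists the database, web server and controller risks in that order; `residual_decision` then returns accept, treat-further and propose-acceptance respectively, the laptop risk never leaving the acceptable band.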

4. ISMS Risk Assessment Report

Unlike previous steps, this one is quite boring – you need to document everything you’ve done so far. Not only for the auditors, but you may want to check yourself these results in a year or two.

5. Statement of Applicability

This document actually shows the security profile of your company – based on the results of the risk treatment you need to list all the controls you have implemented, why you have implemented them and how. This document is also very important because the certification auditor will use it as the main guideline for the audit.

For details about this document, see article The importance of Statement of Applicability for ISO 27001.

6. Risk Treatment Plan

This is the step where you have to move from theory to practice. Let’s be frank – all up to now this whole risk management job was purely theoretical, but now it’s time to show some concrete results.

This is the purpose of the Risk Treatment Plan – to define exactly who is going to implement each control, in which timeframe, with which budget, etc. I would prefer to call this document ‘Implementation Plan’ or ‘Action Plan’, but let’s stick to the terminology used in ISO 27001.

Once you’ve written this document, it is crucial to get your management approval because it will take considerable time and effort (and money) to implement all the controls that you have planned here. And without their commitment you won’t get any of these.

And this is it – you’ve started your journey from not knowing how to set up your information security all the way to having a very clear picture of what you need to implement. The point is – ISO 27001 forces you to make this journey in a systematic way.

P.S. ISO 27005 – how can it help you?

ISO/IEC 27005 is a standard dedicated solely to information security risk management – it is very helpful if you want to get a deeper insight into information security risk assessment and treatment – that is, if you want to work as a consultant or perhaps as an information security / risk manager on a permanent basis. However, if you’re just looking to do risk assessment once a year, that standard is probably not necessary for you.

You can also check out our Risk Assessment And Treatment Methodology (commercially sold document template).