ISO 27001/BS 25999 documents, presentation decks and implementation guidelines


Risk assessment tips for smaller companies

By Dejan Kosutic on February 22, 2010

I have seen quite a lot of smaller companies (up to 50 employees) trying to apply risk assessment tools as part of their ISO 27001 implementation project. The result is that it usually takes too much time and money with too little effect.

First of all, what actually is risk assessment, and what is its purpose? Risk assessment is a process during which an organization identifies its information security risks and determines their likelihood and impact. Plainly speaking, the organization should recognize all the potential problems with its information, how likely they are to occur and what the consequences might be. The purpose of risk assessment is to find out which controls are needed in order to decrease the risk; the selection of controls is called the risk treatment process, and in ISO 27001 they are chosen from Annex A, which specifies 133 controls.

Risk assessment is carried out by identifying and evaluating assets, vulnerabilities and threats. An asset is anything that has value to the organization: hardware, software, people, infrastructure, data (in various forms and media), suppliers and partners, etc. A vulnerability is a weakness in an asset, process, control, etc., which could be exploited by a threat; a threat is any cause that can inflict damage on a system or organization. An example of a vulnerability is the lack of anti-virus software; a related threat is the computer virus.

Knowing all this, if your organization is small, you don’t really need a sophisticated tool to perform the risk assessment. All you need are an Excel spreadsheet, good catalogues of vulnerabilities and threats, and a good risk assessment methodology. The main job is really to evaluate likelihood and impact, and that cannot be done by any tool – it is something your asset owners, with their knowledge of their assets, have to think about.

So, where do you get the catalogues and methodology? If you are using the services of a consultant, he/she should provide those; if not, there are a few free catalogues available on the Internet, you just have to do a search on Google. The methodology is not available for free, but you could use the ISO 27005 standard (it describes risk assessment and treatment in detail), or you could buy one from the websites selling methodologies. All this should take considerably less time and money than buying a risk assessment tool and learning how to use it.

A good methodology should contain a method for identifying assets, threats and vulnerabilities, tables for marking the likelihood and impacts, a method for calculating the risk, and define the acceptable level of risk. Catalogues should contain at least 30 vulnerabilities and 30 threats; some contain even a few hundred of each, but that is probably too much for a small company.

The process is really not complicated – here are the basic steps for assessment & treatment:

  1. define and document the methodology (including the catalogues), distribute it to all asset owners in the organization
  2. organize interviews with all the asset owners during which they should identify their assets, and related vulnerabilities and threats; in the second step ask them to evaluate the likelihood and impact if particular risks should occur
  3. consolidate the data in a single spreadsheet, calculate the risks and indicate which risks are not acceptable
  4. for each risk that is not acceptable, choose one or more controls from Annex A of ISO 27001 – calculate what the new level of risk would be after those controls are implemented
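The four steps above, from the consolidated spreadsheet (step 3) through the treatment decisions (step 4), as an added worked example in Python; it is not code from the original post or from the author. The register, the owners, the 1-3 likelihood/impact scale, the acceptable level of 4 and the treatment decisions are all constructed assumptions standing in for what the asset-owner interviews would produce; the controls are named descriptively rather than by Annex A number. The example also covers two outcomes the steps imply but do not spell out: a risk for which no control has been chosen yet, and a risk whose residual level is still above the acceptable level after the first control, so it needs further treatment.

```python
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample register (hypothetical assets, owners, vulnerabilities and
# threats), laid out as the consolidated spreadsheet from the owner interviews.
# Likelihood and impact are on an assumed 1-3 scale (1 = low, 3 = high).
REGISTER_CSV = """asset,owner,vulnerability,threat,likelihood,impact
File server,IT,No offline backups,Ransomware,3,3
Laptop fleet,IT,Disks not encrypted,Laptop theft,2,3
HR database,HR,Shared admin password,Unauthorized access,2,2
Office network,IT,No anti-virus on workstations,Computer virus,3,2
Website,Marketing,Outdated CMS,Defacement,1,2
"""

# Assumed acceptable level of risk: risk = likelihood * impact, accepted when <= 4.
ACCEPTABLE_RISK = 4

# Hypothetical treatment decisions: the control(s) chosen for a risk and the
# likelihood/impact the asset owner expects once they are implemented.
TREATMENTS: Dict[Tuple[str, str], dict] = {
    ("File server", "Ransomware"): {
        "controls": ["Offline backups with restore tests"],
        "likelihood": 3, "impact": 2},          # residual 6: still above threshold
    ("Laptop fleet", "Laptop theft"): {
        "controls": ["Full-disk encryption", "Asset register of laptops"],
        "likelihood": 2, "impact": 1},          # residual 2
    ("Office network", "Computer virus"): {
        "controls": ["Anti-virus on all workstations"],
        "likelihood": 1, "impact": 2},          # residual 2
}


@dataclass
class Risk:
    asset: str
    owner: str
    vulnerability: str
    threat: str
    likelihood: int
    impact: int

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def load_register(text: str) -> List[Risk]:
    """Parse the consolidated spreadsheet (CSV) and validate the 1-3 scales."""
    risks = []
    for row in csv.DictReader(io.StringIO(text)):
        likelihood, impact = int(row["likelihood"]), int(row["impact"])
        if not (1 <= likelihood <= 3 and 1 <= impact <= 3):
            raise ValueError(f"{row['asset']}: likelihood and impact must be 1-3")
        risks.append(Risk(row["asset"], row["owner"], row["vulnerability"],
                          row["threat"], likelihood, impact))
    return risks


def unacceptable_risks(risks: List[Risk], threshold: int = ACCEPTABLE_RISK) -> List[Risk]:
    """Step 3: flag every risk whose score exceeds the acceptable level."""
    return [r for r in risks if r.score > threshold]


def treatment_plan(risks: List[Risk], treatments: dict,
                   threshold: int = ACCEPTABLE_RISK) -> List[dict]:
    """Step 4: for each unacceptable risk, record the chosen controls and the
    residual risk; anything still above the threshold needs further treatment."""
    plan = []
    for r in unacceptable_risks(risks, threshold):
        t = treatments.get((r.asset, r.threat))
        if t is None:
            plan.append({"asset": r.asset, "threat": r.threat, "current": r.score,
                         "controls": [], "residual": r.score,
                         "status": "no control chosen"})
            continue
        residual = t["likelihood"] * t["impact"]
        status = "accepted" if residual <= threshold else "further treatment needed"
        plan.append({"asset": r.asset, "threat": r.threat, "current": r.score,
                     "controls": list(t["controls"]), "residual": residual,
                     "status": status})
    return plan


if __name__ == "__main__":
    register = load_register(REGISTER_CSV)
    for item in treatment_plan(register, TREATMENTS):
        print(f"{item['asset']:15} {item['threat']:16} risk {item['current']} -> "
              f"{item['residual']}  {item['status']}: "
              f"{', '.join(item['controls']) or '-'}")
```

The register can be exported from the Excel sheet as CSV and fed to `load_register` unchanged; the validation step catches the common spreadsheet mistake of an owner entering a value outside the agreed scale. The "further treatment needed" status is the point of calculating residual risk in step 4: the ransomware row shows that a single control may not be enough, and the loop back to Annex A continues until the residual level is at or below the acceptable level.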

To conclude: risk assessment and treatment really are the foundation of information security / ISO 27001, but that does not mean they have to be complicated. You can do them in a simple way, and your common sense is what really counts.

You can also check out our video tutorial How to Implement Risk Assessment According to ISO 27001 (commercially sold video).


  • Suzana Stojakovic – Celustka

    I agree with the above text, but don't see any special reason to do the risk assessment completely manually, i.e. through Excel spreadsheets. I think that your text gives a good description of how to automate the complete process. Small business companies could have a great benefit from an easy-to-use risk assessment software application.

  • Johnson

    Hi Suzana

    Please can you give a list of free or open source risk assessment software applications that can be used for risk assessment.

  • Suzana Stojakovic – Celustka

    Hi Johnson,

    I am not aware of any free or open source risk assessment software. All applications I know about are commercial versions. Thinking of developing my own, but cannot afford to put it on market as a freeware.

  • Ben

    One such tool is eTrust PCM (Policy Compliance Manager), but it is a commercial version. Suzana is right: there is no freeware software in the market.