5 steps to an effective ISO 27001 risk assessment
An ISO 27001 risk assessment helps organisations identify, analyse and evaluate weaknesses in their information security processes.
Do you want to know how to get your ISO 27001 risk assessment process right? In this blog, we take a look at five things you can do to get started.
- Establish a risk management framework
One of the key elements is having CONDITIONS for performing a risk assessment – e.g. annually and whenever there is a SIGNIFICANT CHANGE.
The framework also defines how you will identify risks; who you assign RISK OWNERSHIP to; how the risks affect the confidentiality, integrity and availability of the information; and the method of calculating the ESTIMATED DAMAGE of each SCENARIO and the LIKELIHOOD of it occurring.
A formal risk assessment methodology needs to address several issues:
- Your organisation’s core security requirements
- Risk scale
- Risk appetite (explained below as your “predetermined levels of acceptable risk”, i.e. how much risk you are prepared to accept)
- Methodology: scenario- or asset-based risk assessment (information assets are discussed below; the asset-based approach is the one recommended here)
- Identify risks
Identifying the risks that can affect the confidentiality, integrity and availability of information is the most time-consuming part of the risk assessment process.
We recommend following an asset-based approach. Developing a list of INFORMATION ASSETS is a good place to start, but if your organisation has an existing list, most of the work will already be done.
- Analyse risks
You must identify the THREATS and VULNERABILITIES that apply to each asset. A threat is an event that could harm the asset; a vulnerability is the weakness that would let the threat succeed, so one threat can pair with several vulnerabilities, and each asset–threat–vulnerability combination is a separate risk.
For example, if the threat is ‘theft of mobile device’, the vulnerability might be ‘a lack of formal policy for mobile devices’.
So a threat and a vulnerability are not quite the same thing.
- Evaluate risks
Now it’s time to assess how SIGNIFICANT each risk is. It’s WASTEFUL to implement measures in response to every risk you face, so you should use a risk assessment matrix to help you identify which risks are worth treating and prioritise them.
Most risk assessment matrices follow the same layout: one axis represents the PROBABILITY of a risk SCENARIO occurring and the other the DAMAGE IT WILL CAUSE, and each cell holds a score derived from the two ratings (commonly their product or sum).
You should use the matrix to score each risk and weigh the scores against your PREDETERMINED LEVELS OF ACCEPTABLE RISK (i.e. your RISK APPETITE). The scores determine how you address each risk, which is the final step in the process.
- Select risk treatment options
There are several ways you can treat a risk:
- Avoid the risk by ELIMINATING IT ENTIRELY
- MODIFY the risk by applying SECURITY CONTROLS
- SHARE the risk with a third party (through insurance or by outsourcing it)
- RETAIN the risk (if the risk falls within established RISK ACCEPTANCE CRITERIA)
The method you choose will depend on your circumstances. Avoiding the risk is the most effective way of preventing a security incident, but doing so will often be expensive, if not impossible.
For example, many risks are introduced into an organisation by HUMAN ERROR, and you WON’T OFTEN BE ABLE TO remove the human element from the equation.
You’ll therefore be required to MODIFY most risks. This involves selecting the relevant controls, which are outlined in Annex A of ISO 27001.
If a risk cannot be eliminated entirely, it has to be controlled.
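The steps above (identify assets and their threat/vulnerability pairs, score likelihood and impact on a matrix, compare the score with the risk appetite, then pick a treatment option) carried through in code as an added example; this is not code from the original post. It assumes 1–5 ordinal scales for likelihood and impact, a score equal to their product, a risk appetite threshold of 6, the rating bands, and two per-risk flags (`can_eliminate`, `transferable`) that drive the avoid/share decisions; the register entries are constructed sample data, not a real assessment.

```python
"""Asset-based ISO 27001 risk register: score, evaluate, choose treatment.

Added illustration. The 1-5 scales, the score bands, the appetite threshold
and the can_eliminate/transferable flags are assumptions made for this
example; ISO 27001 does not prescribe them.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple


class Treatment(Enum):
    AVOID = "avoid"    # eliminate the activity that gives rise to the risk
    MODIFY = "modify"  # apply security controls (Annex A)
    SHARE = "share"    # insure it or outsource it
    RETAIN = "retain"  # within the risk acceptance criteria


SCALE = range(1, 6)   # assumed ordinal scale for likelihood and impact
RISK_APPETITE = 6     # assumed: scores at or below this are acceptable


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int                # 1 (rare) .. 5 (almost certain)
    impact: int                    # 1 (negligible) .. 5 (severe)
    affects: Tuple[str, ...]       # which of C, I, A the scenario harms
    owner: str                     # risk owner
    can_eliminate: bool = False    # assumption: activity can be stopped
    transferable: bool = False     # assumption: insurable or outsourceable

    def __post_init__(self) -> None:
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError("likelihood and impact must be 1..5")
        if not self.affects or not set(self.affects) <= {"C", "I", "A"}:
            raise ValueError("affects must name at least one of C, I, A")

    @property
    def score(self) -> int:
        # Matrix cell: probability x damage.
        return self.likelihood * self.impact


def rating(score: int) -> str:
    """Assumed bands over the 1..25 product."""
    if score >= 16:
        return "critical"
    if score >= 10:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


def decide_treatment(risk: Risk, appetite: int = RISK_APPETITE) -> Treatment:
    """Retain within appetite; otherwise avoid, share, or (most often) modify."""
    if risk.score <= appetite:
        return Treatment.RETAIN
    if risk.can_eliminate:
        return Treatment.AVOID
    if risk.transferable:
        return Treatment.SHARE
    return Treatment.MODIFY


def prioritise(register: List[Risk]) -> List[Risk]:
    """Highest score first; ties broken by impact (stable sort keeps input order)."""
    return sorted(register, key=lambda r: (r.score, r.impact), reverse=True)


def render_matrix(appetite: int = RISK_APPETITE) -> List[str]:
    """Rows = impact 5..1, columns = likelihood 1..5; '*' marks cells above appetite."""
    rows = []
    for impact in reversed(SCALE):
        cells = [f"{likelihood * impact:2d}{'*' if likelihood * impact > appetite else ' '}"
                 for likelihood in SCALE]
        rows.append(f"I{impact} | " + " ".join(cells))
    rows.append("     " + " ".join(f"L{l} " for l in SCALE))
    return rows


# Constructed sample register (illustrative, not real data).
REGISTER = [
    Risk("Laptop fleet", "theft of mobile device", "no formal mobile device policy",
         4, 4, ("C", "A"), "IT manager"),
    Risk("Customer database", "ransomware", "unpatched database servers",
         3, 5, ("C", "I", "A"), "Head of engineering"),
    Risk("Card payments", "card data breach", "in-house card processing",
         3, 5, ("C",), "Finance director", transferable=True),
    Risk("Legacy FTP server", "credential sniffing", "cleartext protocol",
         4, 3, ("C",), "IT manager", can_eliminate=True),
    Risk("Public brochure PDF", "defacement", "shared hosting account",
         2, 1, ("I",), "Marketing lead"),
]


def treatment_plan(register: List[Risk] = REGISTER, appetite: int = RISK_APPETITE):
    """(asset, score, rating, treatment) tuples, highest priority first."""
    return [(r.asset, r.score, rating(r.score), decide_treatment(r, appetite).value)
            for r in prioritise(register)]


if __name__ == "__main__":
    print("\n".join(render_matrix()))
    for row in treatment_plan():
        print(row)
```

Raising the appetite moves risks from the treatment queue into RETAIN without touching the register, which is the point of keeping the threshold separate from the scores: the scoring is the assessment, the threshold is the policy decision.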