Last Updated on September 7, 2019
This short post is the third in a series that explains in straightforward terms the process we follow to build an ISO 27001 certifiable Information Security Management System (ISMS). You can access our entire proven process here.
We hope you find these bite-sized posts useful for understanding how ISO 27001 certification is achieved, and what it could look like for your organization. You may want to read them in order, starting with Step 1. Enjoy!
A key element in any information security plan is the risk associated with your information assets, and whether that risk is reduced to a level you are comfortable with. This process is often referred to as risk assessment. It has two components: risk identification and risk analysis.
By the time you go through Steps 1 and 2 to get to this point, you will have already identified a number of risks, even though this wasn’t your explicit intent. In this Step 3, your initial focus should be on identifying all the additional risks to your organization’s information assets. This is the risk identification part of the activity.
“To do a risk assessment, you need to consider the likelihood of a risk being realized… along with the impact that risk realization would have on your organization.”
Once you have a firm understanding of all the risks, you can then assess and document which risks are currently being managed effectively by information security controls that are already in place, and which are not yet effectively managed. This is the risk analysis part of the activity.
To do a risk assessment, you need to consider the likelihood of a risk being realized, taking into account the information security controls now in place, along with the impact that risk realization would have on your organization. For example, some risks might be unlikely but potentially catastrophic (e.g., exfiltration of your customer database by a competitor). Others might be both likely and damaging (e.g., a ransomware attack if proper controls aren’t in place). Others might be likely but not particularly dangerous (e.g., a reconnaissance/probing attack that your firewall repels).
In a nutshell, risk assessment is the process of identifying the universe of risks to your information assets, and then determining if/which of those risks necessitate improvements to your information security program.
Have questions about ISO 27001 certification or the best way to achieve your information security goals? Contact Pivot Point Security—we specialize in advising organizations on how to manage information security risk.
Access All ISO 27001 Proven Process Step Posts Here:
- Understand Your Scope
- Understand your InfoSec Controls
- Identify and Analyze Information Related Risk
- Build a Risk Treatment Plan
- Execute the Risk Treatment Plan
- Conduct an Internal Audit
- Certify Your ISMS
- Maintenance, Continuous Improvement and Recertification
Also, here is our ISO 27001 Proven Process PDF