6 Basic steps in ISO 27001 Risk Assessment and Treatment


ISO 27001 is the specification for an Information Security Management System (ISMS). The ISMS is part of the overall management system, based on a business risk approach, and is used to establish, implement, operate, monitor, review, maintain and improve information security. The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources.


Risk assessment is the major and most important part at the beginning of an Information Security Management System. It is the overall process of risk identification, risk analysis and risk evaluation. Risk analysis is the process of understanding the nature of a risk and determining its level; it provides the basis for risk evaluation and for decisions about risk treatment, and includes risk estimation.
The organization's risk assessor identifies the risks and hazards that the organization is facing and leads the risk assessment. The risk assessment is asset based: risks are assessed in regard to the organization's information assets, and it is conducted over the whole organization.
Some companies run into problems when they perform risk management inconsistently, executing the process differently in each department or part of the organization. Because of this, many organizations struggle with risk assessment in the implementation phase. The question then arises: how do you assess the risks, and how do you treat them, in accordance with ISO 27001? These questions can be answered by the following six important steps.

1. Describing the Risk Assessment methodology:
The first step in risk assessment is to define your rules for identifying the organization's risks and hazards, in order to choose the correct way in which you will perform the risk assessment. A formal risk assessment methodology needs to address four issues, and it should be approved by top management:
· Baseline security criteria
· Risk scale
· Risk appetite
· Scenario-based or asset-based risk management
2. Implementation of Risk Assessment:
After defining the rules for the assessment, you need to identify the potential problems. Start by listing all the assets in scope and, at the same time, list all the threats and vulnerabilities linked to those assets; then calculate the level of risk for each. You need to define whether the risk assessment will be qualitative or quantitative, and what the acceptable level for a particular risk type should be.
3. Risk Treatment Implementation:
Risk treatment is the process of modifying the risk.
Risk treatment can involve:
· Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
· Taking or increasing the risk in order to pursue an opportunity;
· Removing the risk source;
· Changing the likelihood;
· Changing the consequences;
· Sharing the risk with another party or parties (including contracts and risk financing);
· Retaining the risk by informed choice.
Risk treatments that deal with negative consequences are sometimes referred to as "risk mitigation" (accepting the risk), "risk elimination" (avoiding the risk by stopping the risky activity), "risk prevention" (applying security controls to decrease the risk) and "risk reduction" (transferring the risk to a third party).
Risk treatment can create new risks or modify existing risks.
4. ISMS Risk Assessment Report:
The risk assessment report documents everything that you have done so far. This document will be useful for the auditors and for checking your results in the future.
5. Statement of Applicability:
ISO 27001 certification requires the organization to produce a set of reports for audit and certification purposes. The most important are the Statement of Applicability (SoA) and the Risk Treatment Plan (RTP).
The Statement of Applicability shows the security profile of the company. Based on the result of the risk treatment, you need to record all the controls that you have implemented, how you implemented them and why you implemented them. This is helpful for the certification auditors.
6. Risk Treatment Plan:
The purpose of the Risk Treatment Plan is to define exactly who will implement each control, in what timeframe, with what budget, and so on; all of this needs to be documented. After this documentation you need to get management's approval of the whole process. Implementation will take time, effort and money, and management's approval is crucial because you cannot conduct any of this without their support.
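As an added illustration (not from this post or from Kwikcert), the six steps above as a small asset-based risk register in Python. The 1-5 scales, the risk appetite threshold and the sample assets are constructed assumptions; the code computes the level of risk, refuses any treatment whose residual level is still above the appetite, and derives the SoA and RTP entries from the register.

```python
from dataclasses import dataclass

# Step 1 (methodology): assumed 1-5 qualitative scales and a risk appetite threshold.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
RISK_APPETITE = 8  # assumed: any level above 8 is unacceptable and must be treated
@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str        # inherent values, before treatment
    impact: str
    treatment: str = ""    # avoid | reduce | share | retain (the post's options)
    control: str = ""      # control applied; justifies an SoA entry
    owner: str = ""        # who implements it and by when (Risk Treatment Plan)
    deadline: str = ""
    residual: int = -1     # level after treatment, set by treat()

def level(likelihood: str, impact: str) -> int:
    """Step 2: qualitative level of risk = likelihood x impact on the 1-5 scales."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]

def treat(r: Risk, treatment: str, control="", owner="", deadline="",
          likelihood=None, impact=None) -> Risk:
    """Step 3: 'reduce'/'share' change likelihood and/or consequences, 'avoid'
    stops the activity, 'retain' accepts the inherent level by informed choice."""
    if treatment == "avoid":
        residual = 0
    elif treatment in ("reduce", "share"):
        residual = level(likelihood or r.likelihood, impact or r.impact)
    elif treatment == "retain":
        residual = level(r.likelihood, r.impact)
    else:
        raise ValueError(f"unknown treatment {treatment!r}")
    if residual > RISK_APPETITE:  # the appetite from step 1 decides acceptance
        raise ValueError(f"{r.asset}/{r.threat}: residual {residual} > appetite {RISK_APPETITE}")
    r.treatment, r.control, r.owner, r.deadline, r.residual = (
        treatment, control, owner, deadline, residual)
    return r
def statement_of_applicability(register):
    """Step 5: each applied control with the risks that justify it."""
    soa = {}
    for r in register:
        if r.control:
            soa.setdefault(r.control, []).append(f"{r.asset}: {r.threat}")
    return soa
def risk_treatment_plan(register):
    """Step 6: control, owner and deadline for every risk not simply retained."""
    return [(r.control, r.owner, r.deadline) for r in register if r.treatment != "retain"]
```

The register itself (step 4's report) is simply the list of treated `Risk` records, which is what the two report functions read.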
To conclude, risk assessment and treatment is one of the most important steps in securing the organization's systems, because it identifies the threats and resolves them.
Kwikcert is one of the best ISO certification consultants in Saudi Arabia, UAE, Oman, Kuwait, Qatar, and Bahrain. For more details, contact us at www.kwikcert.com or kwikcert@gmail.com.

Comments

  1. If you ever want to take some of the load off, I’d like to write some material for your blog in exchange for a link back to mine. Please shoot me an email if interested. Thanks.

  2. I’m experiencing some small security issues with my latest blog, and I’d like to find something safer. Do you have any suggestions?

  3. The young boys ended up stimulated to read through them and now have unquestionably been having fun with these things.

  4. Impressive. Thanks for the post. Interesting stuff to read. Keep it up.

  5. You have posted a trustworthy blog, keep sharing.

  6. Thanks for the valuable information. Are you looking for a one-stop solution to your Information/Cybersecurity needs? IARM is one of the few companies that focus exclusively on end-to-end Information/Cybersecurity solutions and services for organizations across all verticals.

  7. Good day. I was impressed with your article. Keep it up. You can also visit my site if you have time. Thank you and bless you always.

  8. This is such an informative article about risk management and its treatment. Thanks for sharing such well-researched content and excellent wording.

  9. Great blog to read! Very informative for me, as I am also doing my PGDM course in risk management, and this info will surely be useful for me in my future career. Keep sharing.