6 Basic steps in ISO 27001 Risk Assessment and Treatment
ISO 27001 certification is a specification for an Information Security Management System (ISMS). The ISMS is part of the overall management system and is based on a business-risk approach to establish, implement, operate, monitor, review, maintain and improve information security. The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources.
Risk assessment is the major and most important step at the beginning of an Information Security Management System. It is the overall process of risk identification, risk analysis and risk evaluation. Risk analysis is the process of understanding the nature of a risk and determining its level. Risk analysis provides the basis for risk evaluation and for decisions about risk treatment, and it includes risk estimation.
The organization's risk assessor identifies the risks and hazards the organization is facing and leads the risk assessment. The risk assessment is asset based: risks are assessed in relation to the organization's information assets. It is conducted across the whole organization.
Some companies perform risk management incorrectly by executing the process differently in each department or part of the organization. Because of this, many organizations have problems completing the risk assessment during the implementation phase. The question then arises: how do you assess the risks, and how do you treat them, in accordance with ISO 27001? These questions can be answered by the following 6 important steps.
1. Describing the Risk Assessment methodology:
The first step in risk assessment is to define your rules for identifying the organization's risks and hazards, so that you choose the correct way to perform the risk assessment. A formal risk assessment methodology needs to address 4 issues, and it should be approved by top management:
· Baseline security criteria
· Risk scale
· Risk appetite
· Scenario-based or asset-based risk management
2. Implementation of Risk Assessment:
After defining the rules for the assessment, you need to identify the potential problems. Start by listing all the risk types; at the same time, list all the threats and vulnerabilities linked to the assets, and calculate the level of each risk. You need to define whether your risk management is qualitative or quantitative, and what the acceptance level for a particular risk type should be.
3. Risk Treatment Implementation:
Risk treatment is the process of modifying the risk.
Risk treatment can involve:
• Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk
• Taking or increasing risk in order to pursue an opportunity
• Removing the risk source
• Changing the likelihood
• Changing the consequences
• Sharing the risk with another party or parties (including contracts and risk financing)
• Retaining the risk by informed choice
Risk treatments that deal with negative consequences are sometimes referred to as "risk mitigation" (accepting the risk), "risk elimination" (avoiding the risk by stopping the risky activity), "risk prevention" (applying security controls to decrease the risk) and "risk reduction" (transferring the risk to a third party).
Risk treatment can create new risks or modify existing risks.
4. ISMS Risk assessment report:
The risk assessment report documents everything you have done so far. This document is useful for the auditors and for checking your results in the future.
5. Statement of Applicability:
ISO 27001 certification requires the organization to produce a set of documents for audit and certification purposes. The most important are the Statement of Applicability (SoA) and the Risk Treatment Plan (RTP).
The Statement of Applicability shows the company's security profile. Based on the result of the risk treatment, you need to record every control you have implemented, how you implemented it and why. This is what the certification auditors will check.
6. Risk Treatment Plan:
The purpose of the Risk Treatment Plan is to define exactly who will implement each control, within what timeframe, with what budget, and so on, and to document it. After this documentation you need to get management's approval for the whole process. Implementation takes time, effort and money, and management approval is crucial because you cannot carry out any of the process without their support.
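The six steps above, worked through as an added example that is not from the original post: a minimal asset-based risk register that applies a defined methodology (step 1: 1-5 scales, risk level = likelihood x impact, a risk appetite), scores each risk (step 2), chooses a treatment option and records the plan entry (steps 3 and 6), and derives the SoA from the applied controls (step 5). The scales, threshold, asset names and control names are constructed assumptions, not ISO 27001 requirements.

```python
from dataclasses import dataclass

# Step 1, the methodology (constructed assumptions, not ISO 27001 requirements):
# qualitative 1-5 scales, risk level = likelihood x impact, and a risk appetite.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
RISK_APPETITE = 6  # levels at or below this are retained by informed choice


@dataclass
class Risk:
    """One row of the asset-based register (step 2)."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str


def risk_level(likelihood, impact):
    """Step 2: calculate the level of risk on the defined scale."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def treat(risk, control, owner, deadline, residual_likelihood=None, residual_impact=None):
    """Steps 3 and 6: choose a treatment option and record the plan entry.

    Retain the risk if its inherent level is within appetite. Otherwise apply the
    chosen control, which changes the likelihood and/or the consequences, and
    re-score; a residual level still above appetite is flagged so management can
    decide to share or avoid the risk rather than silently accept it."""
    inherent = risk_level(risk.likelihood, risk.impact)
    entry = {"asset": risk.asset, "threat": risk.threat, "inherent": inherent,
             "control": control, "owner": owner, "deadline": deadline}
    if inherent <= RISK_APPETITE:
        entry.update(treatment="retain", residual=inherent, control=None)
    elif control is None:
        entry.update(treatment="share or avoid (no control selected)", residual=inherent)
    else:
        residual = risk_level(residual_likelihood or risk.likelihood,
                              residual_impact or risk.impact)
        entry.update(treatment="modify" if residual <= RISK_APPETITE
                     else "modify; residual above appetite, escalate", residual=residual)
    return entry


def statement_of_applicability(entries):
    """Step 5: each applied control with the risks that justify it."""
    soa = {}
    for e in entries:
        if e["control"]:
            soa.setdefault(e["control"], []).append(f"{e['asset']}: {e['threat']}")
    return soa
```

Running the register over a handful of constructed risks yields one plan entry per risk (owner, deadline, inherent and residual level, treatment) and an SoA keyed by control, which is the material steps 4 to 6 say the auditor will ask for.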
To conclude, risk assessment and treatment is one of the most important steps in securing the organization's systems, because it identifies the threats and resolves them.
Kwikcert is one of the best ISO certification consultants in Saudi Arabia, UAE, Oman, Kuwait, Qatar and Bahrain. For more details contact us at www.kwikcert.com or kwikcert@gmail.com.