ISO27001 and Risk Management

Risk management is a key component of ISO27001, covered under requirements 6 and 8 and featured in the ANNEX A controls. Risk forms the basis of ANNEX A controls decisions, and the ANNEX A controls form should be reviewed for alignment with risk treatment decisions.

Understanding ISO27001 Standards

I suppose we should introduce the ISO27001 standard.

ISO27001 is a globally recognised international standard for managing information security. It provides a framework for implementing and maintaining an effective Information Security Management System (ISMS) designed to protect an organisation's information assets' confidentiality, integrity, and availability.

If you want to know more, check out our "What is ISO27001" article.

Incorporating Risk Management within ISO27001

Risk management is fundamental to ISO27001, and you have the following expectations from the standard's requirements

• Actions to address risks and opportunities
• Risk Identification
• Risk Assessment
• Including recurring assessments and documented evidence
• Risk Treatment
• Implementation of the treatment and again documented evidence

Risk is also mentioned in controls within ANNEX A when assessing Supplier Relationships, including the ICT supply chain, as well as screening employees.

Risk Management Methodologies

The concepts of risk management in ISO 27001 are aligned with the ISO 31000 standard which is a general risk management guidelines document, this is a relatively simple standard and a good method to follow with ISO27001, although I would generally recommend adopting ISO 27005 which is focused on information security risk management which is fundamentally the focus of ISO 27001. It also has a more expectations in the risk assessment process.

A bit of a blend is probably best for most businesses. A process that meets your needs still needs to be defined.

Key Components of ISO27001 Risk Management

Here, I will cover some of the key components of risk management for ISO 27001, but if you want a deeper understanding, read our "What is Risk Management" article.

• Criteria for accepting risks – Some risks you will just accept and move on, usually if they score low, but defining that means you get consistent treatment decisions.
• Document the risks in a risk register – this could be as simple as writing a description of the risk.
• Define the potential impact and likelihood—what impact could occur, give it a value, and how likely it is, again, give it a value and multiply this to give you a risk score.
• Document what you are going to do, if anything. You will define standard responses to risk and identify the controls from the ANNEX that are relevant to the treatment.
• Finally assign an owner – this is someone who can take responsibility, in a small company this may be the same person for all.

‍

‍