Checklist: A technique in which a list of items is created to ensure that the most common topics, as well as the critical topics related to the subject, are not overlooked when identifying risks (e.g., common errors in software development or contractually prescribed protective measures). This increases the consistency and completeness of risk identification. Its use is recommended in cases where historical information, market references and knowledge of past situations are widely used.

That is, in this case, the organization has an annual risk of incurring a loss of $250,000 if its database is lost. Therefore, any control implemented (e.g., backup, patch management, etc.) that costs less than this value would be cost-effective.

Companies must also “keep documented information about the information security risk assessment process” so that they can demonstrate that they meet these requirements and ensure that the process is followed consistently and correctly.

So I would say that one of the main differences is mindset: risk assessment is about thinking about (potential) things that might happen in the future, while internal audit is about how things have been done in the past.

Risk management consists of two main elements: risk assessment (often referred to as risk analysis) and risk treatment. ISO 27001 breaks down this risk management requirement in depth. In addition, there are other risk-based standards, such as ISO 31000, from which the ISO 27001 risk planning principles originate. For example, if you found a level 4 consequence and a level 5 probability in your risk assessment (which would mean a risk of 9 with the addition method), your residual risk may be 5 if you determine that the consequence would decrease to 3 and the probability to 2, for example because of the safeguards you plan to implement.
Most people think that risk assessment is the most difficult part of implementing ISO 27001. Yes, risk assessment is probably the most complex, but risk treatment is certainly the most strategic and costly. In any case, you should not start assessing risks until you have adapted the methodology to your specific situation and needs. Here are some tips on how to make risk management easier for small businesses to manage:

Conclusion: Risk assessment and treatment are really the fundamentals of information security and ISO 27001, but that doesn't mean they have to be complicated. You can do it the simple way, and your common sense is what really matters.

An indirect change, which is not visible on a first reading of the standard, is that risk management has taken over from preventive measures (preventive measures no longer exist in the 2013 revision). This only becomes clear when one reads section 6.1.1 of ISO 27001:2013 in more detail. But this change makes sense: preventive measures are nothing more than working out what might go wrong in the future and taking steps to prevent it, and that is exactly what risk assessment and treatment are all about. Therefore, ISO 27001:2013 only corrected what was not very logical in ISO 27001:2005, and the good thing is that you do not have to change your risk assessment process because of that.

So the fact is, you shouldn't assess risks with a sheet you've downloaded somewhere on the internet; that sheet may use a methodology that is completely inappropriate for your business. You should not start by using the methodology prescribed by the risk assessment tool you have purchased. Instead, you should choose the risk assessment tool that fits your methodology. (Or you decide you don't need a tool at all and can do it with simple Excel spreadsheets.) If you choose the latter, you'll identify the top risks and get your employees thinking about the need to protect company information.
And you always have the option to add the other risks later, once you've completed your initial implementation. This is what ISO 27001 requires of you anyway, as part of continuous improvement.

In my experience, employees (and the organization as a whole) are usually only aware of 25-40% of risks, so it is not possible to recall all risks from memory, and this identification must be done systematically.

Since it involves little mathematics (risk can be calculated by a simple sum, multiplication or another simple combination of the probability and consequence values), qualitative risk assessment is quick and easy to perform. In this free guide, you will learn how to determine the optimal risk scale so that you can determine the impact and likelihood of risks.

Risk identification. The 2005 revision of ISO 27001 prescribed the identification methodology: assets, threats and vulnerabilities had to be identified. The current 2013 revision of ISO 27001 does not require such identification, which means that you can identify risks according to your processes, according to your departments, with threats only and without vulnerabilities, or with any other methodology you want. However, my personal preference is still the good old asset-threat-vulnerability method. (See also this list of threats and vulnerabilities.) This means clearly describing the approach taken and creating a risk methodology; we've written more about this here.
But this is where things could get complicated. My client had a different question because he wanted everything clarified: “I think there is another difference between these two approaches to risk assessment: with ISMS, we deal with assets (primary and supporting); with BCM, however, we take care of critical activities and processes.”

Before you begin your implementation process, you should be aware of the unacceptable risks identified in the risk assessment, but also of your available budget for the current year, as controls sometimes require investment. To ensure you are properly managing risks, you should carefully follow each subsection of ISO 27001. You will also learn how to systematically identify, assess and analyse risks and better understand your basic security criteria. However, if you want to use a different approach that makes the most of the situation and the information available, your organization may want to consider other approaches to identifying risks and evolve your risk assessment.

Any risk in the company leads to uncertainty. A company's approach to risk is determined by its risk appetite. Regardless, a standardized approach can be a valuable process-based method that eliminates some or all of the uncertainty.
Once you know the rules, you can work out what potential problems might happen to you: you need to list all your assets, then assess the threats and vulnerabilities related to those assets, assess the impact and likelihood of each asset/threat/vulnerability combination, and finally calculate the level of risk.

Specifically, business impact analysis, maximum acceptable downtime/recovery time objective, data loss/recovery point objective, required resources, and other critical information help you develop the business continuity strategy for each of your businesses. To learn more, click here: How to implement Business Impact Assessment (BIA) in accordance with ISO 22301. With vsRisk, you don't need to spend time developing a risk-based assessment methodology or on expensive trial and error: you can start evaluating right away.

The number of risks will therefore depend roughly on the number of employees in your company.

Assessment of consequences and probability. You must assess the consequences and likelihood of each of your risks separately; you are completely free to use the scales you like, for example low-medium-high, 1 to 5 or 1 to 10, whichever suits you best. Of course, if you want to make it easier for yourself, go for the low-medium-high scale.

NOTE: The assets, threats and vulnerabilities approach is consistent with the approach to identifying security risks under ISO/IEC 27001 and complies with the requirements of ISO/IEC 27001, so that previous investments in risk identification are not lost. It is not recommended to be too detailed in the identification of risks during the first cycle of risk assessment.
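The following is a worked example of the scoring described in this section (an asset/threat/vulnerability register, 1-to-5 consequence and probability scales combined with the addition method, and residual risk after planned safeguards), together with the cost-effectiveness reasoning from the $250,000 example earlier on this page. It is example code added to this article, not the article's own material or any vendor's tool; the 1-to-5 scales, the acceptance threshold of 5, the sample register entries and the single-loss/frequency split behind the $250,000 figure are all assumptions. The cost check compares a safeguard's yearly cost against the annual loss it actually removes, which is the stricter form of the rule quoted above and avoids approving a control that is cheap but does little.

```python
"""Qualitative ISO 27001-style risk register: addition-method scoring, residual risk
after treatment, and an annualised-loss check on whether a safeguard pays for itself.
Example code added to this article; not the article's or any vendor's own tool.
"""
from dataclasses import dataclass, field
from typing import List, Literal, Optional

SCALE_MIN, SCALE_MAX = 1, 5   # assumed 1-to-5 scales for consequence and probability
ACCEPTABLE_RISK = 5           # assumed acceptance threshold (addition method gives 2..10)

Method = Literal["addition", "multiplication"]


def check_scale(value: int, name: str) -> int:
    """Reject values outside the agreed scale so a typo cannot silently hide a risk."""
    if not isinstance(value, int) or not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{name} must be an integer from {SCALE_MIN} to {SCALE_MAX}, got {value!r}")
    return value


def risk_level(consequence: int, probability: int, method: Method = "addition") -> int:
    """Combine consequence and probability the simple way the article describes."""
    c = check_scale(consequence, "consequence")
    p = check_scale(probability, "probability")
    if method == "addition":
        return c + p
    if method == "multiplication":
        return c * p
    raise ValueError(f"unknown method {method!r}")


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    consequence: int
    probability: int
    safeguards: List[str] = field(default_factory=list)
    residual_consequence: Optional[int] = None   # estimate after the safeguards are in place
    residual_probability: Optional[int] = None

    def inherent(self, method: Method = "addition") -> int:
        return risk_level(self.consequence, self.probability, method)

    def residual(self, method: Method = "addition") -> int:
        # No treatment planned: the residual risk is the inherent risk, unchanged.
        if self.residual_consequence is None or self.residual_probability is None:
            return self.inherent(method)
        return risk_level(self.residual_consequence, self.residual_probability, method)

    def acceptable(self, threshold: int = ACCEPTABLE_RISK, method: Method = "addition") -> bool:
        return self.residual(method) <= threshold


def annual_expected_loss(single_loss: float, annual_rate: float) -> float:
    """ALE = SLE x ARO: loss per occurrence times expected occurrences per year."""
    return single_loss * annual_rate


def control_is_cost_effective(ale_before: float, ale_after: float, annual_control_cost: float) -> bool:
    """A safeguard pays for itself when its yearly cost is below the loss it removes,
    not merely below the total annual loss."""
    return annual_control_cost < (ale_before - ale_after)


def treatment_plan(register: List[Risk], method: Method = "addition") -> List[dict]:
    """One row per risk: inherent and residual level plus whether it is now acceptable."""
    return [
        {"asset": r.asset, "threat": r.threat, "inherent": r.inherent(method),
         "residual": r.residual(method), "acceptable": r.acceptable(method=method),
         "safeguards": r.safeguards}
        for r in register
    ]


# Constructed sample register (not from the article); the first row reuses the
# article's 4/5 -> 3/2 figures, the last has no treatment planned yet.
SAMPLE_REGISTER = [
    Risk("customer database", "ransomware", "no tested offline backups", 4, 5,
         ["offline backups with restore tests", "patch management"], 3, 2),
    Risk("HR laptops", "theft", "disk not encrypted", 3, 3,
         ["full-disk encryption"], 1, 3),
    Risk("public web server", "DDoS", "no upstream filtering", 3, 4),
]

if __name__ == "__main__":
    for row in treatment_plan(SAMPLE_REGISTER):
        print(row)
    ale_before = annual_expected_loss(500_000, 0.5)   # $250,000/yr, as in the article (split assumed)
    ale_after = annual_expected_loss(50_000, 0.5)     # assumed residual recovery cost with backups
    print(control_is_cost_effective(ale_before, ale_after, 40_000))                  # True
    print(control_is_cost_effective(ale_before, ale_before - 100_000, 200_000))     # False
```

Running the script prints the treatment plan and the two cost checks: the backup control costing $40,000 a year against a $225,000 reduction in expected loss is approved, while a $200,000 control that is cheaper than the $250,000 annual loss but only removes $100,000 of it is not.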
Having a high-level but clear picture of information security risks is much better than not having a picture at all. Risks can be identified in several ways. One possibility is to identify previous situations that threatened a project. A risk can also be an opportunity. In all cases, an important factor is proximity, which identifies the date on which a risk can take effect. All risks are defined as “uncertainties of outcome”, whether threats or opportunities.

Assent's ISO 27001 consultants can help you develop a risk management methodology tailored to your business and incorporating the recognized principles of ISO 31000. Typically, ISO 27001 risk assessment only gives you a headache when you do it for the first time, which means that risk assessment doesn't have to be difficult once you know how it's done.