ISO 27001 and risk management

I really like the fact that ISO 27001 is based on risk assessment, and I guess I am not the only one, since the next version of ISO 9001 will also introduce risk management to replace preventive action, with a focus on risk identification and mitigation (see the new ISO 9001:2015 edition).
The ISO 27001 international standard specifies the requirements for establishing, implementing, maintaining and continually improving information security processes and controls systematically and consistently within the context of the organisation’s overall business risks (see ISO).
This is why ISO 27001 is so relevant to ALL organisations and businesses that have information to protect. It is not a standard that describes from the outset what you need to protect and how you should protect it, but one that asks you first to identify your valuable assets, seen in the context of the organisation and its interested parties, then to make a judgement about the risk to each asset, and finally to draw up a risk treatment plan.
When it comes to choosing a risk management process, ISO 27001 is again not prescriptive but simply requires that:
You settle on a process (ISO 27005:2011 gives a lot of guidance, see figure 1) that you can repeat and that produces comparable results
You determine what your risk appetite is
You identify risk owners
You define and apply an information security risk treatment plan
Once a risk has been assessed, the next step in the risk management process is to identify what risk treatment action, if any, is appropriate for each of the risks identified in the risk assessment. In short, you have 4 options:
Avoid (Disabling USB ports is an example)
Reduce (A firewall is an example)
Transfer (Outsourcing or buying insurance is an example)
Accept (Allowing staff to use the internet is an example)
There are plenty of tools and software solutions available to help you do risk management. I like to keep it simple and use a spreadsheet: you list the asset you are reviewing, describe the risk and its impact on the business, score likelihood and severity (each between 1 and 5) and multiply them to give an overall score, and finally define the mitigating action and re-score.
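As an added illustration (not the author's spreadsheet, nor code from any tool the post mentions), the Python below models that register: likelihood and severity scored 1 to 5 and multiplied, one of the four treatment options, a named risk owner, and a re-score after the mitigating action, with a consistency check that flags entries still above the risk appetite. The appetite value of 8, the field names and the sample entries are constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

RISK_APPETITE = 8  # assumed threshold: a score above this needs treatment or an owned acceptance
TREATMENTS = {"avoid", "reduce", "transfer", "accept"}  # the four options described in the text

@dataclass
class Risk:
    asset: str
    description: str
    owner: str
    likelihood: int                   # 1..5, as in the spreadsheet
    severity: int                     # 1..5
    treatment: str                    # one of TREATMENTS
    action: str = ""                  # mitigating action, or the rationale for accepting
    residual_likelihood: Optional[int] = None  # re-scored values after the action
    residual_severity: Optional[int] = None
    def inherent_score(self) -> int:
        return self.likelihood * self.severity
    def residual_score(self) -> Optional[int]:
        rl, rs = self.residual_likelihood, self.residual_severity
        return None if rl is None or rs is None else rl * rs

def check_register(risks: List[Risk]) -> List[Tuple[str, str]]:
    findings = []  # (asset, problem) pairs; an empty list means the register is consistent
    for r in risks:
        for name, value in (("likelihood", r.likelihood), ("severity", r.severity)):
            if not 1 <= value <= 5:
                findings.append((r.asset, f"{name} {value} is outside 1-5"))
        if r.treatment not in TREATMENTS:
            findings.append((r.asset, f"unknown treatment '{r.treatment}'"))
        if not r.owner:
            findings.append((r.asset, "no risk owner assigned"))
        if r.inherent_score() <= RISK_APPETITE:
            continue  # within appetite: nothing further is required
        residual = r.residual_score()
        if r.treatment == "accept":
            if not r.action:
                findings.append((r.asset, "accepted above appetite without a recorded rationale"))
        elif residual is None:
            findings.append((r.asset, "treated but not re-scored"))
        elif residual > RISK_APPETITE:
            findings.append((r.asset, f"residual score {residual} still above appetite"))
    return findings
# Constructed register entries for demonstration, not taken from any real assessment.
SAMPLE_REGISTER = [
    Risk("Laptops", "Data theft via USB storage", "IT manager", 4, 4, "avoid", "USB mass storage disabled", 1, 4),
    Risk("Web server", "Admin interface exposed", "Ops lead", 4, 5, "reduce", "Firewall limits admin port to VPN", 2, 5),
    Risk("Staff internet", "Malware via browsing", "", 3, 2, "accept", "Business need"),
]
```

Running check_register over SAMPLE_REGISTER reports the web server entry, whose residual score of 10 is still above the appetite, and the staff-internet entry, which has no owner.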
Contact us at firstname.lastname@example.org if you would like assistance with your risk management or ISO 27001 project.