Template and example for risk analysis according to ISO 27001
The ISO 27001 standard requires organizations to conduct a risk assessment as part of regular risk management. To pass an ISO 27001 certification audit, a company must be able to demonstrate that its risk management methodology is applied systematically and documented. To be effective, you need to carry out a number of risk analyses, and the aim and purpose of risk management must be defined transparently. BSI Standard 200-3 describes several risk analysis methods. Another option is to apply the principles and guidelines of ISO 31000. Data-intensive business models, however, should rely on ISO 27005, because it addresses information security risks specifically. By aligning ISO 27001 with ISO 31000 you can integrate information security risk management into corporate risk management. So where do you have to start?
How do you carry out a risk analysis?
Start by making a list of possible threats. Consider who would benefit from damaging your organization, and do not limit yourself to hackers, thieves and employees in debt from a gambling addiction. In the next step, consider whether these groups also have the personnel and technical capability to cause such damage. Some threat sources would gain financially from stealing your customer list but lack the technical ability to disable your security precautions from outside. Others have the expertise but no interest in your assets, because those assets do not fit their strategic orientation (their target profile).
Identification of vulnerabilities
To identify vulnerabilities in a targeted manner, you must carry out an ISMS risk analysis. But what is a vulnerability in the sense of ISO 27001? A vulnerability is a weakness in a business process, product, IT system or control procedure that a threat can exploit. If the risk analysis shows that a product can develop a vulnerability, consider how it could arise. By embedding secure software development practices in the organization, you reduce the risk of compromised software in your products.
How do I identify these vulnerabilities in my organization in accordance with ISO 27001? A good first step is a mind map. Exchange ideas with colleagues and other departments in targeted conversations, so that you surface problem areas you may not know about personally. This produces a growing list of potential threats and vulnerabilities that can be connected by relationship lines, which makes the dependencies between individual points visible. Some threats trigger others, and this snowball effect increases the damage to the organization as a whole. Vulnerabilities should therefore never be viewed in isolation. For example, attackers who manipulate source code or firmware that is later shipped in devices can cause those devices to malfunction and produce significant insured losses.
Check existing protective measures
It is not enough to formulate security measures in the ISMS and communicate them to the organization. People tend to forget instructions and rules, so you must check the effectiveness of the existing protective measures. Sometimes a well-thought-out measure is dutifully implemented by the workforce but in reality has only a placebo effect against the risk, and the threat can harm the organization and its assets unhindered. Some protective measures also cost more than the damage they are meant to prevent. You must therefore always consider whether the risk can be reduced by technical and organizational means at a justifiable cost. Sometimes there is no choice but to accept the risk or transfer it to an insurance company (or a specialized service provider).
Classification using a risk matrix
The use of a risk matrix has proven successful in many organizations. When our experts act as ISO 27001 auditors on behalf of various British and European certification bodies (e.g. BSI, SGS), we see different ways of applying a risk matrix. It visualizes the probability that a risk occurs against the associated consequences (impact).
Assessment of the probability of occurrence
The expected probability of a threat must be assessed by the owner of the asset (e.g. the head of software development). How likely is it that a given event will occur within a given period? To answer this, examine the threat source, its motivation and its capability from a 360° perspective. Discuss with colleagues in the affected team how this type of threat could occur, and question the existence and effectiveness of the existing measures.
Determination and analysis of impacts
For a risk matrix to benefit the organization, you must determine the level of each risk. Evaluate the negative consequences of the damaging event, taking into account known vulnerabilities and possible unknown ones. In the worst case the expected damage can threaten the existence of your organization.
How do I reduce the risk of exposure?
Define appropriate security measures to treat the identified risks. The treatment options are to reduce, avoid, share or accept a risk. Divide the measures into cause-related and impact-related measures; this makes it easier to create future lists of measures and checklists.
Cause-related measures
Cause-related measures reduce the probability of occurrence and thus the number of damaging events.
Impact-related measures
Impact-related measures minimize the extent of the negative consequences once an event has occurred.
How do I deal with the identified risks?
For each risk identified and prioritized in the ISMS risk analysis, determine which measures you will use to treat it, and where necessary describe what the treatment should look like. Estimate the cost of implementing the chosen measure on the basis of the risk assessment, and weigh the cost and effectiveness of the measure against its realistic benefit for the organization. Top management (or senior management) should consider the risks in groups, so that risks with a low probability of occurrence but a high severity can be considered separately.
If a measure cannot be justified economically, consider how the threat can be dealt with differently. If you seriously intend to obtain an ISO 27001 certificate, you must have a documented risk treatment plan in place. In this implementation plan, determine the order and time frame for implementing the measures, prioritized according to the prioritization of the risks, and do not forget your cost-benefit analysis.
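The matrix classification described above and the cost-benefit decision described here, as an added worked example in Python. This is illustrative code written for this article, not a template from ISO 27001 or from any certification body: the 1 to 5 scales, the level thresholds, the mapping from likelihood rating to events per year, the treatment heuristic and the sample register are all assumptions.

```python
"""Added example: score an ISMS risk register with a 5x5 matrix and check
whether each planned measure is worth its cost. Illustrative code written for
this article, not an ISO 27001 template; scales, thresholds and data are assumed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed mapping from the 1..5 likelihood rating to expected events per year,
# used only for the cost-benefit check (ISO 27001 prescribes no such scale).
ANNUAL_RATE = {1: 0.05, 2: 0.2, 3: 1.0, 4: 3.0, 5: 10.0}

@dataclass
class Risk:
    asset: str
    owner: str                  # the asset owner who rates the likelihood
    threat: str
    vulnerability: str
    likelihood: int             # 1 (rare) .. 5 (almost certain)
    impact: int                 # 1 (negligible) .. 5 (severe)
    loss_if_occurs: float       # assumed single-event loss in GBP
    measure: Optional[str] = None
    measure_kind: Optional[str] = None   # "cause" lowers likelihood, "impact" lowers loss
    measure_cost: float = 0.0            # assumed annual cost of the measure
    residual_likelihood: Optional[int] = None  # set by a cause-related measure
    residual_loss: Optional[float] = None      # set by an impact-related measure

def score(likelihood: int, impact: int) -> int:
    """Cell value of the 5x5 matrix; rejects ratings outside the scale."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("ratings must be between 1 and 5")
    return likelihood * impact

def level(s: int) -> str:
    """Assumed thresholds on the 1..25 product; tune them to your risk appetite."""
    if s >= 15:
        return "critical"
    if s >= 8:
        return "high"
    if s >= 4:
        return "medium"
    return "low"

def low_probability_high_severity(r: Risk) -> bool:
    """The group top management should review separately: unlikely but severe."""
    return r.likelihood <= 2 and r.impact >= 4

def annual_loss(likelihood: int, loss_if_occurs: float) -> float:
    return ANNUAL_RATE[likelihood] * loss_if_occurs

def measure_justified(r: Risk) -> bool:
    """Cost-benefit check: the measure pays for itself when its annual cost is
    below the expected annual loss it removes."""
    if r.measure is None:
        return False
    before = annual_loss(r.likelihood, r.loss_if_occurs)
    lk = r.residual_likelihood if r.residual_likelihood is not None else r.likelihood
    loss = r.residual_loss if r.residual_loss is not None else r.loss_if_occurs
    return r.measure_cost < before - annual_loss(lk, loss)

def treatment(r: Risk) -> str:
    """Assumed heuristic for the treatment option. Avoidance (dropping the
    activity altogether) is a business decision and is not derived here."""
    lvl = level(score(r.likelihood, r.impact))
    if lvl == "low":
        return "accept"
    if measure_justified(r):
        return "reduce"
    if lvl in ("critical", "high") or low_probability_high_severity(r):
        return "share"          # insurer or specialised service provider
    return "accept"

def prioritised(register: List[Risk]) -> List[Tuple[str, str, int, str]]:
    """Rows for the risk treatment plan, highest inherent score first."""
    rows = [(r.asset, r.threat, score(r.likelihood, r.impact), treatment(r))
            for r in register]
    return sorted(rows, key=lambda row: row[2], reverse=True)

# Constructed sample register for this example, not real data.
REGISTER = [
    Risk("firmware build pipeline", "head of software development",
         "tampered firmware shipped in devices", "unsigned build artefacts",
         likelihood=2, impact=5, loss_if_occurs=2_000_000,
         measure="sign and verify every build artefact", measure_kind="cause",
         measure_cost=60_000, residual_likelihood=1),
    Risk("customer list (CRM)", "head of sales",
         "insider sells the customer list", "every CRM user may export all records",
         likelihood=3, impact=3, loss_if_occurs=150_000,
         measure="restrict and log CRM exports", measure_kind="cause",
         measure_cost=5_000, residual_likelihood=2),
    Risk("primary data centre", "head of IT operations",
         "flooding", "ground-floor server room",
         likelihood=1, impact=5, loss_if_occurs=5_000_000,
         measure="relocate to a second site", measure_kind="impact",
         measure_cost=900_000, residual_loss=500_000),
    Risk("office printers", "facilities manager",
         "toner theft", "unlocked supply cupboard",
         likelihood=3, impact=1, loss_if_occurs=200),
]
```

Calling `prioritised(REGISTER)` yields the treatment plan order: the firmware risk (score 10, high) and the CRM risk (score 9, high) both get "reduce" because their measures cost far less than the annual loss they remove; the data-centre flood (score 5, medium) lands in the low-probability, high-severity group and its relocation does not pay for itself, so the heuristic suggests sharing it with an insurer; toner theft (score 3, low) is simply accepted. The scales and thresholds are assumptions and should be replaced by the ones your asset owners and top management agree on.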
Step by step to risk analysis
Follow these six steps to carry out an effective risk analysis:
1. ISO 27001 risk assessment methodology
2. Risk assessment implementation
3. Risk treatment implementation
4. ISMS risk assessment report
5. Statement of Applicability
6. Risk treatment plan
Who is severely at risk and needs ISO 27001?
Businesses providing critical infrastructure for the population are highly at risk of becoming victims of criminal and state-driven attacks. It is not only companies developing military equipment that are at risk of state-sponsored sabotage and espionage. Even British universities are being targeted by foreign agencies in order to steal research and identify vulnerable individuals. For universities it is not just about students or teaching staff who originate from oppressed countries: the national security of a country depends not only on its bravest but also on its most intelligent citizens, who might one day help protect the country's freedom.
These are currently the types of businesses most at risk:
- Universities (private and state run)
- Research institutes
- Defence contractors
- IT companies
- ISPs and SaaS businesses
- Web hosting providers and agencies
- Marketing agencies and internet agencies
- Recruiters and temporary staff agencies
- Software companies
- Utilities (waterworks, electricity companies, gas operators)
- Transport services (TfL, train services, bus services, ferries)
- Police and council administrations
- Schools and education providers
- Social media platforms
- Banks and VC firms
- and many others