ISO 27001 & the Risk Management Process [+Template]
Published: January 25th, 2021
Author: Matt Quinn
Categories: ISO Risk Management
In order to achieve ISO 27001 certification, an organization needs to meet the requirements detailed in the information security standard. Whether or not your organization has done so is determined by a certification audit, carried out by an accredited auditor. (The same certification process is followed for all management system standards.)
For those new to the field, some of the most difficult requirements to handle are those related to risk management. This is because risk management is not something most businesses (particularly SMEs) do by default.
For example, requirements surrounding Human Resources (A.7) or Supplier Management (A.15) will be familiar to HR or Procurement professionals.
The same is not true for risk management. Most businesses will not have an in-house risk expert or project manager. Those that do are likely to operate in more specialist industries that require risk management day to day (e.g. in the data protection field).
The issue can be further complicated by the rather specific definition of risk in ISO 27001. It is not some all-encompassing, ill-defined potential harm; rather, as defined in ISO/IEC 27000, “risk” is the “effect of uncertainty on objectives”.
Though the requirements can seem formidable at first glance, once broken down they become easier to understand. This article will provide you with an overview of the process and highlight how risk management can help your business.
What are the requirements?
The risk management requirements in ISO 27001 are found in Clause 6 (Planning) and Clause 8 (Operation).
Clause 6 contains the ‘bulk’ of the risk management requirements that organizations looking to implement ISO 27001 must follow. Specifically, across sub-clause 6.1, the standard sets out in detail the overarching risk assessment and treatment process.
6.1.1 opens with general requirements for the information security management system (ISMS) itself. These include making sure the ISMS can achieve its intended outcome(s) and achieve continual improvement.
Then it moves to the first risk management requirement. It is general, requiring that organizations plan:
-actions to address risks and opportunities.
6.1.2 is concerned with the initial risk assessment. That is, the steps you must follow to determine the risk your organization faces. It mandates that organizations must define and apply an information security risk assessment process that:
-establishes and maintains risk assessment criteria;
-ensures that all information security risk assessments produce consistent, valid and comparable results;
-identifies information security risks;
-analyzes information security risks; and
-evaluates the information security risks.
6.1.3 then follows with the requirements for an information security risk treatment process. These are the steps you must follow in order to mitigate or reduce the risk your organization faces. It says that your organization must define and apply an information security risk treatment process to:
-select appropriate information security risk treatment options;
-determine all information security controls that are necessary to implement the information security risk treatment option(s) chosen;
-compare the controls chosen (above) with those in Annex A and verify that no necessary controls have been omitted;
-produce a Statement of Applicability; and
-create an information security risk treatment plan.
In comparison to 6.1, the requirements of Clause 8 are relatively brief. While Clause 6 sets out the risk assessment and treatment process, Clause 8 requires that organizations actually follow these processes.
8.2 states that organizations must perform risk assessments at planned intervals, or when significant changes are proposed or occur, and 8.3 mandates that organizations must implement the information security risk treatment plan.
In both instances, organizations must retain documented information of the results of the risk assessment(s) and risk treatment plan(s).
How can I implement the requirements?
As mentioned before, implementing a risk assessment and risk treatment process is no easy task. This is particularly true at organizations without a pre-existing risk management culture.
To resolve that, it helps to break the requirements down clause by clause.
The focus of clause 6.1.1 is on the “planning of actions to address all types of risks and opportunities that are relevant to the ISMS”, according to ISO 27003, which provides guidance on how to implement an ISMS (Clauses 4-10).
In other words, 6.1.1 is about addressing risk throughout your management system and adopting a risk-led approach to everything you do. You need to plan how you will handle “risk” and make the best of any “opportunities”.
The last part is important. Risk management is not a purely negative exercise, looking only for potential risks. It is also an exercise to help you uncover opportunities.
For instance, your risk assessment may reveal an inefficient business process which is costing your organization money. Fixing the issue could help free up resources to be deployed elsewhere.
6.1.2 and 6.1.3 then get to the specifics of how to assess and thereafter manage risk. In layman’s terms, the three stages of the risk assessment process covered in 6.1.2 can be understood as follows:
-Identify – What risks (that could impact my objectives) does my organization face? This can be done in a variety of ways. For example, by considering the risks faced by your information assets.
-Analyze – What is the level of risk? At this point, you need to measure the level of risk you face. You can do this quantitatively, qualitatively or use a blend of the two.
-Evaluate – What should I do about the risk? Now that you have measured the level of risk you face, you need to make a decision about what to do. For example, does the risk pose a critical threat to your organization?
The process outlined in 6.1.3 kicks in once you have decided to remedy the issues raised (and quantified) by your risk assessment. Your risk treatment actions can be understood as a sort of contingency plan, and as a key part of your overall risk management plan.
They are the measures you are putting in place to help mitigate the risk. These measures can be anything from implementing the necessary Annex A controls to procedural or organizational changes.
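As an added illustration (this is not part of the original article, nor the template it offers), the following Python sketch works a small risk register through the 6.1.2 and 6.1.3 steps just described: identify, analyze, evaluate, then choose treatment options, check for omitted controls, and draft the Statement of Applicability. The 1-5 scales, the acceptance threshold, the sample risks and the two-entry control catalogue are constructed assumptions (Annex A has far more controls; only the A.7 and A.15 section titles are taken from the article); the option names “modify” and “retain” follow ISO 27005 terminology rather than anything ISO 27001 itself prescribes.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Risk assessment criteria (6.1.2, criteria and consistency): one 1-5 scale for
# likelihood and one for impact, risk level = likelihood x impact, and an
# acceptance threshold at or above which a risk must be treated. Applying the
# same criteria to every risk is what makes results comparable. Values are
# constructed for this example.
SCALE = range(1, 6)
ACCEPTANCE_THRESHOLD = 10

# Stand-in control catalogue (constructed). Annex A has many more controls;
# these two section titles correspond to the A.7 and A.15 references above.
CONTROL_CATALOGUE: Dict[str, str] = {
    "A.7": "Human resource security",
    "A.15": "Supplier relationships",
}

# The risk owner's choice of controls per treated risk (constructed sample data).
CONTROL_MAP: Dict[str, List[str]] = {
    "leaver keeps access after departure": ["A.7"],
    "supplier breach exposes customer data": ["A.15"],
}


@dataclass
class Risk:
    asset: str
    description: str
    likelihood: int
    impact: int
    treatment: str = "retain"                   # set by plan_treatment()
    controls: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError("likelihood and impact must be on the 1-5 scale")

    def level(self) -> int:
        """Analyze: the qualitative score applied uniformly to every risk."""
        return self.likelihood * self.impact


def identify() -> List[Risk]:
    """Identify: an asset-based register. Constructed sample entries."""
    return [
        Risk("HR records", "leaver keeps access after departure", 4, 4),
        Risk("Cloud supplier", "supplier breach exposes customer data", 2, 5),
        Risk("Office printer", "printed draft left in output tray", 3, 1),
    ]


def evaluate(risks: List[Risk], threshold: int = ACCEPTANCE_THRESHOLD) -> List[Risk]:
    """Evaluate: compare each level with the acceptance criteria."""
    return [r for r in risks if r.level() >= threshold]


def plan_treatment(risks: List[Risk], control_map: Dict[str, List[str]],
                   threshold: int = ACCEPTANCE_THRESHOLD) -> List[Risk]:
    """6.1.3 options and controls: "modify" = reduce with controls,
    "retain" = accept as is; record the controls the chosen option needs."""
    for r in risks:
        if r.level() >= threshold:
            r.treatment = "modify"
            r.controls = list(control_map.get(r.description, []))
        else:
            r.treatment = "retain"
            r.controls = []
    return risks


def unmitigated(risks: List[Risk]) -> List[str]:
    """6.1.3 verification: risks marked for modification with no control
    assigned, i.e. a necessary control that has been omitted."""
    return [r.description for r in risks if r.treatment == "modify" and not r.controls]


def statement_of_applicability(risks: List[Risk],
                               catalogue: Dict[str, str] = CONTROL_CATALOGUE) -> Dict[str, List[str]]:
    """Statement of Applicability: every catalogue control mapped to the risks
    it treats. An empty list means the control is excluded and needs a written
    justification in the SoA."""
    soa: Dict[str, List[str]] = {cid: [] for cid in catalogue}
    for r in risks:
        for cid in r.controls:
            if cid not in catalogue:
                raise KeyError(f"{cid} is not in the control catalogue")
            soa[cid].append(r.description)
    return soa


def treatment_plan(risks: List[Risk]) -> List[Tuple[str, str, int, List[str]]]:
    """Risk treatment plan: the actions to implement under Clause 8.3,
    highest risk first."""
    treated = [r for r in risks if r.treatment == "modify"]
    treated.sort(key=lambda r: r.level(), reverse=True)
    return [(r.asset, r.description, r.level(), r.controls) for r in treated]


if __name__ == "__main__":
    register = plan_treatment(identify(), CONTROL_MAP)
    for row in treatment_plan(register):
        print(row)
    print("omitted controls:", unmitigated(register))
    print("SoA:", statement_of_applicability(register))
```

The point of keeping the criteria in one place (`SCALE`, `ACCEPTANCE_THRESHOLD`) is the 6.1.2 consistency requirement: a repeat assessment under 8.2 scores the same risk the same way, so results from different intervals are comparable. `unmitigated()` is the simple check behind “verify that no necessary controls have been omitted”: a risk the owner decided to modify but never tied to a control is a gap the auditor will ask about.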
While risk management can seem like a challenge at first, when broken down it becomes a little easier. In acknowledgement of the difficulty organizations may face, ISO has produced a number of guidance documents, the most useful of which is ISO 31000. With the guidance available, and buy-in from key stakeholders, risk management can be turned from a time-consuming challenge into an organizational advantage.