ISO27001 Certification – Risk Assessment

July 7th, 2010

Risk assessment is the one area of certification that causes many organisations difficulty. It can require a comprehensive technical understanding of information security threats, combined with the ability to express these in a business language that can be understood by decision makers. Your decisions regarding information security developments, and how you interpret the results of incident reviews, and audits (internal and external), are based on this process.

The flexibility within the standard to choose controls depends on your demonstrating a rigorous risk assessment process that justifies your decisions. This applies particularly to control exclusions, limitations to the scope, and any risks that you decide to accept rather than develop countermeasures for.

While the ISO 27001 standard provides a framework for managing information security, it does not provide an absolute level of security. Through the risk assessment process you may choose to accept risks rather than eliminate them. It is therefore expected that you will have a number of identified risks that you only partly mitigate, and that residual risks will remain.

The importance of the risk assessment process is reflected by the fact that the required elements are all mandatory clauses within the ISO27001 standard.

The process can commence with a brainstorming exercise identifying a number of risk scenarios and their relationship to your key information assets. This should include assessment of the impact on these information assets where security incidents could involve:

Confidentiality – ensuring that information is accessible only to those authorised
Integrity – safeguarding the accuracy and completeness of information
Availability – ensuring that authorised users have access to information

Risk assessment must be an ongoing process which should be subject to regular updates and management review. As your ISMS develops, it should be central to your information security planning and decision making process.

ISO27001 Certification – ISMS Scope

July 7th, 2010

There are a number of variables that directly affect the scale and complexity of any ISO 27001 Information Security Management System (ISMS). Perhaps the most significant of these is your chosen scope.

Defining your ISMS scope should be one of the very first things you do when embarking upon an ISO 27001 project, to ensure that all your information assets have been identified and the associated risks assessed. Your chosen scope can be defined across geographical locations, internal departments, business processes or even individuals; it doesn’t necessarily need to cover your entire organisation.

However, it is important to remember that for your ISMS to be effective, the parts of the organisation that are certified must align with the areas that could affect your security and that will deliver you the most value. For instance: are all the people with access to your critical information included within the certification scope?

Clearly any security-savvy client will want reassurance that the way in which you handle, process, store and even dispose of their sensitive information is covered within the scope of your certification; they may even insist that security measures be defined in your contracts.

Also, don’t forget, your chosen statement of scope will appear on your certificate, so it is essential to get it right!