Conducting a risk assessment is a critical step in getting ISO 27001 certified. Your risk assessment guides your implementation and helps you identify the controls your organization needs to reduce its risk. In this article, we’ll explain what an ISO 27001 risk assessment is, how to perform a risk assessment, and how to use your findings to get ISO 27001 compliant.

‍

What is ISO 27001 risk management?

For ISO 27001, risk management is a combination of two components: risk assessment and risk treatment. Risk assessment is the process of identifying potential risks your organization faces and risk treatment is the actions taken to minimize those risks — both are required elements of ISO 27001 compliance.

‍

What is an ISO 27001 risk assessment?

Early in your ISO 27001 compliance project, you’ll need to conduct a risk assessment where you identify and analyze potential risks to your information security management system (ISMS). As part of your preparation process, you’ll need to determine the likelihood of each identified risk and the impact it would have on your data security if the risk were to occur.

‍

Conducting a risk assessment is required to be ISO 27001 compliant and guides the rest of your ISO 27001 implementation. Based on what risks arise, you’ll use that information to determine which ISO 27001 controls to implement to mitigate those risks.

‍

{{cta_withimage2="/cta-modules"}}

‍

How to conduct an ISO 27001 risk assessment

Your ISO 27001 risk assessment is one of the earlier steps in your compliance project. In the next section, we’ve broken down the steps of a risk assessment.

‍

‍

Develop your risk assessment methodology

‍The first step in creating a comprehensive risk assessment plan is to define your methodology. This includes determining how you will identify and address security vulnerabilities, how you plan to assign an owner to each risk, and how you’ve prioritized them. 

‍

Include the following components in your methodology:

‍

• A plan for identifying and documenting vulnerabilities that could compromise your data.
• A strategy for determining who in your organization should own each risk. This typically involves designating a staff member with knowledge of the organization to assign owners.
• A methodology for determining the likelihood that a risk will happen and the extent of the consequences if the risk does occur. It’s also important to rank the priority of each risk (such as using a numbered scale).
• Criteria for determining which risks you will address and when, based on priority rankings.

‍

Identify risks and vulnerabilities

Next, you’ll need to determine the risks that could compromise your security. Start by taking inventory of your information assets — consider your data storage locations, any devices or hardware that can reach your data, your network, software, and so on. Then create an extensive list of potential threats; some examples could be an employee’s laptop being stolen or an office visitor accessing an employee’s password.

‍

Analyze and prioritize risks

Now that you have a list of potential risks, determine how critical each one is to solve for and prioritize your risk treatment accordingly. This should be determined by how likely it is for this risk to occur and how severe the impact would be if it did. Go through your list of risks and determine if the likelihood is low, medium, or high for each one and do the same for each risk’s impact level.

‍

After you’ve set the likelihood and impact levels for each risk, use that information to prioritize the risks you need to address first. The risks that have both a high likelihood and a high impact ranking should be considered high-priority. 

‍

Mitigate identified risks

Next, you’ll need to use that list to take action on those risks. Look at each risk and determine ways to make it less likely to occur and reduce its impact. Identify which of the ISO 27001 Annex A controls to use to mitigate each one. Be sure to keep records of the Annex A controls you used for each risk so you can include this in your Statement of Applicability for your auditor to review.

‍

Complete risk reports

You’ll need evidence to prove that you’ve performed your risk assessment as well since your auditor will need to verify that you’ve done this step during your audit.

‍

To ensure you have sufficient evidence, create the following reports for your auditor:

‍

• Risk assessment report: A report of your risk assessment process and the steps you followed, what information assets you reviewed to identify those risks, which risks you found, and the likelihood and impact ratings you gave each risk.
• Risk summary: A shorter report explaining which risks you’ve chosen to address.
• Risk treatment plan: A plan that includes all the risks you plan to address through your ISO 27001 compliance along with your plan for mitigating each one.

‍

You may also want to consider starting your Statement of Applicability (SoA) at this stage as well as this document details how you’ve treated the risks you’ve identified. The SoA is a detailed report of the ISO 27001 controls you’ve implemented as a result of your assessment.

‍

Continually monitor and review your ISMS

Proper risk assessment is an ongoing process, not a one-time task. Whenever there are changes to your data storage, your network, or other aspects of your operations, new risks can arise. As part of your ISO 27001 risk assessment process, create a plan to continuously monitor for new risks or any changes that could alter the likelihood or impact of known risks. ISO 27001 certification requires you to conduct a full risk assessment at least once per year, but additional routine risk assessments will help you stay secure year-round.

‍

Tips for successful ISO 27001 risk management

Your risk management process has a downstream impact on the reliability of your results, the likelihood that you’ll pass your audit, how secure your data is, and how efficient the process is. As you follow the above steps, keep these tips in mind to execute your risk management strategy as effectively as possible.

‍

‍Align your risk methodology with your organization

There is no universal risk assessment methodology that works for every organization. Your methodology should align with the format of your organization. For instance, one organization might assign its CTO to determine risk ownership, while another organization might assign their head of security with risk ownership.

‍

Create a plan that works for your organization and team. If your organization is restructured or significantly changes at any point, review your risk assessment methodology to determine if it needs to change as well.

‍

Make your risk management process reasonable

Your risk management process needs to be thorough yet sustainable. If your methodology is overly ambitious and your team can’t keep up, it will be less effective. Cover as much of your risk as you can, but understand where your resources may be capped when it comes to remediating and mitigating risk. 

‍

Keep your documentation organized

As you develop your risk assessment methodology, keep your documentation in an accessible place. This will make your audit go smoother since your auditor will be able to quickly find the documentation they need. This also makes it easier for your team to access these documents when conducting internal audits or routine risk assessments. 

‍

Streamline risk assessments with Vanta

If you’re overwhelmed with ISO 27001 risk assessments, don’t worry — Vanta can help! 

‍

Vanta’s trust management platform provides guidance with step-by-step instructions for identifying gaps, assessing your risks, and implementing the applicable ISO 27001 controls. We provide a centralized repository for you to keep all your documentation and automate up to 80% of the work required to obtain ISO 27001. 

‍

{{cta_simple2="/cta-modules"}}