Five steps for successfully implementing an ISO 27001 risk assessment framework

Published: Friday, 09 November 2018 09:18

Gemma Platt shares five critical steps that businesses need to take in order to embed and embrace ISO 27001 risk assessments within their data protection processes.

If 2017 was the worst year for cyber attacks, according to the Online Trust Alliance, 2018 hasn't been much better. While we haven't yet seen a cyber incident on the scale of 2017's huge WannaCry and NotPetya ransomware attacks, which hit thousands of organizations globally, there have been many high-profile and damaging breaches.

Incidents like these can impact businesses in a number of ways. Operational systems can grind to a halt, leading to lost sales and revenues. The reputational repercussions of a data breach can travel fast in the age of social media, and be almost impossible to recover from. Finally, the introduction of GDPR adds a level of complexity that can leave businesses liable for fines of up to 4 percent of their annual global turnover in the wake of an incident.

Given that last year’s major incidents had such a significant impact on large international enterprises with huge cyber security resources at their disposal, it's understandable that small and medium sized businesses feel they have little chance of being able to defend themselves in the ever-growing threat landscape. However, that's not the case. Developing an effective cyber security posture is a procedure that can be followed and continuously measured; that process is ISO 27001.

Understanding the basics of ISO 27001

While ISO 27001 is not mandatory, it is considered the gold standard, and is one that most organizations uphold as a means of demonstrating a best-practice information security management system (ISMS). It follows a risk-based approach to securing corporate information assets associated with people, processes and technology, ultimately delivering a logical framework and a clear audit trail, which is particularly helpful should an incident occur and your organization be required to report a data breach.

Nevertheless, ISO 27001 can be challenging to secure and maintain. This is due in part to businesses continuing to rely on inefficient, time consuming and archaic methods of data collection, with spreadsheets piling high on security analysts’ desks. The requirement to re-evaluate risk assessments on an annual basis makes these manual processes even more labour intensive, which is why businesses are increasingly adopting electronic, automated processes to remove the potential for human error and the burden of work.

How then can an organization ensure it follows and applies the best practice set out in this standard? Here are five steps organizations need to follow to ensure successful execution:

Establish a risk assessment framework

Clause 6.1.2 of ISO 27001 mandates that risk assessments must be ‘consistent, valid and comparable’. In turn, this means your process must be objective, transparent and auditable, with a formal methodology that will produce consistent results each time, even when followed by different risk assessors.

To set out such a process, begin by identifying the business, regulatory and contractual requirements you have to meet in respect of information security – this might include the requirements of the GDPR or PCI DSS, for example. The point is you are starting with the context of your business, and the controls you are required to adopt in order to avoid fines and other sanctions, demonstrating to your customers and other stakeholders that you take the integrity of their data seriously. A risk assessment tool will help you identify which controls have been adopted.

Then, establish a ‘risk scale’ – that is, a combination of likelihood and impact. Likelihood is typically measured as frequency of occurrence (a typical scale might range from ‘once per year’ to ‘every second of every day’). Impact is more complex, and can involve financial loss, reputational damage, operational disruption and other factors, or a combination of these, all of which have to be reduced to a standard measure.

The risk scale is the number of options your methodology allows for both in terms of impact and likelihood. Experienced practitioners know that too much granularity – therefore too many options – makes risk assessment more complex and less consistent.

Also, consider an asset-based approach to risk assessment. Build a database of critical and valuable assets (for example, records of personal data) and assess events that might affect the security of each asset.

Good risk assessment tools should have compatible and integral asset databases. Assets can be split into multiple types to ensure that all relevant assets are identified and their owners defined. Such types will include information and data, hardware and software, physical locations and storage, systems and services, people and organizations, and intangible assets such as reputation.

Identify risks

Although identifying risks is relatively straightforward, it is often the most time-consuming part of the entire risk assessment process.
Risks cannot exist without three components: an asset that requires protection; a threat that can affect it; and a vulnerability that allows the threat to affect the asset. A common asset, for example, is a database of customer details including financial or personally identifiable information. This is a tempting target for cyber criminals, and the reputational damage and repair costs involved in dealing with a breach can be substantial.

Vulnerability is something that is part of the asset – a weakness in its perimeter protection for example - whilst a threat is external to the asset – say a cyber criminal seeking to steal personal data. Assets can have multiple threats that can affect them via multiple vulnerabilities. It is therefore important for the lead risk assessor to work with risk and/or asset owners to identify all the events that might compromise the confidentiality, integrity or availability of each asset and, for each event, analyse the risk and determine the likely impact on the organization.

Good risk assessment software should enable multiple users to work on a shared risk assessment and its supporting database in a way that maintains data integrity and provides a robust audit trail of each task carried out and by whom.

This is also the time to identify the controls that you already have in place so that you do not unnecessarily duplicate existing measures. Current controls should also be checked to determine whether they work properly or need to be removed, replaced, modified or supported by other controls.

Analyse risks

Risk analysis typically involves understanding how the threat might occur, which usually requires you to identify a specific vulnerability in your asset and a threat that might exploit that vulnerability.
For each event you identify, you should be able to assess the likelihood of each threat exploiting individual vulnerabilities and assign them a score or value.

Impact types could include human, financial, legal, regulatory, reputational and operational. Likelihood factors could include frequency of occurrence, previous occurrence, current levels of security control, size of attack group and knowledge of vulnerability.

Useful risk assessment software comes with built-in lists of threats and vulnerabilities, usually with appropriate links between them already defined. This removes the need for you to invest time and energy building your own database of threats and vulnerabilities, and should help accelerate and simplify the process of risk analysis. You should also be able to analyse risks on the basis that your baseline security controls are in place and effective.

Evaluate risks

Your risk assessment software should automatically collect the results of your risk analysis, calculate where each risk sits on your risk scale and, in particular, identify whether the risk falls within your predetermined level of acceptable risk.

You should very quickly be able to identify your highest risks and, therefore, prioritise which risks should be addressed and in which order.

Select risk management options

Once you have evaluated each risk and sorted them into order of priority, you should decide how to respond to them. There are four common responses: modification, usually by implementing security controls; retention, that is, accepting the risk; avoidance by ending the associated activity or circumstance; and sharing the risk, generally by insuring or outsourcing.

Your risk assessment methodology should define the criteria that enable these decisions to be made consistently. Your risk assessment software should then, for all the risks that you have decided to treat, provide a range of possible controls that could be applied to reduce the likelihood and/or impact, and finally, produce the two documents that are required by ISO 27001: the Statement of Applicability (SoA) and the risk treatment plan.

A risk-based approach is the most comprehensive and contextualised method to secure your organization’s vital systems and data. It is ultimately the best way to stay ahead of the game in a world of ever-evolving cyber threats – and positioning your organization as proactively as possible should the worst happen.

The author

Gemma Platt is Managing Executive at Vigilant Software.