Tip

A free risk assessment template for ISO 27001 certification

In today’s business environment, protection of information assets is of paramount importance.  It is vital for a company to demonstrate and implement a strong information security framework

    Requires Free Membership to View

in order to comply with regulatory requirements as well as to gain customers’ confidence. ISO 27001 is an international standard designed and formulated to help create a robust information security management system. It is a systematic approach to managing confidential or sensitive corporate information so that it remains secure (which means available, confidential and with its integrity intact).

ISO27001 explicitly requires risk assessment to be carried out before any controls are selected and implemented. Our risk assessment template for ISO 27001 is designed to help you in this task. Although specifics might differ from company to company, the overall goals of risk assessment that need to be met are essentially the same, and are as follows:

  • Identify risk.
  • Determine if existing control measures are adequate as per company’s appetite for risk.
  • Reduce the level of its risk by adding precautions or control measures, as necessary.

What is risk assessment?

To start from the basics, risk is the probability of occurrence of an incident that causes harm (in terms of the information security definition) to an informational asset (or the loss of the asset). In essence, risk is a measure of the extent to which an entity is threatened by a potential circumstance or event. It’s typically a function of the adverse impacts that would arise if the circumstance or event occurs, and the likelihood of occurrence.

The purpose of risk assessment is to identify:

  • Threats to organizations (i.e., operations, assets, or individuals) or threats directed through organizations against other organizations or the nation.
  • Vulnerabilities internal and external to organizations.
  • Adverse impact to organizations that may occur given the potential for threats exploiting vulnerabilities.
  • The likelihood that harm will occur.

The end result is determination of risk—that is, the degree and likelihood of harm occurring. Our risk assessment template provides a step-by-step approach to carrying out the risk assessment under ISO27001:

  • Calculate the asset value.
  • Identify vulnerability.
  • Identify threats.
  • Identify probability of threat and impact severity.
  • Calculate risk score.
  • Ascertain and establish controls.

Identify the assets and their value

Identifying assets is the first step of risk assessment. Anything that has value and is important to the business is an asset. Software, hardware, documentation, company secrets, physical assets and people assets are all different types of assets and should be documented under their respective categories using the risk assessment template. To establish the value of an asset, use the following parameters: 

  • Cost of the actual asset.
  • Cost to reproduce it.
  • Cost if stolen.
  • Value of intellectual property.
  • Price others are willing to pay for the asset.
  • Cost to protect the asset.

Once this is done, map each asset to its confidentiality, integrity and availability (CIA) levels and arrive at a rating. Typically, the categories for asset value could be Very High, High, Low and Medium.

  • Identify vulnerabilities

Vulnerabilities of the assets captured in the risk assessment should be listed. The vulnerabilities should be assigned values against the CIA values.

A vulnerability is the existence of a weakness, or error in design/implementation, that can lead to an unexpected, undesirable event compromising the security of the system, network, application, or process involved. The goal here is to identify vulnerabilities associated with each threat to produce a threat/vulnerability pair.

Vulnerabilities could be categorized as Very High, High, Low, and Medium.

  • Identify threats

A threat is a potential event that may cause an unwanted, harmful incident. In the risk assessment template, threats are generally categorized under headings such as malicious activity, malfunction, people and environmental and then scored as Very High, High, Medium, or Low.

Identify probability and business impact of potential threats

The next step using the risk assessment template for ISO 27001 is to quantify the probability and business impact of potential threats as follows:

  • Frequency with which the threat could take advantage of the vulnerability.
  • Productivity loss and cost.
  • Extent and cost of physical damage that the threat could cause.
  • Value lost if confidential information is leaked.
  • Cost of recovering from a virus attack.

The impact severity is calculated as shown below

Impact severity = Asset value x threat severity x vulnerability severity

Determine the probability that a threat will exploit vulnerability. Probability of occurrence is based on a number of factors that include system architecture, system environment, information system access and existing controls; the presence, motivation, tenacity, strength and nature of the threat; the presence of vulnerabilities; and, the effectiveness of existing controls.

Calculate risk score

The risk score is calculated as follows

                                         Risk Score = Impact severity x probability

The risk score may be depicted as below:

Risk Score

Description

Low

Accept

Medium

May need to add additional control

High

Need to treat

Very High

Requires immediate attention

Risk treatment plan

After the risk assessment template is fleshed out, you need to identify countermeasures and solutions to minimize or eliminate potential damage from identified threats.

A security countermeasure must make good business sense, meaning that it must be cost-effective, with benefits outweighing the costs. This requires a cost/benefit analysis.

A commonly used cost/benefit calculation for a given safeguard is:

(ALE before implementing safeguard) – (ALE after implementing safeguard) – (annual cost of safeguard) = value of safeguard to the company.

For example, suppose the Annualized Loss Expectancy (ALE) of the threat of a hacker bringing down a Web server is Rs 12,000 prior to implementing a suggested safeguard and Rs 3,000 after implementing the safeguard. If the annual cost of maintenance and operation of the safeguard is Rs 650, then the value of this safeguard to the company is Rs 8,350 each year.

This was first published in July 2012

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.