Creating a successful ISO 27001 risk assessment

When it comes to protecting your company or business from information security risks, a full risk assessment is necessary. But does your risk assessment meet the requirements of ISO 27001? And what exactly is this standard? Here at Creative Network Solutions, we are Preston’s leading IT support and network services experts. From secure remote access services to business VoIP, we are the team you can count on. This is our guide to everything you should know about creating an ISO 27001 risk assessment.

What is ISO 27001?

ISO/IEC 27001 is the international standard for information security management. It specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS): a best-practice approach that helps organisations manage their information security by addressing people, processes and technology. Risk assessment and risk treatment sit at the centre of the standard, because the controls an organisation applies must be justified by the risks it has identified.

What are the steps for creating a successful ISO 27001 risk assessment?

So how can your company or business establish a risk assessment that meets the requirements and best practices set out by ISO 27001? There are a number of steps to consider, including:

  • Define your methodology - this involves understanding the context of your company and the risk criteria that apply to your business, typically a defined scale for likelihood and for impact and a rule for combining them into a risk score. The criteria need to be clearly defined so that risks are identified and scored consistently, by whoever performs the assessment and whenever it is repeated. Finally, you will need to determine your risk acceptance criteria, which establish the level of residual risk you are prepared to accept without further treatment.
  • Take an asset-based approach - an asset-based approach starts by identifying all of your information assets, and for many organisations it is more systematic than a scenario-based approach. The current edition of ISO 27001 does not mandate either, so choose the one you can apply consistently. Your information assets should include hard copies of information, electronic files, removable media, mobile devices and intangibles such as intellectual property, and each asset should have a named owner.
  • Identify threats and vulnerabilities - with a thorough list of information assets you can then identify the threats to each asset and the vulnerabilities those threats could exploit. The relevant threats differ for each type of information asset and its purpose: a paper archive faces fire and theft, while a customer database faces ransomware, credential theft and misconfiguration.
  • Evaluate the risk - using the risk criteria you defined earlier, score the likelihood and impact of each threat and vulnerability pair and rank the results. This tells you which risks are the biggest, which need treating first, and which already fall within your acceptance criteria.
  • Treat the risk - ISO 27001 (following ISO 27005) recognises four risk treatment options:
    • Modify the risk by applying security controls to reduce the likelihood of it occurring and/or the damage it will cause.
    • Retain the risk - accept it because it falls within the previously established risk acceptance criteria, or by an explicit, documented management decision where it does not.
    • Avoid the risk by changing or stopping the activity that gives rise to it.
    • Share the risk with a partner, such as an insurer or a third party that is better equipped to manage it. Note that sharing the consequences does not transfer accountability for the information.
  • Create a risk report - this is necessary for audit and certification purposes. It records the assessment results, the risk treatment plan (which option was chosen for each risk, which controls apply, who owns them and by when) and the Statement of Applicability, which lists each Annex A control, whether it applies, and the justification either way. The assessment is not a one-off: ISO 27001 requires it to be repeated at planned intervals and whenever significant changes occur, so the report should be a living document.
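The steps above can be carried through end to end in a small risk register. The following is an added example written for this guide, not code from ISO 27001 or from Creative Network Solutions: it defines 5x5 likelihood and impact criteria and an acceptance threshold, scores each asset, threat and vulnerability combination, applies one of the four treatment options, checks the residual risk against the acceptance criteria, and produces the rows of a treatment plan and a Statement of Applicability. The scales, the threshold of 6, the sample assets and the Annex A control references are all constructed assumptions; check the control numbers against the edition of the standard you are certifying to.

```python
"""Asset-based ISO 27001 style risk register (illustrative example)."""
from dataclasses import dataclass
from typing import Optional

# Risk criteria (assumed for this example): 5x5 likelihood x impact scales.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
# Risk acceptance criterion (assumed): a residual score at or below 6 may be retained.
ACCEPTANCE_THRESHOLD = 6
TREATMENTS = ("modify", "retain", "avoid", "share")


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    treatment: str = "retain"
    controls: tuple = ()                     # controls or partner applied, e.g. Annex A refs
    residual_likelihood: Optional[str] = None  # after treatment; defaults to inherent value
    residual_impact: Optional[str] = None
    accepted_by_exception: bool = False      # explicit, documented management sign-off

    def __post_init__(self):
        if self.treatment not in TREATMENTS:
            raise ValueError(f"unknown treatment {self.treatment!r}")
        if self.treatment in ("modify", "share") and not self.controls:
            raise ValueError("modify/share must name the controls or partner applied")

    def inherent_score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> int:
        if self.treatment == "avoid":        # activity stopped: risk no longer exists
            return 0
        if self.treatment == "retain":       # nothing changes
            return self.inherent_score()
        lik = self.residual_likelihood or self.likelihood
        imp = self.residual_impact or self.impact
        return LIKELIHOOD[lik] * IMPACT[imp]

    def is_acceptable(self) -> bool:
        return self.residual_score() <= ACCEPTANCE_THRESHOLD or self.accepted_by_exception


def risk_treatment_plan(risks):
    """Rows for the risk report, highest inherent risk first."""
    return [{
        "asset": r.asset, "threat": r.threat, "vulnerability": r.vulnerability,
        "inherent": r.inherent_score(), "treatment": r.treatment,
        "controls": list(r.controls), "residual": r.residual_score(),
        "acceptable": r.is_acceptable(),
    } for r in sorted(risks, key=lambda r: r.inherent_score(), reverse=True)]


def statement_of_applicability(risks, catalogue):
    """Mark each catalogue control applicable if a 'modify' treatment relies on it."""
    soa = {c: {"applicable": False, "justification": []} for c in catalogue}
    for r in risks:
        if r.treatment != "modify":
            continue
        for c in r.controls:
            soa.setdefault(c, {"applicable": False, "justification": []})
            soa[c]["applicable"] = True
            soa[c]["justification"].append(f"{r.asset}: {r.threat}")
    return soa


def unacceptable(risks):
    """Risks still above the acceptance criteria and without a signed-off exception."""
    return [r for r in risks if not r.is_acceptable()]


# Constructed sample register covering the asset types named in the guide.
SAMPLE_RISKS = [
    Risk("Customer database (electronic)", "ransomware", "unpatched file server",
         "likely", "severe", treatment="modify", controls=("A.8.8", "A.8.13"),
         residual_likelihood="unlikely", residual_impact="moderate"),   # 20 -> 6
    Risk("Staff laptops (mobile devices)", "theft", "no full-disk encryption",
         "possible", "major", treatment="modify", controls=("A.8.24",),
         residual_impact="minor"),                                       # 12 -> 6
    Risk("Archived contracts (hard copy)", "fire", "single storage location",
         "rare", "major", treatment="share", controls=("insurance policy",),
         residual_impact="minor"),                                       # 4 -> 2
    Risk("Legacy FTP upload service", "credential interception", "cleartext protocol",
         "likely", "moderate", treatment="avoid"),                       # 12 -> 0
    Risk("Marketing brochures (intangible)", "disclosure", "public by design",
         "almost certain", "negligible", treatment="retain"),            # 5 -> 5
    Risk("Source code (intellectual property)", "insider exfiltration", "no egress monitoring",
         "possible", "major", treatment="retain"),                       # 12 -> 12, not accepted
]

if __name__ == "__main__":
    for row in risk_treatment_plan(SAMPLE_RISKS):
        print(row)
    for r in unacceptable(SAMPLE_RISKS):
        print("NEEDS DECISION:", r.asset, r.threat, r.residual_score())
```

The last sample risk is deliberately left above the threshold with no exception recorded, so it surfaces as an open item; in a real register that is exactly the case an auditor will look for, and it must end either in a treatment or in a documented management acceptance.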

For more information or advice about your network security, systems, or cloud solutions, why not ask the experts today, here at Creative Network Solutions.