What is a risk assessment in ISO 27001?
January 11, 2019
An information security risk assessment is a method that helps organisations identify risks to their operations that arise from their information systems. It also helps them prioritise which risks need action, based on criteria established before the assessment begins.
Risk assessments consider the many ways in which a risk could affect the company. Direct losses, such as lost income, are part of the evaluation, but indirect consequences must also be accounted for: damage to the company's reputation can cause greater long-term harm than the initial loss. When organisations put together a risk assessment, they also identify ways to limit the threats and minimise the losses that could occur.
Types of Risk Assessment
Three primary types of information security risk assessments exist.
Threat-Based
A threat-based assessment looks at the damage a threat could cause if it materialises, how likely it is to occur, and which systems it could affect.
Event-Based
An event-based risk assessment considers what could happen if an unforeseen event has a negative impact on the information systems. While an organisation cannot predict every possible threat, it can have procedures in place to adapt quickly to an emerging situation.
Asset-Based
An asset-based risk assessment keeps the importance of each affected asset in mind when deciding whether a risk is acceptable. Something that could take down a mission-critical system, for example, is a greater risk than an issue that could cause only minor disruption.
ISO 27001 Guidance for Risk Assessment
ISO 27001 (clause 6.1.2 of ISO/IEC 27001:2013) sets requirements for how organisations carry out their information security risk assessment and put treatment plans in place for the risks it finds. The first thing to consider is the organisation and its overall context: top management may be more or less willing to accept risk, and that appetite shapes the acceptance criteria. The feasibility of the proposed treatment plans, and the resources required to implement them, is another consideration, as is the question of what consequences follow if a risk is left untreated.
Every risk in the organisation should be considered, and the assessment criteria must be applied consistently so that repeated assessments produce comparable results. Without consistent criteria it is impossible to tell whether the business is actually reducing the risk to its systems. Risk acceptance criteria must be clear and must cover the consequences of the risk materialising. Loss of confidentiality, integrity or availability of information stays at the forefront of all these considerations. The organisation should use quantitative or qualitative values (or both) in the analysis to create a baseline against which later assessments can be compared.
Once the company completes the risk assessment for its information systems, it has the information it needs to select and justify the protections it puts in place. The same data guides decision-makers when new risks appear.
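To make the points about consistent criteria, acceptance thresholds and a comparable baseline concrete, here is a small risk register in Python. It is an added example, not code from the original article and not a method prescribed by ISO 27001: the 1-5 likelihood and impact scales, the likelihood x impact score, the acceptance threshold of 8 and the sample register and treatment plan are all assumptions chosen for illustration. What it shows is the mechanics the standard asks for: every entry scored against the same fixed scales (entries outside the scales are rejected), each risk tagged with the confidentiality, integrity or availability property at stake, risks ranked and compared with an acceptance criterion, and total exposure recomputed after treatment so the organisation can see whether risk actually went down.

```python
"""Risk register that scores, evaluates and prioritises information security risks.

Added example: not code from the original article and not a method prescribed by
ISO 27001. The 1-5 scales, the likelihood x impact score and the acceptance
threshold are assumptions chosen for illustration; under ISO/IEC 27001 clause
6.1.2 each organisation defines its own criteria.
"""
from dataclasses import dataclass, replace

# Assumed scoring criteria. Fixing them in one place, and rejecting anything
# outside them, is what makes results comparable between assessments.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ACCEPTANCE_THRESHOLD = 8  # assumed: scores above this must be treated or formally accepted


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    cia: str          # property at stake: "C", "I" or "A"
    likelihood: str   # a key of LIKELIHOOD
    impact: str       # a key of IMPACT
    owner: str        # risk owner, who decides on treatment or acceptance

    def __post_init__(self) -> None:
        # Enforce the agreed scales so every entry is scored the same way.
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"unknown likelihood label: {self.likelihood!r}")
        if self.impact not in IMPACT:
            raise ValueError(f"unknown impact label: {self.impact!r}")
        if self.cia not in ("C", "I", "A"):
            raise ValueError(f"cia must be C, I or A, got {self.cia!r}")

    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def acceptable(self) -> bool:
        return self.score() <= ACCEPTANCE_THRESHOLD


def prioritise(register):
    """Highest score first; ties broken by impact so severe consequences surface."""
    return sorted(register, key=lambda r: (r.score(), IMPACT[r.impact]), reverse=True)


def needs_treatment(register):
    """Risks above the acceptance criterion, in priority order."""
    return [r for r in prioritise(register) if not r.acceptable()]


def total_exposure(register) -> int:
    """Sum of scores: one number to compare this assessment cycle with the next."""
    return sum(r.score() for r in register)


def apply_treatment(register, plan):
    """Residual register after applying plan {(asset, threat): {field: new_label}}.

    dataclasses.replace re-runs __post_init__, so treated values are validated too.
    """
    return [replace(r, **plan.get((r.asset, r.threat), {})) for r in register]


# Constructed sample register (not real data).
REGISTER = [
    Risk("customer database", "SQL injection via web portal", "C", "likely", "severe", "Head of Engineering"),
    Risk("payroll server", "ransomware", "A", "possible", "major", "IT Manager"),
    Risk("marketing website", "defacement", "I", "possible", "minor", "Marketing Lead"),
    Risk("staff laptops", "theft of full-disk-encrypted laptop", "C", "likely", "minor", "IT Manager"),
]

# Constructed treatment plan: parameterised queries and input validation make
# injection rare; offline backups reduce the ransomware impact to moderate.
TREATMENT_PLAN = {
    ("customer database", "SQL injection via web portal"): {"likelihood": "rare"},
    ("payroll server", "ransomware"): {"impact": "moderate"},
}

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        verdict = "ACCEPT" if r.acceptable() else "TREAT "
        print(f"{r.score():>2}  {verdict}  {r.asset}: {r.threat} ({r.cia}, owner: {r.owner})")
    residual = apply_treatment(REGISTER, TREATMENT_PLAN)
    print("exposure before:", total_exposure(REGISTER), "after:", total_exposure(residual))
    print("still above threshold:", [r.asset for r in needs_treatment(residual)])
```

Running it ranks the customer database (20) and payroll server (12) above the threshold, leaves the laptop risk (8) exactly at the acceptable boundary, and shows total exposure falling from 46 to 28 after treatment. The ransomware risk drops to 9 but stays above the threshold, which is the kind of residual risk the risk owner must either treat further or formally accept; a register that only recorded the initial scores would never surface that.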