One of the core requirements of the ISO 27001 standard for information security is that organizations perform a...
formal risk assessment that identifies, analyzes and evaluates the risks facing an organization. Recent revisions to the standard removed requirements that dictated the specific process an organization must follow to achieve those standards, but organizations adopting ISO may consider using the ISO 31000 risk management process. ISO 31000 proposes a three-stage process for risk management that conforms to industry-accepted best practices.
Stage one: Establishing the context
In the first stage of the ISO 31000 risk management process, organizations should establish the context of the risk assessment as it relates to both internal and external factors. The most important deliverable from this stage is establishing the objectives and scope of the risk assessment. The organization should have a clear statement of purpose for the assessment and everyone involved should understand what business processes and technologies are included within the assessment's scope.
After setting the objectives and scope, the organization should spell out the factors affecting the assessment. This should include external factors such as the legal and regulatory environment, political considerations, economic circumstances and the views of external stakeholders. It should also include internal factors such as the organizational structure, corporate governance, business processes and technologies.
Stage two: Risk assessment
The risk assessment phase has three goals: risk identification, risk analysis and risk evaluation. During the risk identification step, the organization develops a comprehensive list of the risks that might prevent it from achieving its objectives, as well as the causes and possible outcomes of those risks materializing. This information is considered carefully during the risk analysis, where the organization conducts qualitative and/or quantitative assessments of those risks. The risk assessment stage culminates in the risk evaluation step, where the organization decides which risks are significant enough to require active management and prioritizes that list.
Stage three: Risk treatment
During the risk treatment stage, more commonly referred to as the risk management stage, the organization implements controls designed to reduce risk, assess the effectiveness of those controls and implement additional controls on an as-needed basis. The controls performed during the risk treatment stage may include measures designed to decrease the probability or impact of a risk, avoid a risk entirely by altering business processes, take justified risks, and transfer the risk to third parties, such as insurance companies.
In addition to the three core stages of the risk assessment process, ISO 31000 recognizes that there are two equally important complementary processes that should occur at every stage of the assessment: communication and consultation, and monitoring and review. Organizations conducting an assessment should keep stakeholders informed throughout the process and conduct monitoring to ensure the process is effective.
The ISO 31000 framework is an excellent reference for organizations planning their risk assessment processes. It offers a useful approach for self-initiated assessments as well as those dictated by regulatory requirements, such as ISO 27001 certification, the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA). This is just a brief overview to introduce the process, but any organization considering implementing ISO 31000 should carefully read the full standard.
About the author:
Mike Chapple, Ph.D., CISA, CISSP, is senior director for IT service delivery at the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Chapple is a frequent contributor to SearchSecurity, and serves as its resident expert on enterprise compliance, frameworks and standards for its Ask the Experts panel. He previously served as a site expert on network security, and is a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and the Security+ Training Kit.
Learn more in this introduction to the ISO 31000 risk management standard
Are you in compliance with ISO 31000?
Discover how compliance with ISO 31000 supports risk management initiatives