The risk assessment is a very significant and time-consuming element of the ISMS implementation programme. A slight error in the risk assessment strategy may delay a critical implementation programme by many months. The structure provided in ISO27001 is rather prescriptive, and if a certification/registration assessment is to be conducted against this standard, it is crucial that the risk assessment process can be evidenced as closely following these requirements. The steps are outlined as follows:
1) Identify the information assets and information handling assets within the scope of the ISMS and identify the asset owner of each of these assets. A good way of identifying the assets is to map the business processes which fall within scope and list the assets required for the input, execution and output of these processes.
2) Identify the impacts of loss of confidentiality, availability or integrity of these assets. This impact could be financial, loss of reputation or loss of material ability to perform some aspect of business operations.
3) Identify the threats to those assets which could lead to the loss in confidentiality, availability or integrity of the asset.
4) For each of the identified threats, identify the vulnerabilities which can be exploited by the threat. It is very important that everyone involved in the risk assessment (which may well be all asset owners) is very clear about the distinction between a threat (e.g. malicious code) and a vulnerability (e.g. lack of regularly updated virus protection software).
5) Assess the levels of business impact which could potentially arise from the loss of confidentiality, availability or integrity of the assets as defined in point 2 above.
6) Assess the likelihood of occurrence of the threat, and the level of vulnerability. This will yield the likelihood of a particular threat exploiting a particular vulnerability and impacting the confidentiality, availability or integrity of a particular asset, known as the Risk of Exposure.
7) Estimate the level of risk based on the level of business impact and the risk of exposure.
8) Identify those risks which fall outside the criteria stipulated by management, as input into the risk treatment plan.
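The eight steps above amount to a small data model and a calculation, shown here as an added example that is not part of the original text: the asset, threat and vulnerability records, the ordinal scales, the sample register contents and the acceptance threshold of 8 are all constructed assumptions, since ISO27001 prescribes the process but not the scales.

```python
from dataclasses import dataclass

# Ordinal scales are a constructed example; ISO27001 leaves the scale to the organisation.
LEVELS = {"low": 1, "medium": 2, "high": 3}

@dataclass(frozen=True)
class Asset:            # step 1: the asset and its owner
    name: str
    owner: str
    impact: dict        # steps 2 and 5: business impact of losing "C", "I" or "A"

@dataclass(frozen=True)
class Threat:           # step 3: what could cause the loss
    name: str
    likelihood: str     # step 6: likelihood of occurrence

@dataclass(frozen=True)
class Vulnerability:    # step 4: a weakness that a named threat can exploit
    asset: str
    threat: str
    description: str
    level: str          # step 6: level of vulnerability
    affects: tuple      # which of "C", "I", "A" exploitation would undermine

# Constructed sample register; not taken from any real ISMS.
ASSETS = {"customer-db": Asset("customer-db", "head of sales",
                               {"C": "high", "I": "high", "A": "medium"})}
THREATS = {"malicious code": Threat("malicious code", "high"),
           "power failure": Threat("power failure", "low")}
VULNS = [Vulnerability("customer-db", "malicious code", "anti-malware not updated", "high", ("C", "I", "A")),
         Vulnerability("customer-db", "power failure", "no UPS in server room", "medium", ("A",))]

def risk_of_exposure(threat, vuln):
    """Step 6: likelihood that this threat actually exploits this vulnerability."""
    return LEVELS[threat.likelihood] * LEVELS[vuln.level]

def build_register(assets=ASSETS, threats=THREATS, vulns=VULNS):
    """Step 7: one row per (asset, threat, vulnerability, property) with its risk level."""
    rows = []
    for v in vulns:
        asset, threat = assets[v.asset], threats[v.threat]
        exposure = risk_of_exposure(threat, v)
        for prop in v.affects:
            rows.append({"asset": asset.name, "owner": asset.owner, "threat": threat.name,
                         "vulnerability": v.description, "property": prop,
                         "risk": LEVELS[asset.impact[prop]] * exposure})
    return rows

def needs_treatment(register, acceptable):
    """Step 8: rows above the management-approved acceptance level feed the treatment plan."""
    return sorted((r for r in register if r["risk"] > acceptable), key=lambda r: -r["risk"])
```

Keeping the threat and the vulnerability as separate records makes the step 4 distinction explicit, and each row carries the owner from step 1 so the treatment plan already knows who signs off each risk.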