
5 critical steps to successful ISO 27001 risk assessments
January 2016
Introduction
This white paper describes the five key steps to completing a successful ISO 27001 risk
assessment that will form the centre of an organisation's information security management
system. Risk assessment can be complex but, because best practice is already established,
no one really needs to work out for themselves, through trial and error, how to do it.

Anyone can follow and apply the best practice set out in this white paper. Most
organisations will want to streamline their risk assessment process so that this best
practice becomes embedded. This is most easily done by acquiring and using a standard
ISO 27001 risk assessment software tool. This white paper therefore also describes a
number of the key features you should look for in an ISO 27001 risk assessment tool.

Five steps to successful risk assessments

A risk assessment process that meets the requirements of ISO/IEC 27001:2013 should
have five steps:

1. Establish a risk assessment framework
2. Identify risks
3. Analyse risks
4. Evaluate risks
5. Select risk management option

Experienced information security and risk management practitioners know that manual
risk assessment methods are highly dependent on one or two individuals within the
organisation, are time-consuming (trial and error) and costly to create, and often suffer
from data and process inconsistencies that undermine the integrity and dependability
of the results. They will therefore always use a purpose-built ISO 27001 risk assessment
software tool, and one that follows the five steps above, in order to achieve their
organisation's risk management objectives consistently and cost-effectively.

www.vigilantsoftware.co.uk +44 (0)845 003 8228


Book a live, one-to-one
vsRisk demonstration >>
1. Establish a risk assessment framework
Risk assessment is a formal, top management-driven process, and it sits at the heart of an
effective information security management system (ISMS), so much so that it is a central
requirement specified in ISO/IEC 27001:2013.

Formal methodology
ISO 27001 (clause 6.1.2) requires the organisation to define and apply a risk assessment
process. A key requirement of this process is that it must produce consistent, valid
and comparable results. In practical terms, this means that the risk assessment process
should be objective, transparent and auditable; competent risk assessors should be able
to analyse and evaluate a range of risks and reach consistent results, irrespective of who
carries out or reviews the risk assessment.

Long-term, consistent, robust and transparent results are one of the key reasons for
using formal risk assessment software tools; all future risk reviews, and additional
risk assessments, can then be performed quickly and easily in a standardised and
well understood environment. Good ISO 27001 risk assessment tools are, in practice,
designed and built to incorporate the five steps.

A formal risk assessment methodology has to address four issues, and has to be approved
by top management:

Baseline security criteria
Risk scale
Risk appetite
Scenario- or asset-based risk assessment

Baseline security criteria

As part of establishing the context for the ISMS (as required in clauses 4.1 and 4.2 of
ISO 27001), the organisation should identify the business, regulatory and contractual
requirements it has to meet in respect of information security. We call these requirements
the baseline security criteria and, in order to meet these criteria, the organisation should
implement a range of information security controls. Criteria include, for instance, privacy
regulations that might require access controls in relation to personally identifiable
information (PII) held by the organisation.

The first step in a risk assessment is for the lead risk assessor to ensure that the
organisation has correctly identified and implemented all of its necessary baseline security
controls. If you are using a risk assessment tool, you should be able to identify which of
these controls have been adopted.

Risk scale
The second step is to establish what is called the risk scale. Establishing the risk scale can
be one of the most challenging aspects of establishing an ISMS and is one of the areas in
which organisations often benefit from external expert assistance.

In simple terms, risks are defined as a combination of likelihood and impact: a risk has to
be likely to occur and, if it does, it has to have an impact on the organisation; otherwise,
why bother worrying about it in the first place?

A risk scale can typically be imagined as a standard graph, where likelihood (of an event
happening) is the vertical axis and impact (on the organisation) is the horizontal axis. The
basis of measurement can be either qualitative or quantitative; qualitative is the most
widely used because "impact" is almost impossible to boil down to a single quantitative
value. Some things don't have a cash value. Some impacts are more troublesome because
of the time involved. Likelihood would benefit enormously from using a quantitative
method, but it's not too common to see the two mixed like that.

Likelihood is typically measured as frequency of occurrence (a typical range might be
from once per year to every second of every day. "Never" would not appear on the
scale at all: if something will never happen, it's not a risk, is it?). Frequency of occurrence
is typically established on the basis of historic evidence, perhaps informed by forecasts
of future changes. Typically, the points on the likelihood axis might range from highly
unlikely to highly likely.

Impact is more complex, and can involve financial loss, reputation damage, operational
disruption, some other factors, or some combination of the above, all of which have to
be reduced to a standard measure. Considerable effort is usually required to arrive at a
basis of determining impact that will be widely understood inside the organisation and,
in particular, by those responsible for information security management. Typically, the
points on the impact axis might range from very low impact to very high impact.

The risk scale is the number of options your methodology allows, for both impact and
likelihood. Experienced practitioners know that too much granularity (too many options)
makes risk assessment more complex and less consistent. Practice teaches that the
optimum risk scale for smaller organisations is a 3 x 3 scale and, for larger organisations, a
5 x 5 scale.

Risk appetite
You're going to use your risk scale to analyse risks and to determine how you're going to
respond to identified risks. All organisations are happy to live with or accept a certain
level of risk. Events that are highly unlikely to happen or that, if they do happen, are
highly unlikely to disrupt the organisation, might be risks that management is prepared to
tolerate; in other words, the sort of risk that management is not going to take action to
deal with.

The range of risks that management is prepared to tolerate falls within its risk appetite
and can be clearly identified on a risk assessment graph, as shown in the shaded area
below.

Likelihood           Risk level for each likelihood/impact pair
(very high) 5        5    6    7    8    9
(high)      4        4    5    6    7    8
(medium)    3        3    4    5    6    7
(low)       2        2    3    4    5    6
(very low)  1        1    2    3    4    5
Impact               1    2    3    4    5
                     (very low) (low) (medium) (high) (very high)



Best-practice risk assessment software should make the process of selecting and working
with an appropriate risk scale, and identifying and applying the organisation's risk
appetite, relatively straightforward.

Scenario- or asset-based risk assessment

A risk assessment can be carried out by identifying situations or circumstances in which
risks can arise (e.g. a typhoon) and then identifying assets that might be impacted, or it can
start with a database of critical and valuable assets (e.g. a database with PII, personally
identifiable information) and assess events that might impact the security of that asset.
Whichever approach you choose (and the asset-based approach gives the more consistent
and robust results), you will need an asset database to support your risk assessment, as
you will need to track risk changes over time in relation to each of your assets.

Good risk assessment software tools will allow for both scenario- and asset-based risk
assessments, and their asset databases should therefore be compatible with and integral
to the risk assessment software.

You're also going to want to import assets from a range of sources as well as directly
entering some specific asset data. Not only should a risk assessment tool support
data imports, it should enable you to deal with assets as part of a group, rather than
individually. This is because many assets (e.g. laptops) have similar characteristics to
other laptops, and face similar risks; rather than assessing risk laptop by laptop, it is more
efficient to apply a common set of risks to all the laptops within a specific laptop asset
group, both initially and in the future. Risk assessment tools that allow risks to be dealt
with in this way are ideal.

2. Identify risks
While this is a relatively straightforward activity, it is the most time-consuming part of the
whole risk assessment process. Typically, your lead risk assessor works with risk and/or
asset owners within the organisation to identify all the events that might compromise the
confidentiality, integrity and/or availability of each of the assets that is within the scope of
your ISMS, and, for each event, to analyse the risk and determine the likely impact on the
organisation.
Good risk assessment software should enable multiple users to work on a shared risk
assessment and its supporting database in a way that maintains data integrity and
provides a robust audit trail of who has done what.

3. Analyse risks
Risk analysis typically involves understanding how the risk might occur, which usually
requires you to identify a vulnerability in your asset and a threat that might exploit that
vulnerability. A vulnerability is something that is part of the asset, while a threat is external
to the asset. This level of analysis is essential if you are to make practical and cost-
effective decisions about how to respond to an identified risk. For instance, an unpatched
operating system will display multiple vulnerabilities, all of which could be exploited by
external (to the OS) threats such as hackers, disgruntled staff or even other applications.
Obviously, for each of the events you identify, you will want to be able to analyse the risk
and assess the likelihood of each threat exploiting each linked vulnerability.

Useful risk assessment software comes with built-in lists of threats and vulnerabilities,
usually with appropriate links already defined. This removes the need for you to invest
time and energy in building your own database of threats and vulnerabilities, and should
help accelerate and simplify the process of risk analysis. You should also be able to
analyse risks on the basis that your baseline security controls are in place and effective.

4. Evaluate risks
Your risk assessment software should automatically collect the results of your risk analysis,
calculate, for each risk, where it sits on your risk scale and, in particular, identify whether or
not the risk falls within or outside your predetermined level of acceptable risk. You should
very quickly be able to identify your highest risks and, therefore, to prioritise which risks to
address in what order.
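As an added example (not code from the white paper or from vsRisk), the 5 x 5 risk graph printed under "Risk appetite" above, where each cell equals likelihood + impact - 1, combined with the evaluation step just described: each risk in a register is placed on the scale, compared with a risk appetite threshold, and the risks outside the appetite are ordered highest first. The appetite threshold of 4 and the sample register are assumptions, since the paper gives the shaded area only graphically.

```python
# Added example, not code from the white paper: the 5 x 5 additive scale printed in
# the paper's risk graph (cell = likelihood + impact - 1, levels 1..9), an assumed
# risk appetite threshold (the shaded area is not given numerically) and the step-4
# evaluation splitting a register into tolerated risks and risks needing treatment.
from dataclasses import dataclass

SCALE_POINTS = {1: "very low", 2: "low", 3: "medium", 4: "high", 5: "very high"}

def risk_level(likelihood: int, impact: int) -> int:
    """Risk level as read off the paper's grid: rows are likelihood, columns impact."""
    if likelihood not in SCALE_POINTS or impact not in SCALE_POINTS:
        raise ValueError("likelihood and impact must be integers from 1 to 5")
    return likelihood + impact - 1

def risk_matrix() -> list[list[int]]:
    """Full grid, row index = likelihood - 1, column index = impact - 1."""
    return [[risk_level(lik, imp) for imp in range(1, 6)] for lik in range(1, 6)]

@dataclass(frozen=True)
class Risk:
    asset: str          # asset or asset group the risk applies to
    threat: str         # external to the asset
    vulnerability: str  # part of the asset
    likelihood: int
    impact: int

    @property
    def level(self) -> int:
        return risk_level(self.likelihood, self.impact)

def evaluate(risks: list[Risk], appetite: int) -> tuple[list[Risk], list[Risk]]:
    """Risks at or below the appetite are tolerated; the rest come back highest
    level first, which is the order in which they should be addressed."""
    tolerated = [r for r in risks if r.level <= appetite]
    to_treat = sorted((r for r in risks if r.level > appetite),
                      key=lambda r: r.level, reverse=True)
    return tolerated, to_treat

# Constructed sample register (hypothetical assets, threats and scores).
SAMPLE_RISKS = [
    Risk("Laptop group", "theft", "unencrypted disk", 3, 4),
    Risk("HR database (PII)", "external attacker", "unpatched OS", 3, 5),
    Risk("Office printer", "misuse", "default password", 2, 2),
]
RISK_APPETITE = 4  # assumed threshold: levels 1..4 fall within appetite

if __name__ == "__main__":
    tolerated, to_treat = evaluate(SAMPLE_RISKS, RISK_APPETITE)
    for r in to_treat:
        print(f"level {r.level}: {r.asset} / {r.threat} via {r.vulnerability}")
```

Running the block lists the HR database risk (level 7) before the laptop group risk (level 6); the printer risk (level 3) stays within the assumed appetite and is tolerated.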



5. Select risk management options
The four management options for each risk are:
Tolerate ('accept')
Terminate ('reject')
Transfer (usually through insurance)
Treat ('control')

Your risk assessment methodology should contain the formal criteria that enable these
decisions to be made consistently. Your risk assessment software should then, for all the
risks that you have decided to treat, provide a range of possible controls that could be
applied to reduce the likelihood and/or impact. Ideally, you would want access to the
controls listed in Annex A of ISO 27001, as well as those contained in other frameworks,
from the PCI DSS to NIST SP 800.

Once you've selected controls that will reduce identified risks to acceptable levels, you
want your risk assessment software to produce the two documents that are required
by ISO 27001, in a format that will immediately meet those requirements: the
Statement of Applicability and the risk treatment plan.

Of course, you would also want dynamic links from within your risk assessment tool to
the exact documentation that deals with implementation of each control; even more
importantly, you're likely to want a management dashboard that tells you, at a glance,
where you are with your risk assessment and the status of identified risks.

Invest in a robust risk assessment tool

You can invest time, effort and money in designing and deploying (or having a consultant
design and deploy) a manual risk assessment methodology.

Don't waste the time or the money.

Buy and deploy vsRisk instead.

Three reasons for using vsRisk in your ISMS today
1. vsRisk, out of the box, provides a robust ISO 27001-compliant risk assessment
methodology, and dependably delivers each of the five steps to a successful risk
assessment.
You don't need to spend any time on developing your own risk assessment methodology
or on costly trial and error; you can immediately get to work on the actual risk
assessment, which means you get actionable results much sooner.

2. You will find that you spend more time maintaining your risk assessment than you
invested setting it up, so it makes sense to lock in future efficiencies at the outset. vsRisk's
robust methodology means that upcoming risk reviews and further risk assessments can
be performed quickly, consistently and cost-effectively.

3. vsRisk has nearly ten years of development invested in it. It already incorporates
feedback and experience from hundreds and hundreds of ISO 27001 risk assessments,
and is supported by an ongoing investment and user support programme that regularly
brings additional useful functionality and features to help you continually improve your
own ISMS.

About the Author

Alan Calder, Founder and Executive Chairman: IT Governance Ltd
Alan Calder is an acknowledged international cyber security
expert and a leading author on information security and IT
governance issues.
Alan co-wrote (with Steve Watkins) the definitive compliance
guide, IT Governance: An International Guide to Data
Security and ISO27001/ISO27002 (now in its sixth edition), which is the basis for the
UK Open University's postgraduate course on information security. This work draws on
his experience leading the world's first successful implementation of BS 7799 (now ISO
27001).
Alan has been involved in the development of a wide range of information security
management training courses, software, tools and resources. He also teaches various
information security courses, and consults widely for clients in the UK and abroad. He is a
regular media commentator and speaker at international conferences and events.



About Vigilant Software
Vigilant Software aims to make the implementation of cyber security, information security
and risk management straightforward and affordable for all. Vigilant Software is owned by
IT Governance Ltd: globally acknowledged as a leading authority on IT governance and
information security.

Drawing on years of experience developing and deploying risk management tools and
services, our product range eliminates the complexity of a cyber security implementation
project.

vsRisk, our flagship information security risk assessment tool, was introduced in April
2007 and has simplified and streamlined the information security risk assessment process
for hundreds of organisations globally.

Request a free vsRisk demo today

Find out how vsRisk can save 80% of your time and ensure accurate, consistent and
hassle-free risk assessments year after year.

Sign up now for a personal, one-to-one demonstration of this unique risk assessment
software.

To arrange a live, one-to-one demonstration, please click here >>


Or for more information, please call +44 (0)845 003 8228, email
servicecentre@vigilantsoftware.co.uk or visit our website www.vigilantsoftware.co.uk
