The basics of risk assessment

and treatment according to

ISO 27001

Presenter: Dejan Kosutic

Which are the basic steps in ISO 27001
risk assessment and treatment?

If you’re planning to start the risk

assessment…

… to succeed, you need to understand the

significance of risk management, and learn
what is acceptable according to the
standard

©2018 27001Academy www.advisera.com/27001academy 2

Risk management is the critical first
step in ISO 27001 implementation –
it determines everything that
happens afterward.

©2018 27001Academy www.advisera.com/27001academy 3

Agenda

• Why risk management?

• The process of risk management
• Elements of risk assessment
• Identification of assets
• Threats and vulnerabilities
• Impact and likelihood
• 4 options for risk treatment
• Biggest challenges with risk management

©2018 27001Academy www.advisera.com/27001academy 4

Why risk management?

Information security management (ISO 27001)

Risk
management Safeguards
(ISO 27005) (ISO 27002)

Measurement
(ISO 27004)

©2018 27001Academy www.advisera.com/27001academy 5

The process of risk management…

Your Text
Risk assessment methodology

Your Text
Mandatory
Risk assessment
procedures

Your
YourText
Text
AnalyzeRisk
and assess
treatment

©2018 27001Academy www.advisera.com/27001academy 6

…The process of risk management

Your Text
Statement of Applicability

Your Text
Mandatory
Risk treatment
procedures
plan

©2018 27001Academy www.advisera.com/27001academy 7

Elements of risk assessment

Risk
Risk identification Risk analysis
owner

Thre- Vulne- Like-

Asset
at rability
Impact
lihood

Risk = Impact x Likelihood

(or) Risk = Impact + Likelihood
©2018 27001Academy www.advisera.com/27001academy 8
Assets – What do we protect?

• Examples:
• Hardware
• Software
• Information (electronic, paper etc.)
• Infrastructure
• People!
• etc.
• Identification of asset owners
©2018 27001Academy www.advisera.com/27001academy 9
Threats – What can happen?

Examples:
• Fire
• Earthquake
• Computer viruses
• Bomb threat
• Equipment malfunction
• Key people leaving the company

©2018 27001Academy www.advisera.com/27001academy 10

Vulnerabilities – Why can that
happen?

Examples:
• Lack of fire-extinguishing system
• Lack of business continuity plans
• Lack of anti-virus software
• Lack of incident response procedures
• Obsolete equipment
• Lack of replacement

©2018 27001Academy www.advisera.com/27001academy 11

Impact and likelihood

• Example of assessment scale:

• High
• Medium
• Low
• Or:
• 1 to 5
• 1 to 10

©2018 27001Academy www.advisera.com/27001academy 12

Example of Risk assessment table

Asset Owner Threat Vulnerability Impact Likelihoo Risk

(1-5) d (1-5) (=I+L)
Server Admin. Electricity No UPS 4 2 6
outage
Fire No fire 5 3 8
extinguisher
Contract Managing Access by The contract is 4 4 8
director unauthorized left on a table
persons
Fire No fire 4 3 7
protection
System Departm Accident No-one else 5 3 8
administra ent head knows the
tor passwords

©2018 27001Academy www.advisera.com/27001academy 13

4 options for risk treatment

Apply
appropriate Accept risks
controls

Avoid risks Transfer risks

©2018 27001Academy www.advisera.com/27001academy 14

Biggest challenges with risk
management

• Asset valuation and impact analysis

• Gathering actual facts from the various
departments spread globally among people
who may not know or care about your project
• Link a risk to the ISO 27001 controls of annex A
• Choice of a methodology that will give a result
close to reality
• Consolidate all the data and put forth as a
dashboard that can be made presentable to the
management
©2018 27001Academy www.advisera.com/27001academy 15
Conclusion

Don’t skip the risk assessment and

treatment – without this kind of
analysis your information security
will be full of holes!

©2018 27001Academy www.advisera.com/27001academy 16

Q&A

Dejan Kosutic
 Thank you!
www.advisera.com/27001academy/webinars