ISO 27001 Clause 8.2 Information Security Risk Assessment

ISO 27001 Clause 8.2 is about keeping your company's information safe. It requires you to carry out an information security risk assessment: you look at your business and work out what could go wrong with your data, how likely that is, and how much harm it would do. The goal is to find and rate the risks so you can decide how to treat them.

What Is Information Security Risk Assessment?

A risk assessment is a process to identify, analyse and evaluate risks. In simple terms, it is about finding out what could harm your information and how bad that harm would be. The clause says you must actually perform this process, at planned intervals and whenever significant changes are proposed or occur, and you must keep documented records of the results.

What is ISO 27001 Clause 8.2 Information Security Risk Assessment?

The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).

In the ISO/IEC 27001:2022 standard the clause is titled “Information Security Risk Assessment”. It is a clause in the main body of the standard, not one of the Annex A controls.

What does ISO 27001 Clause 8.2 require?

The wording of the requirement in the standard is: “The organisation shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established in 6.1.2 a). The organisation shall retain documented information of the results of the information security risk assessments.”

What is the purpose of ISO 27001 Clause 8.2?

The purpose of ISO 27001 Clause 8.2 is the execution of the information security risk assessment. Clause 6.1.2 covers the planning stage, where you define the assessment process and the risk acceptance criteria; Clause 8.2 is about putting that plan into action. The organisation must actually run the process it defined, at planned intervals and when significant changes are proposed or occur, and must generate and retain documented evidence of the results. In practice that evidence is usually a risk register, although the standard does not prescribe that particular format.

Is ISO 27001 Clause 8.2 Mandatory?

Yes. ISO 27001 Clause 8.2 is a mandatory clause in the main body of the 2022 standard. Unlike the Annex A controls, it cannot be excluded from the scope of the management system.

Key Parts of the Clause

To meet this clause, you should have a clear, documented assessment process and follow it. The main steps are:

  1. Identify the Risks: Look for things that could harm the confidentiality, integrity or availability of your information. This includes events such as fires, attackers, or a lost laptop.
  2. Analyse the Risks: For each risk you find, assess how likely it is to happen and how much damage it could cause if it did.
  3. Evaluate the Risks: Compare each analysed risk against the risk acceptance criteria you set under Clause 6.1.2 a), and prioritise the risks that need treatment. Deciding what to do about each risk (accept it, avoid it, reduce it, or share it with another party) is risk treatment, which is covered by Clause 8.3.

What an Auditor Will Check

An auditor will want to see evidence that you are following these requirements. They will:

  • Check that you performed a risk assessment, at the planned intervals and after any significant changes.
  • Check that your process is clearly defined, uses the criteria set under Clause 6.1.2, and that you actually followed it.
  • Review your records, typically the risk register, to confirm the results of each assessment were documented and retained.