This is another ISO 27001 clause that is largely covered already if the organisation has met the requirements of Clauses 6.1 and 6.2, and especially 7.5, where the whole ISMS is documented. Clause 8.2 turns the risk assessment process defined in 6.1.2 into an operational duty: the organisation must carry out information security risk assessments at planned intervals, and again whenever significant changes are proposed or occur, and it must retain documented information of the results.
What is ISO 27001 Clause 8.2?
The organisation shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established in 6.1.2 a).
The organisation shall retain documented information of the results of the information security risk assessments.
ISO 27001:2022 Clause 8.2 Information Security Risk Assessment
What is information security risk management?
Risk management is probably the trickiest part of setting up ISO 27001. It is also the most important thing to do at the start of any information security project, because it creates the foundation for how you will protect information in your organisation.
It involves identifying, analysing and responding to things that could harm the confidentiality, integrity and availability of your organisation's information. The goal is to deal with risks in a way that fits the amount of risk your organisation is willing to accept overall.
The aim is not to get rid of all risk, but to decide on and stick to a level of risk that your organisation can accept.
Risk assessment (which ISO 27005 breaks down into risk identification, risk analysis and risk evaluation) and risk treatment are the two main parts of risk management. Let's look at them more closely.
Information security risk assessment and why it’s important
A risk assessment helps you find threats, weaknesses and vulnerabilities. Once you know what they are, you can select the controls that reduce the associated risk. How complex this is depends on the size of your organisation, how fast it is growing, its resources and the information it holds.
The results of the risk assessment become the basis of your organisation's ISMS: every control in the Statement of Applicability should trace back to a risk it treats. This helps managers make better decisions about where to spend money, which tools to use and how to implement controls.
Once the risk assessment is done, your organisation needs to decide how to treat each risk within the budget and resources it has. This means weighing, for every information security risk, how likely it is to happen and how bad the impact could be, and comparing the result with the risk acceptance criteria set under 6.1.2.
How does regularly checking and watching your ISMS help you get ready for a risk assessment?
ISO 27001 requires your ISMS to be monitored, measured, reviewed and continually improved (Clauses 9 and 10) so that it keeps working and adapts to change. An internal audit (Clause 9.2) is one way to check whether it is working well; management review (Clause 9.3) is another, and both feed back into whether the risk assessment is still current.
Many tools are not flexible enough to keep up with changing requirements, so pick one that lets you update your risk assessment criteria and process as the standard, your scope or your threat environment changes.
What does ISO 27001 require when doing a risk assessment?
ISO 27001 Clause 6.1.2 requires you to define and apply a documented risk assessment process. This is hard for organisations that start assessing risks without a plan.
You need clear steps and instructions to set your organisation up for success. At a minimum, Clause 6.1.2 requires you to:
- Establish risk criteria: the criteria for performing assessments and the criteria for accepting risk.
- Explain how you will identify the risks associated with loss of confidentiality, integrity and availability of information within the ISMS scope.
- Set up a way to identify a risk owner for each risk.
- Define how you will assess the potential consequences and the realistic likelihood of each risk.
- Explain how you will combine these to determine the level of risk.
- Define how risks are compared with the risk criteria and prioritised for treatment.
The process must also produce consistent, valid and comparable results each time it is repeated (6.1.2 b), which is why it has to be written down. Use these points as the base for your method.
How ISO 27001 deals with risks
A risk treatment plan (RTP) is a very important part of implementing ISO 27001. It explains how your organisation will respond to the risks you have identified. For each risk, the risk owner chooses one of these options:
- Modifying the risk by applying controls that reduce its likelihood or its impact.
- Avoiding the risk by stopping the activity that causes it.
- Sharing the risk, for example through cyber insurance or outsourcing. Sharing moves some of the cost, not the accountability: the organisation remains responsible for the information.
- Retaining the risk by accepting it, typically where it already sits within the acceptance criteria or the cost of treatment exceeds the expected loss. Acceptance must be a documented decision by the risk owner.
The seven steps to a good ISO 27001 risk assessment
A risk assessment process that follows the rules of ISO 27001 should have seven steps:
- Set up an ISO 27001 risk assessment framework. Your organisation needs to handle risk assessment in a consistent way, so create guidelines that define the process for every part of the organisation. Decide what level of risk is acceptable across the organisation and whether you will use a qualitative or a quantitative method. A qualitative approach rates risks on descriptive scales (for example, likelihood and impact from 1 to 5) based on expert judgement; a quantitative approach uses numbers such as loss estimates and event frequencies to measure risk levels. A formal risk assessment method should cover:
  - The security requirements that matter most to your organisation (legal, contractual and business).
  - How you will measure the level of risk.
  - How much risk you are willing to accept.
  - Your identification approach (asset-based or scenario-based).
- Create a list of your organisation’s possible risk scenarios. There are two main ways to do this. The first is based on scenarios. Here, your organisation focuses on situations that could be a threat, like a ransomware attack or a DDoS attack. People often find it easier to recognise risk situations this way, which can speed up risk identification. The second way is based on assets, focusing on risks related to your organisation’s important information. This way usually takes longer to identify risks.
- Identify risks. Now, you can start figuring out which potential problems might affect you. You can use a list of risk scenarios or add your own.
- Analyse and evaluate risks. Some risks are more serious than others, so you need to decide which to treat first. Rate each risk on how likely it is to happen and how much damage it could cause, combine the two into a risk level, and compare that level with your acceptance criteria. Anything above the threshold goes forward for treatment, highest first.
- Create a Statement of Applicability. The Statement of Applicability (SoA) is the summary of your control set. It lists every Annex A control, states whether it is included or excluded with the justification for each, and records whether the included controls are implemented. Each included control should be traceable to the risks from the assessment that it treats. This document is very important because the auditor uses it as the main guide during the audit to check whether your controls match your risks.
- Create a risk treatment plan. ISO 27001 requires a risk owner for every risk. Owners approve the treatment plan and accept the residual risk that remains after treatment. Human error causes many risks, and you can rarely eliminate them completely, so most risks will be modified by implementing controls, usually drawn from Annex A. The plan should state, for each risk, the chosen controls, who is responsible, the budget and the timeline.
- Review, monitor and conduct an internal audit. To account for changes in how your organisation works and in the threat environment, repeat the assessment at planned intervals (annually is common) and whenever significant changes are proposed or occur, as Clause 8.2 requires, and retain the results. Use each cycle to improve the ISMS: this could mean changing how a risk is treated or choosing a different control to deal with it.
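The following Python risk register ties the seven steps together in one place. It rates constructed risks on assumed 1 to 5 likelihood and impact scales, compares the resulting level with an assumed acceptance threshold, records the treatment option and the residual risk, runs the consistency checks an internal auditor would apply to each entry, and derives the control-to-risk traceability that feeds the Statement of Applicability. This is an added example, not code from the original article or from ISO 27001; the scales, the threshold of 8, the risks, owners and the Annex A control mapping are all constructed for illustration, and an organisation must define its own criteria under 6.1.2 a).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed 1-5 ordinal scales for a qualitative method; an organisation sets its own (6.1.2 a).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ACCEPTANCE_THRESHOLD = 8          # assumed criterion: likelihood x impact <= 8 is acceptable
TREATMENT_OPTIONS = {"modify", "avoid", "share", "retain"}


@dataclass
class Risk:
    risk_id: str
    scenario: str                                  # scenario-based identification (step 2)
    asset: str                                     # information asset the scenario affects
    owner: str                                     # risk owner (6.1.2 c) 2)
    likelihood: str
    impact: str
    treatment: Optional[str] = None                # one of TREATMENT_OPTIONS once decided
    controls: List[str] = field(default_factory=list)  # Annex A controls applied (assumed mapping)
    residual_likelihood: Optional[str] = None      # estimated ratings after treatment
    residual_impact: Optional[str] = None
    owner_accepted_residual: bool = False          # documented owner acceptance (6.1.3 f)


def risk_level(likelihood: str, impact: str) -> int:
    """Determine the level of risk from the two qualitative ratings (6.1.2 d) 3)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def inherent_level(r: Risk) -> int:
    return risk_level(r.likelihood, r.impact)


def residual_level(r: Risk) -> int:
    """Level after treatment; falls back to the inherent ratings if none are recorded."""
    return risk_level(r.residual_likelihood or r.likelihood, r.residual_impact or r.impact)


def is_acceptable(level: int) -> bool:
    """Compare a level with the risk acceptance criterion (6.1.2 e) 1)."""
    return level <= ACCEPTANCE_THRESHOLD


def prioritised(register: List[Risk]) -> List[Risk]:
    """Order risks for treatment, highest inherent level first (6.1.2 e) 2)."""
    return sorted(register, key=inherent_level, reverse=True)


def review_findings(r: Risk) -> List[str]:
    """Consistency checks an internal auditor would apply to a register entry."""
    findings = []
    if r.treatment is not None and r.treatment not in TREATMENT_OPTIONS:
        findings.append(f"{r.risk_id}: unknown treatment option '{r.treatment}'")
    if r.treatment is None and not is_acceptable(inherent_level(r)):
        findings.append(f"{r.risk_id}: above acceptance criteria but no treatment decided")
    if r.treatment == "modify" and not r.controls:
        findings.append(f"{r.risk_id}: treatment is 'modify' but no controls recorded")
    if r.treatment == "retain" and not is_acceptable(inherent_level(r)) and not r.owner_accepted_residual:
        findings.append(f"{r.risk_id}: retained above criteria without documented owner acceptance")
    if r.treatment in ("modify", "share") and not is_acceptable(residual_level(r)) and not r.owner_accepted_residual:
        findings.append(f"{r.risk_id}: residual risk still above criteria and not accepted by owner")
    return findings


def statement_of_applicability(register: List[Risk]) -> Dict[str, List[str]]:
    """Map each applied control to the risks that justify its inclusion (6.1.3 d)."""
    soa: Dict[str, List[str]] = {}
    for r in register:
        for control in r.controls:
            soa.setdefault(control, []).append(r.risk_id)
    return soa


# Constructed sample register; scenarios, owners, ratings and control choices are illustrative only.
REGISTER = [
    Risk("R-01", "Ransomware encrypts file servers", "Customer records", "Head of IT",
         "possible", "severe", treatment="modify",
         controls=["A.8.13 Information backup", "A.8.7 Protection against malware"],
         residual_likelihood="unlikely", residual_impact="moderate"),
    Risk("R-02", "DDoS takes the web shop offline", "Web shop", "Head of IT",
         "likely", "major", treatment="share",
         controls=["A.5.19 Information security in supplier relationships"],
         residual_likelihood="likely", residual_impact="minor"),
    Risk("R-03", "Staff lose an unencrypted laptop", "Payroll data", "HR Director",
         "likely", "major"),                       # no treatment decided yet: must be flagged
    Risk("R-04", "Visitor reads a printed internal memo", "Internal memos", "Facilities",
         "possible", "negligible", treatment="retain"),
]

if __name__ == "__main__":
    for r in prioritised(REGISTER):
        print(f"{r.risk_id} inherent={inherent_level(r)} residual={residual_level(r)}")
    for r in REGISTER:
        for finding in review_findings(r):
            print("FINDING:", finding)
    for control, risks in statement_of_applicability(REGISTER).items():
        print(f"SoA: {control} <- {', '.join(risks)}")
```

Running the module prints the register in treatment priority, flags R-03 as the only entry that is above the threshold with no treatment decided, and lists each applied control with the risks that justify its inclusion. The `review_findings` checks are the ones worth automating before an internal audit: an unacceptable risk with no decision, a "modify" with no controls behind it, and a residual or retained risk above the criteria that no owner has signed off.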