ISO 27001 Clause 6.1.2 is about how a company assesses its information security risks. This is a very important part of the standard because the whole security system is built on what you find here. The goal is to make sure you have a plan to find, look at, and decide what to do about risks.
What is ISO 27001 Clause 6.1.2 Information Security Risk Assessment?
The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).
In the ISO/IEC 27001:2022 Standard the control is titled “Information Security Risk Assessment”.
What is the ISO 27001 Clause 6.1.2 control objective?
The formal definition and control objective in the standard is: “The organization shall define and apply an information security risk assessment process that:
a) establishes and maintains information security risk criteria that include:
  - the risk acceptance criteria; and
  - criteria for performing information security risk assessments;
b) ensures that repeated information security risk assessments produce consistent, valid and comparable results;
c) identifies the information security risks:
  - apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system; and
  - identify the risk owners;
d) analyses the information security risks:
  - assess the potential consequences that would result if the risks identified were to materialise;
  - assess the realistic likelihood of the occurrence of the risks identified; and
  - determine the levels of risk;
e) evaluates the information security risks:
  - compare the results of risk analysis with the risk criteria established; and
  - prioritise the analysed risks for risk treatment.
The organisation shall retain documented information about the information security risk assessment process.”
What is the purpose of ISO 27001 Clause 6.1.2?
The purpose of ISO 27001 Clause 8.1 is “To establish and maintain information security risk assessment processes that include the risk acceptance and assessment criteria.“
Is ISO 27001 Clause 6.1.2 Mandatory?
ISO 27001 Clause 6.1.2 (Information Security Risk Assessment in the 2022 standard) is a mandatory clause in the main body of the standard.
What is Risk Assessment?
Risk assessment means finding problems that could harm your data. It is about looking for what could go wrong. You have to make a list of your important data and systems. Then you look for threats and weaknesses. A threat is something that could happen, like a fire. A weakness is a gap that lets a threat cause harm, like not having a fire extinguisher.
You have to decide how likely a problem is to happen and how bad it would be. This helps you figure out which problems are most important to fix.
Key Parts of the Process
The ISO 27001 standard says you must have a clear plan for your risk assessment. Here are the main things you need to do:
- Set the Rules: You need to decide what level of risk is okay for your company. This helps you know when a risk is too big and needs to be fixed.
- Find the Risks: You must look for all the possible risks to your data.
- Decide Who Is in Charge: For each risk, you need to name a person who will be responsible for it.
- Look at the Risks: You need to think about how bad the results would be if a risk happened. You also need to figure out how likely it is to happen.
- Figure out the Risk Level: Once you have the information, you can decide how big each risk is.
After you have done these steps, you will have a list of all your risks.
What an Auditor Will Check
An auditor will check your risk assessment plan. They want to see that you have a clear plan and that you follow it every time. They will also look at your risk list. They want to see that you have looked at all parts of your company and that your risk list makes sense.
You can learn more about Information Security Risk Assessment and ISO 27001 by watching this video: ISO 27001 Risk Assessment Explained.