



7 steps to a successful ISO 27001 risk assessment

Anita Adiraj

Last updated 08/06/2021

There's been a lot of talk about frameworks and compliance (ISO 27001 and GDPR, to give two examples). We've been discussing these standards quite a bit lately. What we haven't done a great deal of is talk about what people need to do to prepare for these standards while making sure they stay compliant with the obligations they already have.

One of the best ways to prepare is to conduct a Risk Assessment for your business. We sat down with Darrin Maggy, CISSP, our Practices Manager, to review the seven steps of a Risk Assessment.

While we've made a great effort to put these steps into an organized list, many of them are interconnected, and when you go through a Risk Assessment you'll be bouncing back and forth between them as new information comes to light.


Step 1: Identify Your Information Assets

An information asset is any data or resource that is valuable to your business and contributes to its ability to operate and to its profitability. Typically you need to look for things like paper or electronic records, applications, databases, infrastructure, even key people. Each of those is an information asset.

"Generally what we do to start the asset identification process is issue a questionnaire," Maggy said. "It's brief, and it's designed to walk people through the process of understanding exactly what we're looking for and how to find it."


Step 2: Identify the Asset Owners

Once you've identified your information assets, Security7 determines who within the business is responsible for those assets. Maggy said the recipients of the questionnaire typically sit at the layer directly below the CEO on the organization chart.

"Finance, Operations, HR, Sales, and so on; these people are usually aware of which corporate assets they're responsible for and which assets are most critical to the business," he said.

Maggy said it's important to identify asset owners because they are the best source of knowledge about the potential vulnerabilities and threats to the assets, and they can also help assess the likelihood and impact if the identified threats were to materialize.


Step 3: Identify Risks to Confidentiality, Integrity, and Availability of the Information Assets

"Confidentiality, Integrity, and Availability of information are the foundation of information security," Maggy said. "Let's use an analogy to help explain this."

Maggy said imagine you're dealing with your bank. You're going to make a deposit, log in to your account to make sure the deposit has posted, and then withdraw the cash.

You expect confidentiality when you deposit your money. That transaction is between you and your bank. "It's nobody's business that you've just conducted that transaction," Maggy said. "The bank shouldn't advertise the fact that you just deposited $50 or $5000 into your account."

Integrity comes into play when you log in to your account only to find the transaction hasn't been posted. "Say you deposited $50 and only see $10, or nothing at all," Maggy said. "Something's happened to the integrity of that transaction, the integrity of the information."

Availability comes in when you go to an ATM, try to withdraw that $50, and can't do so; now you have an availability issue.

Maggy said all three of these apply to information as well, and any breach of Confidentiality, Integrity, or Availability is considered a security incident. "Let's apply these concepts to the business.

"If someone in sales needs access and they're not able to get it, that's an availability issue. If someone from HR goes in and modifies an important record, making substantial changes to it, and ultimately those changes alter how a client is handled in the organization, then you've just had a breach of integrity," he said.

"Generally speaking, confidentiality is identifying the processes, the assets, the information, the things in the organization that need to be kept private," Maggy said. "Whether it's existential information that you don't want your competitors to find out about, for example information related to M&A activity or new product development, financial information, or other sensitive data. That's confidentiality."


Step 4: Identify the Risk Owners

Remember when we said you might bounce around between the steps? Well, here's an example of that.

"Often we'll find that the asset owner ends up being the risk owner as well," Maggy said.

Maggy said risk owners are those with the accountability and authority to manage change. "The asset owner is the person responsible for the asset within the company. A risk owner is a person who is both interested in resolving a risk and positioned high enough in the organization to get it done."

However, the risk owner isn't always the asset owner. "It must be someone who is closely tied to the processes and operations where the risks have been identified. It must be someone who will feel the 'pain' if the risks materialize, that is, someone who is very interested in preventing such risks from occurring. At the same time, this person must be positioned high enough that their voice is heard among the executives, because without the resources that brings, this undertaking would be impossible."


Step 5: Analyze the Identified Risks and Assess the Likelihood and Potential Impact if the Risk Were to Materialize

Maggy said it's important to always provide Risk Assessment training directly to the people who will be involved in the Risk Assessment process.

"We do this to bring everyone involved in the process up to speed," he said. "It helps them understand the methodology, the terminology, and the risk identification and treatment process so we can better ensure a high-quality, refined output."


Step 6: Determine the Levels of Risk

Security7 has assembled a collection of Risk Catalogs to help participants on their journey. The catalogs help identify specific threats and vulnerabilities and allow Security7 to walk organizations through the likelihood and consequence scenarios.

"We give the potential impact and the likelihood of these risks occurring a numeric value in our risk matrix."

The total of these values ultimately determines which risks will require treatment.

"Then you need to decide how you will reduce those risks to a level that the organization is willing to accept or is comfortable with, no more, no less," he said.


Step 7: Prioritize the Analyzed Risks for Treatment

The primary risk treatment options an organization needs to consider are risk mitigation, risk transfer, risk avoidance, and risk acceptance.

"Maybe you're going to implement a security control from Annex A or SP 800-153 or another control catalog. That's risk mitigation," Maggy said.

"Risk transfer is when you move the risk through outsourcing to a contract provider or by insuring a particular asset."

"Risk avoidance is when you terminate the activity that is associated with the risk," he said.

"Risk acceptance is where an organization says, 'You know what? The treatment would cost more than the potential impact were the risk to materialize. We accept this risk. It's been approved by our executive suite,'" he said. "Then they document the risk acceptance memorandum within their information security management system."
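Steps 6 and 7 describe a simple scoring scheme: each risk gets a numeric likelihood and a numeric impact, the total decides which risks exceed what the organization will accept, and the risks above that line are prioritized and assigned one of the four treatment options. The following is an added illustration written for this article, not Security7's tooling or a Risk Catalog; the 1-to-5 scales, the risk appetite value of 5, the sample register entries and their owners are all constructed assumptions. It also adds two sign-off checks the text implies but does not spell out: every risk above appetite must have a treatment chosen, and accepting a risk above appetite requires recorded executive approval.

```python
"""Risk register scoring and treatment prioritisation (illustrative example, not Security7's tooling)."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Treatment(Enum):
    MITIGATE = "mitigate"  # implement a control from a catalog such as Annex A
    TRANSFER = "transfer"  # outsource to a contract provider or insure the asset
    AVOID = "avoid"        # terminate the activity associated with the risk
    ACCEPT = "accept"      # document acceptance, approved by the executive suite


@dataclass
class Risk:
    asset: str
    cia: str               # which property the risk threatens: "C", "I" or "A"
    description: str
    asset_owner: str
    risk_owner: str
    likelihood: int        # 1 (rare) .. 5 (almost certain); the 1-5 scale is an assumption
    impact: int            # 1 (negligible) .. 5 (severe); also an assumption
    treatment: Optional[Treatment] = None
    executive_approved: bool = False  # only meaningful when treatment is ACCEPT

    def __post_init__(self) -> None:
        if self.cia not in ("C", "I", "A"):
            raise ValueError(f"cia must be C, I or A, got {self.cia!r}")
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be in 1..5, got {value}")


def risk_level(risk: Risk) -> int:
    """Risk level as the total of likelihood and impact, as Step 6 describes.
    (A product, likelihood * impact, is another common matrix; the sum is used here.)"""
    return risk.likelihood + risk.impact


def needs_treatment(risk: Risk, appetite: int) -> bool:
    """A risk whose level exceeds the organisation's appetite must be treated."""
    return risk_level(risk) > appetite


def prioritize(register: List[Risk], appetite: int) -> List[Risk]:
    """Risks above appetite, highest level first; ties broken by impact, then likelihood."""
    candidates = [r for r in register if needs_treatment(r, appetite)]
    return sorted(candidates, key=lambda r: (risk_level(r), r.impact, r.likelihood), reverse=True)


def validate_plan(register: List[Risk], appetite: int) -> List[str]:
    """Sign-off checks: every risk above appetite has a treatment option chosen,
    and acceptance above appetite carries documented executive approval."""
    issues: List[str] = []
    for r in register:
        if not needs_treatment(r, appetite):
            continue  # within appetite: accepted by default, nothing to flag
        if r.treatment is None:
            issues.append(f"{r.asset} ({r.cia}): level {risk_level(r)} exceeds appetite {appetite}, "
                          "no treatment chosen")
        elif r.treatment is Treatment.ACCEPT and not r.executive_approved:
            issues.append(f"{r.asset} ({r.cia}): acceptance above appetite lacks executive approval")
    return issues


def build_register() -> List[Risk]:
    """Constructed sample register; assets, owners and scores are made up for illustration."""
    return [
        Risk("Customer database", "C", "Customer records disclosed to unauthorised parties",
             "Sales Director", "Sales Director", likelihood=3, impact=5, treatment=Treatment.MITIGATE),
        Risk("Payroll system", "I", "Payroll records modified without authorisation",
             "HR Director", "HR Director", likelihood=2, impact=4),
        Risk("CRM system", "A", "Sales team unable to reach the CRM during outages",
             "Sales Director", "Head of Operations", likelihood=4, impact=3,
             treatment=Treatment.ACCEPT, executive_approved=False),
        Risk("Archived paper records", "C", "Archived paper records lost or misplaced",
             "Head of Operations", "Head of Operations", likelihood=1, impact=2),
    ]


if __name__ == "__main__":
    register = build_register()
    appetite = 5  # assumed: levels of 5 or below are accepted without treatment
    for r in prioritize(register, appetite):
        print(f"{risk_level(r):>2}  {r.cia}  {r.asset:<24} risk owner: {r.risk_owner}")
    for issue in validate_plan(register, appetite):
        print("FINDING:", issue)
```

With the constructed register and an appetite of 5, the customer database (level 8), the CRM (7) and payroll (6) come out for treatment in that order, the archived records (3) are accepted by default, and `validate_plan` reports two findings: payroll has no treatment chosen, and the CRM acceptance has not been approved by the executive suite, so it cannot yet be recorded as a risk acceptance memorandum.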

About Author

She is the most experienced person in our writers' forum. Her write-ups about IT Service Management have been the favorite ones of our readers in the past years. Amruta has worked closely with a lot of big firms and showed them how to utilize the ITIL framework in an organization's supply chain management fruitfully. Her work areas mainly include ITIL Consulting & Implementation, GAP Analysis, ISO Audits, Process/Service Improvement Using Lean Six Sigma, Process Definition, Implementation & Compliance, Process Hygiene (ISO 20000), Quality Assurance & Program Governance.