ISO 27001 Clause 6.1: Actions To Address Risk And Opportunity
ISO 27001 Clause 6.1, Actions To Address Risk And Opportunity, sets out the requirements for how an organisation plans its approach to risks and opportunities.
ISO 27001 Clause 6.1.1: General
This clause requires the organisation to plan how it will address the risks and opportunities arising from clause 4.1 (the context of the organisation) and clause 4.2 (the needs and expectations of interested parties), with the following aims:
- The ISMS can achieve its intended outcomes;
- The chance of undesirable events affecting the business is reduced;
- The ISMS continually improves.
The organisation must plan actions to address each of the risks and opportunities identified under clauses 4.1 and 4.2, integrate those actions into its ISMS processes, and evaluate their effectiveness over time so that the ISMS continually improves.
ISO 27001 Clause 6.1.2: Information security risk assessment
Risk assessment identifies the threats and vulnerabilities facing the organisation and assigns a level of impact to each resulting risk. The organisation must define an information security risk assessment process and apply it in a way that establishes and maintains the criteria the assessment is judged against.
These criteria broadly include the overall risk acceptance criteria and the criteria for performing the information security risk assessment itself. Risk assessment is the most complex and the most important part of the standard, as it provides the foundation for the organisation's information security policy. The process must be repeated at planned intervals and must produce consistent, valid and comparable results each time it is run.
Once management has approved the process, it is applied to identify the threats and associated vulnerabilities that could lead to a loss of confidentiality, integrity or availability of the information within the scope of the ISMS.
The organisation must identify a risk owner for each of these risks. Risk owners are the individuals or authorities appointed by management to manage a particular risk; they are accountable for that risk and have the authority to address it.
Analysis of the identified risks is the next step in the assessment. The analysis attempts to determine the potential consequences of each risk if it materialises; a risk may, for example, affect the financial position or the reputation of the company. The analysis can be quantitative and/or qualitative depending on the type of risk. The organisation must also assess the realistic likelihood of each risk occurring (its probability). For example, a data leak can occur regularly, whereas a natural calamity has a low probability of happening.
A risk matrix mapping probability against impact is one way of assigning a level of importance to each potential risk. Risks that are both unlikely and have a negligible impact are low priority, while risks that are both probable and have a severe impact are categorised as the highest priority.
Each risk is assigned a level derived from its probability and its impact on the organisation, and the risks are then ranked by the level the organisation has determined.
After the identification and analysis of the different risks, the results must be evaluated against the criteria the organisation defined earlier. The organisation should then prioritise the risks for treatment according to the level assigned to each and the urgency of treating it. There may be several high-rated risks, in which case the organisation must decide the order in which they are treated.
The organisation must retain documented information about the information security risk assessment process and every step it has taken in applying it.
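As an added illustration, not taken from the page or from the ISO standard, the following Python risk register scores each risk on assumed five-point probability and impact scales, bands the product into a level, checks that every risk has an owner, and ranks the risks that exceed an assumed acceptance threshold for treatment. The scales, bands, threshold and sample risks are all constructed; an organisation defines its own.

```python
"""Constructed example: scoring and prioritising a risk register with a
probability x impact matrix, then comparing against acceptance criteria."""
from dataclasses import dataclass, field

# Assumed ordinal scales (1-5). Fixed scales keep repeated assessments comparable.
PROBABILITY = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Assumed banding of the product score into risk levels.
def risk_level(score: int) -> str:
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"

@dataclass
class Risk:
    ref: str
    description: str
    owner: str          # clause 6.1.2 requires a risk owner for every risk
    probability: str
    impact: str
    score: int = field(init=False)
    level: str = field(init=False)

    def __post_init__(self):
        if not self.owner.strip():
            raise ValueError(f"{self.ref}: every risk must have a risk owner")
        if self.probability not in PROBABILITY or self.impact not in IMPACT:
            raise ValueError(f"{self.ref}: probability/impact outside the defined scale")
        self.score = PROBABILITY[self.probability] * IMPACT[self.impact]
        self.level = risk_level(self.score)

# Assumed acceptance criterion: any score above this must be treated.
ACCEPTANCE_THRESHOLD = 7

def prioritise(risks, threshold=ACCEPTANCE_THRESHOLD):
    """Return the risks needing treatment, highest score first, ties broken by impact."""
    needs_treatment = [r for r in risks if r.score > threshold]
    return sorted(needs_treatment, key=lambda r: (r.score, IMPACT[r.impact]), reverse=True)

# Constructed sample register.
SAMPLE_REGISTER = [
    Risk("R-01", "Staff credentials leaked via phishing", "IT manager", "likely", "major"),
    Risk("R-02", "Data centre flooded", "Facilities lead", "rare", "severe"),
    Risk("R-03", "Encrypted laptop left on a train", "IT manager", "possible", "minor"),
    Risk("R-04", "Unpatched public web server compromised", "Application owner", "likely", "severe"),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_REGISTER):
        print(f"{r.ref} {r.level:6} score={r.score:2} owner={r.owner}: {r.description}")
```

Risks at or below the threshold (here R-02 and R-03) are accepted as they stand and still belong in the documented register with their owner and score.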
ISO 27001 Clause 6.1.3: Information security risk treatment
Risk assessment is carried out to determine the threats and vulnerabilities affecting information security and to find the best possible treatment for each identified risk. The assessment guides the organisation in allocating resources for treatment. A treatment strategy must be constructed for each risk assessment report so that the organisation can deal with each risk at an affordable cost.
The chosen treatment options are implemented through controls, drawing at least on those provided in Annex A of the standard. The organisation must decide which controls are needed to implement the treatment options properly; it can design its own controls or adopt them from any other source as the treatment requires.
The third step is to compare the controls selected for the treatment with the controls provided in Annex A of the standard. Annex A contains a comprehensive list of controls, but not all of them need to be implemented, only those required by the treatment. This comparison checks whether any necessary control has been overlooked or omitted. The Annex A controls are not exhaustive; any control or control objective required by the treatment can be added.
The next step is to produce a Statement of Applicability. It must list all the controls, whether implemented or not, with a justification for each inclusion or exclusion. The controls listed rely mainly on Annex A, but any custom control implemented as part of the treatment must be included as well.
With the information gathered in the steps above, the organisation formulates the most suitable information security risk treatment plan. A well-formulated plan increases the chances that the treatment succeeds. The risk owners must approve the plan and accept the residual information security risks that remain after treatment.