How to do a risk assessment for ISO 27001

One of the key elements of ISO 27001 certification involves doing a comprehensive risk assessment. In order to combat the risks to your organization’s assets, you need to identify the assets, consider the threats that could compromise those assets, and estimate the damage that the realization of any threat could pose. Losing trade secrets, for example, could pose serious threats to your company's financial well being. Some estimates claim that US companies lose $100 billion annually due to the loss of proprietary information. This link will take you to one.

One of the first steps in doing a risk assessment involves identifying the various entities that pose threats to your company's well being -- hackers, disgruntled employees, careless employees, competitors? Not all threats fall into the category of "bad guys". You might also have to consider natural disasters such as power outages, data center flooding, fires, and other events that damage cabling or make your offices uninhabitable.

You then need to identify the assets that you are trying to protect with special attention to those that are most critical. My boss likes to call the most critical information assets our "secret sauce". What gives your company its edge and would be most harmful if compromised? What critical components in your network infrastructure would halt production if they failed? And don't restrict your thinking to computers and online data. Make sure you consider all sorts of assets from automated systems to paperwork stored at off-site storage facilities. Even know-how can be considered a critical business asset.

You also need to consider the vulnerabilities inherent in your systems, processes, business locations, etc. What are the "weak links" in your systems and processes? In what ways might your production lines be broken? Maybe you have old equipment that's going to fail just when you most need it. Maybe you have no redundancy for your web services. Maybe a legacy system has a password that everybody knows, including several people you fired last month. Maybe a critical service is using the default admin password for some particular application it relies on. Make sure your ISO 27001 implementation team considers all the weaknesses they can identify and creates records that you keep in a very safe place! After all, the last thing you want is for anyone outside your small group to be able to access a complete list of all your vulnerabilities.

If you've got a good implementation team with healthy connections to the various parts of your organization, you will probably have a leg up on identifying your most critical assets across the organization. It might be your source code, your engineering drawings, your patent applications, your customer lists, your contracts, your admin passwords, your data centers, your UPS devices, your firewalls, your payroll records ... Start with those that are the most critical or go from site to site or office to office as needed. The end result could be a more comprehensive view of where and how your company is vulnerable than you ever imagined. In my experience, the number of risks not previously considered that staffs uncover is quite significant.

Once you've compiled a fairly comprehensive list of assets and the ways in which they could be compromised, you'll be ready to assign numeric values to those risks. The calculated risk values will provide a basis for determining how much time and money you invest in protecting against the threats that you have identified.

One basic formula that organizations use to compute risk is simply likelihood times impact. Likelihood (probability) is a measure of how likely a loss is to happen. Impact (severity) is how much damage will be done to the organization if the loss occurs. Each of these measures will require a scale; 1 to 10 is generally used. It's a good idea to also tie some meaningful description to each level in your risk rating. Doing so makes it more likely that you'll get the same kind of ratings from different people. For example, 10 might indicate that the likelihood is practically guaranteed while 1 might mean that it's nearly impossible. Similarly, a 1 to 10 on your impact measures might have 10 meaning that the loss would put your company at significant risk of folding while a 1 would mean the loss would be insignificant. The textual descriptions will help those who have to assign numbers to your risks think through the process more clearly. It's also a good idea to have several people involved in the risk evaluation process to ensure that the numbers reflect several points of view and are well thought through. It's extremely difficult to be scientific about assigning the numbers, but your staff will get better with practice and can compare the ratings for various assets to help ensure that they make sense.

Often, a third factor is also used in the risk calculation. In failure mode effects analysis (FMEA), the third factor is a measure of the effectiveness of current controls. You then have the likelihood that a threat is acted on (independent of your precautions against it) times the anticipated damage (impact) times the effectiveness of your efforts in mitigating the risks (controls). With three factors, your RPNs can range from 1 to 1,000. This will give you a better "spread" and an easier time identifying the more prominent risks.

The word "controls" in ISO 27001 speak refers to the policies and actions you take to address risks. For example, you might require that all passwords be changed every few months to lessen the likelihood that accounts will be compromised by hackers. And you might implement measures to make sure that the passwords are changed at the planned intervals. This "control" would reduce the likelihood that passwords would be successfully guessed. You might also have a control that locks accounts after some number of wrong passwords are tried. That would lessen the risk of compromise even further.

The resultant calculation of likelihood times impact or likelihood times impact times control effectiveness is called a risk priority number or "RPN".

When collecting information about your assets and calculating RPNs, make sure that you also record who provided the information, who is responsible for the assets and when the information was gathered so that you can go back later if you have questions and can recognize when the information is too old to be reliable.

You can download a nice example of a 2-factor risk spreadsheet or a 3-factor risk spreadsheet from In fact, you can get a free toolkit to help you get started without investing a lot of up-front funds from them using here.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Must read: 10 new UI features coming to Windows 10