A Recipe for Iterative Risk Management
ISO/IEC 27001 specifies that the controls implemented within the scope, boundaries and context of the ISMS need to be risk based. Applying an information security risk management process can satisfy this requirement. There are many approaches by which the process can be successfully implemented in an organisation, and the organisation should use whichever approach best suits its circumstances for each specific application of the process.
The information security risk management process can be iterative for risk assessment and/or risk treatment activities. An iterative approach to conducting risk assessment can increase depth and detail of the assessment at each iteration. The iterative approach provides a good balance between minimizing the time and effort spent in identifying controls, while still ensuring that high risks are appropriately assessed.
This is a recipe for a non-methodology specific iterative risk management process for information security flavoured risks using internationally recognised standards and guidelines as ingredients. It may apply, using an integrated approach, to managing risks of other flavours, including enterprise risk, and for conformance with other risk-based standards such as ISO 9001:2015.
ISO/IEC 27001:2013 ISMS requirements. An International Standard providing requirements for establishing, implementing, maintaining and continually improving an ISMS that preserves information security (confidentiality, integrity and availability of information; other properties such as non-repudiation may also be involved) by applying a risk management process. Aligned with BS ISO 31000:2009, which is referenced at Clause 4.1 Understanding the organisation and its context and at Clause 6.1 Actions to address risks and opportunities. 1 licensed copy.
ISO/IEC 27005:2011 Information security risk management guidelines. An International Standard providing guidelines for non-method-specific information security risk management in an organisation, supporting in particular the requirements of an ISMS according to ISO/IEC 27001 and conforming with BS ISO 31000:2009. It is the source of this recipe. 1 licensed copy.
BS ISO 31000:2009 Risk management - Principles and guidelines. An International Standard that establishes a number of principles that need to be satisfied for risk management to be effective. Applicable to all kinds of organisational risk and non-method-specific. 1 licensed copy.
ISO/IEC 27005:2011 refers at Clause 6 to the high-level general overview of the risk management process specified in ISO 31000:2009:
1. The context is established first. Then a risk assessment is conducted. If this provides sufficient information to effectively determine the actions required to modify the risks to an acceptable level, then the task is complete and risk treatment follows.
2. If the information is insufficient, another iteration of the risk assessment with revised context (e.g. risk evaluation criteria, risk acceptance criteria or impact criteria) is conducted, possibly on limited parts of the total scope (Risk Decision Point 1).
3. The effectiveness of the risk treatment depends on the results of the risk assessment.
4. Note that risk treatment involves a cyclical process of:
- assessing a risk treatment;
- deciding whether residual risk levels are acceptable;
- generating a new risk treatment if risk levels are not acceptable; and
- assessing the effectiveness of that treatment.
5. It is possible that the risk treatment will not immediately lead to an acceptable level of residual risk. In this situation, if necessary, another iteration of the risk assessment with changed context parameters (e.g. risk evaluation, risk acceptance or impact criteria) may be required, followed by further risk treatment (Risk Decision Point 2).
6. The risk acceptance activity has to ensure residual risks are explicitly accepted by the managers of the organisation. This is especially important in a situation where the implementation of controls is omitted or postponed, e.g. due to cost.
7. Throughout the information security risk management process it is important that risks and their treatment are communicated to the appropriate managers and operational staff. Even before the risks are treated, information about identified risks can be very valuable for managing incidents and may help to reduce potential damage. Awareness among managers and staff of the risks, of the nature of the controls in place to mitigate them and of the areas of concern to the organisation assists in dealing with incidents and unexpected events in the most effective manner.
8. The detailed results of every activity of the information security risk management process, and of the two risk decision points, should be documented, so that the process is supported by sufficient auditable documented information.
Notably, Clause 11, Risk Communication and Consultation, underpins all of the other activities and, according to ISO/IEC 27005:2011, ‘should be performed continually’.
This article has been authored by James Walker at Visviva for use on the NQA Certification Ltd website. Visviva is listed as a trusted and valued consultancy organisation on NQA’s Associate Consultant Register.