Get a quote
Home Resources Videos

ISO 27001:2013 - Risk Assessments Explained

04 August 2020
Watch a pre-recorded presentation designed to uncover some common myths regarding Risk Assessments as required by ISO 27001:2013.


Identifying the risks that can affect the confidentiality, integrity and availability of information is one of the most time-consuming parts of the risk assessment process.

Find out how the implementation of a robust risk assessment regime can help to implement an effective Information Security Management System. 
 
Your presenter is Barri-Jon Graham discusses:
  • Information Security Risk Management Methodology

  • Identification of Information Security Risks

  • Performing Information Security Risk Assessments

  • Treatment of Information Security Risks

  • Reporting of Information Security Risks

For further information on ISO 27001 please click here
For further information on ISO 27701 please click here.
You may also find some helpful blog articles here

Register your place on one of our popular virtual Information Security Training courses here.

-------------------------------------------------------------------------------------------------------------------------

VIDEO TRANSCRIPT

ISO 27001 – Risk Assessment Explained

00:05 - Good afternoon everybody. Welcome to NQA for this webinar on risk assessments, I’m just going to give it another minute or so because I can see a couple of people trying to get in and then we'll start.

01:19 - So, hello again everybody welcome to the webinar and my name is Barri Jon Graham, I’m one of NQA's ISO 27001 Information Security assessors. I can see from the list of attendees there's a few people out there met all my travels and so hello to you and if I haven't met you so far, I hope I have the pleasure of meeting you in the near future.

01:41 - Today I’m going to be looking at risk assessments process and attempting to uncover some other common myths which surround the risk as required and outlined in the standard.

01:50 - Although this is very much for 27001 specific process, for this webinar the risk process we examine during the webinar should hopefully be applicable to other management systems too.

02:03 - It should be part of the way you think no matter what you do or which what sort of background you have if you're looking at risks then you know the processes we outlined here are going to be applicable to you. So excuse the terminology because during as we go through it's very much focused on 27001 but and we do delve into other areas where it would be appropriate for you.

02:25 - As you've already received an email from the brilliant marketing team, I’m sure you've already seen the areas which we aim to cover, but just as a refresher we will be looking at information security risk management methodology, identification of information security risks, performing risk assessments, treatment of information security risks, the reporting of risk, and then we'll wrap up the conclusion.  

02:52 - Additionally, you can also if you haven't received yet download for free the ISO 27001 implementation guide from the NQA webpage (https://www.nqa.com/en-gb/certification/standards/iso-27001/implementation) and this is an excellent handrail for how to effectively implement an ISMS it's definitely a worthy reference document and one that we're looking to add to in the near future within Annex A specific reference point.

03:12 - I am happy to answer any questions although I’m going to be leaving those till the end,  there will be ample time at the end of the webinar to pick up the questions you may have which you thought about from the main board of the webinar. So don't worry if we skip through something and it's something you want to come back to we'll do that during the questions at the end.

03:30 - Just to remind you now that everybody will receive a full copy of this recording of the presentation along with the slide deck once the webinar is complete.

Our Purpose

03:44 - NQA has a large global client base and we've been serving these for over 30 years and rest assured that you're in good hands. We are top performance in the UK, the Americas and across the globe across various management systems.

Outline

04:03 - So here is an outline of what we're going to cover during this webinar we'll start by looking at information security risk management methodology, and these are the rules for conducting a good risk assessment the rules within which your business will obviously differ across industries of industry and sectors the sector however an approximate guide is given.

04:25 - We're going to then look at identification of information security risks, and these are what kind of things or threats can be classed as threats to your organization and assessments. Then we'll look at performing a risk assessment and things to consider when performing this activity.

04:43 - Then we'll look at treatment of your identified risks what to do to control these risks and there are four options available that we will be looking at, however, the treatment of risks is something that's pertinent to everybody so we'll be delving into that one a little bit more than the others.

04:59 - And then finally we'll be looking at reporting how to report on these risks to avoid things being overlooked or deemed too complicated to control.

OUTLINE - ISO 27001:2013

05:11 - So, ISO 27001 formally specifies an information security management system this is a suite of activities concerning the management of information risks or called information security risks in the standard the ISMS, is an overarching management framework through which the organization identifies analyzes and addresses its information risks.

05:34 - The ISMS ensures that secure the security arrangements are fine-tuned to keep pace with the changes to the security threats vulnerabilities and business impacts this is an important aspect in such a dynamic field and the key advantage of ISO 27001's flexible risk driven approach.

05:54 - The standard covers all kinds of organizations so commercial enterprises, government agencies, not profits not for profits, and that includes all sizes from micro businesses to huge multinationals and all industries or markets this is clearly a very wide brief. 

06:14 - 27001 is an information security standard that helps companies come into compliance with international best practice models the standard covers three key components of data security its people, processes, and technology. When steps are taken to safeguard data within these three components businesses are better equipped to protect information, mitigate risks, and rectify procedures that are deemed ineffective.

06:42 - As such a growing consensus has emerged in the corporate sector that deems 27001 to be a gold standard in prep best practice schemes by putting the standard into effect, an organization activates an information security management system that works within the business culture of the company in question the standard is regularly updated and enhanced and these ongoing improvements allow the ISMS to stay abreast of changes, both within and outside of the company all while spotting and eliminating new risks.

07:12 - A good example of that is the recent technical extension to cover data privacy in the aftermath of GDPR it's designed to support confidentiality integrity and availability of your information and help you maintain legal compliance, it helps you to protect your data from cybercrimes from misuse, fire theft, and other threats having a certified ISMS in place will give you your customers more confidence as well as improve relationships with other stakeholders and help you submit to get risk.

07:53 - Common example of confidentiality be an online transaction conducted all the secure methods such as the use of encryption whereby information is protected if you look at the top of your internet tools bar you should see https this is an example of that. As for integrity, an example here would be the trustworthiness of customer financial account information, think about bank accounts and personal information contained within those these are held by a bank for conducting daily operational transactions.

08:26 - And finally, availability could pertain to a bank's customer-facing web service that hosts the online banking portal for its customers can access at any time of the day.

Definitions

08:39 - Look at some definitions which are going to come during this webinar and around the risk process in general, according to ISO 27000 which is information technology security techniques, the ISMS overview and vocabulary things you can see on screen there are part and parcel of the implementation of this standard.
 
09:04 - What we're going to look at during this webinar is this process here the assessment treatment acceptance.

Background

09:13 - The systematic approach to information security risk management is necessary to identify organizational needs regarding information security requirements and to create an effective management system.

This approach should be suitable for the organization's environment and in particular should be aligned with overall enterprise risk management security efforts should address risks in an effective and timely manner where and when they are needed information security risk management should be an integral part of all information security management activities and should be applied both to the implementation and ongoing operation of an ISMS.
 
09:54 - Information security risk management should be a continual process; process should establish the external and internal contacts assess the risks and treat the risk using a treatment plan to implement the recommendations and decisions risk management analysis analyzes what can happen and what the possible consequences can be before deciding what should be done and when to reduce risk to an acceptance level.
 
10:25 - On screen you'll see the major contributory considerations we will examine consequence and likelihood in more detail to try and illustrate how this applies to your business, some more factors are listed on the screen here you'll notice the recurring theme of monitor and review risk management is not a one-time thing quite simply once you've been through the process.
 
10:58 - Once you should find ways of controlling your risk better or eliminating risk entirely which forces a refresh and go back to the start where you first identified risks to see if there is still a risk as a result of your control.

Risk Methodology

WHAT IS CONTEXT AND RISK MANAGEMENT APPROACH?

11:14 - So, let's dive into this, this is your first step on avoid through risk management you need to define rules on how you were going to perform the risk management process, because you want your whole organization to do it in the same way.
 
11:29 - One of the biggest problems with risk assessment happens if different parts of an organization perform risk assessment in a different way.
 
11:39 - So, context this is the external internal context for information security risk management which should be established, this involves setting the basic criteria necessary for information security risk management to occur.
 
11:52 - It's essential to determine the purpose of the information security risk management as this affects the overall process and the context establishment in particular depending on the scope and objectives of the risk management, different approaches can be applied the approach can also be different for each iteration an appropriate risk management approach should be selected or developed that addresses basic criteria such as risk evaluation, criteria impact, criteria and risk acceptance credit.
 
12:30 - Additionally, an organization should assess whether necessary resources are available to perform a risk assessment and establish a risk treatment plan define and implement policies and procedures which include the implementation of selected controls monitor those controls and monitor the information security risk management process it can be quite resource intensive.

WHAT IS RISK EVALUATION CRITERIA?

12:56 - So, what is risk evaluation criteria? This risk evaluation criteria should be developed for evaluation of an organization's security risk and consider some of the following things the strategic value of the business information process criticality of the information assets involved operational and business importance of availability confidentiality and integrity.
 
13:24 - Stakeholders’ expectations and perceptions and negative consequences for goodwill and reputation. Additionally, risk evaluation criteria can be used to specify priorities for risk treatment.

WHAT IS IMPACT CRITERIA?
 
13:42 - So, what is impact criteria? Impact criteria should be developed and specified in terms of the degree of damage or costs to an organization which are caused by an information security event
 
13:55 - You should consider the following the level of classification of the impacted information asset breaches of information security so for example the loss of confidentiality integrity and availability any impaired operational process whether this is internal or via a third party.
 
14:17 -  Any loss of business and financial value the disruption of plans are deadlines and the damage to reputation.

WHAT IS ACCEPTANCE CRITERIA?
 
14:30 - This is a commonly asked question what is acceptance criteria?
 
14:36 - Risk acceptance criteria should be developed and specified and committed to policy risk acceptance criteria often depend on the organization's other policies goals objectives and the interests of stakeholders an organization should define its own scales for levels of risk acceptance.
 
14:57 - The following should be considered when you're doing this risk acceptance criteria can include multiple thresholds which have a desired target level of risk but provision for senior management to keep risks above this level under defined circumstances.
 
15:14 - Risk acceptance criteria can be expressed as a ratio of estimated profit or other business benefit to the estimated risk different risk acceptance criteria can apply to different classes of risk criteria can include requirements for future additional treatment.
 
15:34 So, for example if a risk can be accepted if there is a rule approval and commitment to take action to reduce it to an acceptable level within a future defined time period. Risk acceptance criteria can differ according to how long the risk is expected to exist for.
 
15:56 - So again, for example the risk can be associated with a temporary or short-term activity or a project which has a finite timeline risk acceptance criteria should be set up considering the following business criteria operations undertaken any technology in place.
 
16:14 - Financial considerations and social and humanitarian factors they're just a few things collectively these are the rules which govern how you intend to identify risk who you assign risk ownership to how the risks affect confidentiality integrity and availability of the information and the method of calculating the estimated damage in each scenario and the likelihood of it occurring.

IDENTIFY RISKS
 
16:42 - The purpose of risk identification is to determine what can happen to cause a potential loss and to gain insight into how where and why the loss can happen.
 
16:53 - Risk identification should include risks whether or not their source is under the control of the organization even though the risk source or cause is perhaps not evident identifying risks that can affect the confidentiality integrity and availability of information is perhaps the most time-consuming part of the whole risk assessment process if you follow an asset-based approach this can help developing a list of information assets is a really good place to start but if you can find an existing asset list most of the work will already be done.
 
17:26 - Now bear in mind assets as it says on the screen there is anything which can add value to an organization and therefore requires protection for the identification of assets bear in mind that an information system consists of more than just hardware and software and as common as they can see with organizations first implementing it asset identification should be formed as a suitable level of detail that provides sufficient information for a risk assessment to take place.
 
17:53 - The level of detail used on the asset identification influences the overall amount of information which is collected during the risk assessment the level can be refined in further iterations of the risk assessment you will visit this again an asset owner should be identified for each asset and this provides responsibility and accountability for the asset.
 
18:14 - The assets owner perhaps does not have the property rights to the asset but does have a responsibilities for its production development maintenance use and security as appropriate an asset owner is often the most suitable person to determine the assets value to an organization.
 
18:32 - A threat has the potential to harm assets such as information processes and systems and therefore organizations threats can be natural or human origin and can be accidental or deliberate both accidental and deliberate threat sources should be identified.
 
18:50 - A threat can arise from outside of the organization threats should be identified generically and by type so for example any of unauthorized actions physical damage technical failures etc then where appropriate individual threats within the generic class identified this means that no threat is then overlooked including anything unexpected, but the volume of work required is still limited some threats can affect more than one asset in.
 
19:19 - Such cases they can cause different impacts depending upon which of the assets are affected input into the threat identification and estimation of the likelihood of occurrence can be obtained from the asset owners or users from human resource staff from facility management experts etc there's a whole body of people who can contribute to threat identification.
 
19:43 - aspects of environmental and culture should definitely be considered when addressing threats internal experience from incidents and past assessments should be considered in the current assessment we've got some examples of this if it's not clear.
 
19:57 - Vulnerabilities can be identified in the following areas within the organization its processes and procedures in management routines in personnel within the physical environment it exists in within information system configuration hardware software or communications equipment and dependence on third parties or external bodies the presence of a vulnerability does not cause harm in itself as there needs to be a threat present to exploit a vulnerability.
 
20:28 - A vulnerability that has no corresponding threat may not require the implication of implementation of a control but it should be recognized, and it should be monitored for changes.
 
20:38 - It should be noted that an incorrectly implemented or malfunctioning control or a control which is being used incorrectly can itself be a vulnerability. A control can be effective or ineffective depending upon the environment in which it operates conversely a threat does not have to have a corresponding vulnerability and it may not result in a risk analysis of risk. You must identify the threats and vulnerabilities that apply to each asset. So for example, if the threat is a theft of a mobile device.
 
21:10 - For example that's a fairly common one the vulnerability is a lack of formal policy for mobile devices after you've done this you should assign impact and likelihood values based on your risk criteria you could use severity instead of impact probability instead of likelihood terminology doesn't have to be the same.
 
21:33 - Once you know the rules you can start finding out where the potential problems lie and what could happen to you but the start point is to list all of the assets then go with the threatened vulnerabilities related to those assets assess impact and likelihood for each combination of asset threat vulnerability and finally calculate a level of risk. So in my experience companies are usually aware of a limited number of the risks which are applicable to them, therefore, if you sit down and do this so SWOT and PESTLE are some really good ways of identifying this.
 
22:07 - You probably find it quite revealing and when you finish doing that, you'll start to appreciate some of the effort that you put into identification of risk and exactly where you are vulnerable, so as promised, here is a good example of everything we've just discussed in terms of asset threat vulnerability trying to bring it to life with a fairly common identified asset such as a laptop.
 
22:34 - The key thing here is to identify all the risks which are associated with a certain asset and also the vulnerability posed by these risks in this case here one asset has numerous threats with a number of vulnerabilities.
 
22:51 - So, it's not just a you know a laptop or the threat to the laptop there could be a number of things a threat or a malfunction or a theft or a loss there you go and then the vulnerabilities are identified, so you've got to do this kind of process for each of the information assets you start with.

TRIED AND TESTED
 
23:09 - So, in terms of methodology now you will need to weigh each risk against your predetermined levels of acceptable risk for example your risk appetite and this determines which risks you need to address and which ones you can ignore for the time being. Although some organizations have started to address every single risk they have thought about and that is not wrong five by five is one of the more middle of the road common examples I see and it works perfectly well.
 
23:38 - There's a good illustration of the kind of areas where you can make this applicable to wherever you are I see also seen four by four which forces people to select slightly higher or slightly lower risk or even a 10 by 10 which gives you a wider spectrum of risk consideration whatever works for you you've got to make it fit for where you live and make it workable for your team.
 
23:58 - So here we can see a 5x5 matrix with impact running vertically and likelihood running horizontally from here just by quickly assigning some color-coded values you can see where a risk is potentially considered high medium or low.

Conducting a Risk Assessment

QUANTITIVE OR QUALIATIVE
 
24:26 - So, quantitative versus qualitative quantitative risk analysis uses a scale which has numerical values rather than descriptive scales which are used in qualitative for both consequences and likelihood using data for a variety of sources. So the quality of analysis for quantitative risk analysis depends on the accuracy and completeness of numerical values and the validity of the models used quantitative analysis, in most cases will use historical incident data providing the advantage that it can be related directly to an information security objectives or concerns of an organization.
 
24:59 - A disadvantage is the lack of such data on new risks or where an organization has just started a risk assessment process you won't have data to refer to in some circumstances so clearly using a quantitative approach might be applicable when you're starting up.
 
25:22 - In financial terms quantitative risk assessments include a calculation of the single loss expectancy of a monetary value of an asset the way in which consequences and likelihood is expressed and the ways in which they are combined to provide a level of risk will vary according to the type of risk and the purpose for which the risk assessment output is to be used the uncertainty and variability of both consequences and likelihood should be considered in the analysis and communicated effectively.
 
25:52 - Qualitative risk analysis uses a scale of qualifying attributes to describe the magnitude of potential consequences so for example I've seen on the previous slide low medium and high and the likelihood that those consequences will occur an advantage of qualitative analysis is the ease of understanding by all relevant personnel while a clear disadvantage is the dependence of the subjective choice of the scale so what would medium risk be to one person might be high risk for another.
 
26:18 - For example now these scales can be adapted or adjusted to suit individual circumstances and different descriptions can be used for different risks qualitative risk analysis can be used as an initial screening activity to identify risks which require further analysis where this kind of analysis is appropriate for decisions.
 
26:40 - Again, qualitative risk comes into its own where the lack of numerical data exists or doesn't exist qualitative analysis should use factual information and data where it's available.
 
26:53 - Assigning probability and impacts risk is a subjective exercise some of this subjectivity can be eliminated by developing rating scales which are agreed upon by an organization from the start. Generally speaking, from experience now an organization must define an impact in likelihood levels that are relevant to the business and not trying to copy somebody else.
 
27:14 - ISO 27001 and 27005 do not state specifically whether these levels should be quantitative or qualitative high to low one to five one to 100 etc. The most important thing is that people understand their scoring in business terms which is why it's got to work for the organization you work in and be considered in that background.
 
CRITERIA – IMPACT
 
27:38 - So now you're conducting the risk assessment you're really starting to have a look at things you've got to look at impact is usually measured in terms of CIA. So, confidentiality integrity and availability this can include financial reputation and regulatory impact.
 
27:55 - And also, information security and operational impacts once you've analyzed risk you need to evaluate risk and they evaluate them further to establish where they fit in terms of your risk appetite only once you've done this can you decide the appropriate way to treat a risk.
 
28:12 - This means you should be able to quickly identify where your highest risks are and create a prioritized list of which risks to address and in what order you're going to approach them.
 
28:22 - It's particularly important to identify whether or not a risk falls within or outside of your predetermined level of acceptable risk when risk owners say that they will accept a risk of, for example, nine they must be prepared to accept a business situation such as this is the equivalent of the loss of 250 000 pounds every year rather than the less relevant.
 
28:44 - Impact of three likelihood of three in practice there is a link between impact and threat and vulnerability and likelihood as similar threats tend to produce impacts on business and similar vulnerabilities produce similar likelihoods impact types could include, human, financial, legal, regulatory, reputation, and operational considerations.
 
Likelihood factors could include frequency of occurrence previous occurrence current levels of security control the size of the attack group and knowledge of a vulnerability above the attack.

IMPACT LEVEL
 
29:24 - I’ll just present also in one go, okay, so this this isn't a definitive answer this is just an example put together to give you an illustration of what it could mean in terms of impact level and trying to use some sort of quantitative and qualitative approach and the following hopefully bring to life what we've just covered and provide some kind of guidance in your own mind to help you visualize where this stands in terms of your own business rules this is not a hard fast example of things I've seen this is just to give you a flavour of the kind of things to consider.

Risk Treatment

4 OPTIONS
 
30:05 - So of course, not all risks are created equal you have to focus on the most important risks the so-called unacceptable risks which fall above your risk threshold there are four options to choose from to mitigate each identified unacceptable risk.
 
30:23 - Now the terminology on screen there says modify transfer avoid accept but you can use treat, tolerate, transfer, terminate, it doesn't matter as long as the terminology used is understood.
 
30:34 - By all so we'll keep with the terminology as seen on screen so when you modify you apply security controls which are contained in Annex A to decrease the risks when you transfer the risks from the party for example an insurance company then you move that risk away from your ownership.
 
30:55 - You can avoid the risk altogether by stopping any activity which is deemed to be too risky or by approaching that particular activity in a different way you can choose if you wish to accept a risk if you've identified it as a high risk and you cannot modify you can't transfer you can't avoid it and you can accept that risk.
 
31:15 - But risk ownership must agree that this has a high-risk process and must be retained and this is where everybody is different and where things need to be a little creative. How do you decrease a risk with minimum investment it would be easy of course if budgets were unlimited but that's never going to happen and I must tell you that unfortunately some of the management is right it is possible to achieve some results with less money you just need to figure out how and select appropriate controls and ensure those controls are effective.
 
31:48 - As mentioned at the start and there are four there are four options to risk treatment, we will predominantly now focus on modify because that's where Annex A of the standard comes into play and treat is a process used to ensure that information risks are reduced to an acceptable level and this action should be in line with the level of risk posed to the information assets and this is normally by adding strengthening security controls to reduce either the likelihood of vulnerability.

CONTROL MEASURES – ANNEX A
 
32:17 - We do this using Annex A so within the standard ISO 27001 at clause 6.1.3 there is a description of how an organization can respond to risks with a risk treatment plan an important part of this is choosing appropriate controls.
 
32:34 - Within Annex A of 27001 there are 114 controls those are split amongst 18 controlled domains which is shown on the screen there.
 
32:48 - Now information security policies have a list of controls and how policies are written and reviewed. Organization of information security contains controls and how the responsibilities are assigned within the management system it also includes controls for mobile devices and teleworking which hopefully everybody's read recently. Human resource security these controls contain
 
33:13 - information on actions to be taken prior during and after employment asset management contains controls related to the inventory of assets and acceptable use and also for information classification and media handling access controls contain controls for access control policies user access management system and apple application access control and responsibility for users.
 
33:38 - Cryptographic controls relate to the encryption of data and key management physical and environmental security controls define secure areas entry procedures protection against physical threats equipment security secure disposal clear desk clear screen etc. Operational security contains
 
33:58 - controls related to the management of IT production change management capacity management malware backup logging monitoring installation vulnerabilities etc.
 
34:07 - Communication security controls relating to network security segregation in networks and transfer of information in electronic passages, for example, system acquisition development and maintenance contains controls specific to software engineering and security requirements in development and support process supply relations.
 
34:30 - Controls on what to have in in agreements and how to monitor suppliers incident management controls identifies the requirement to control the reporting of events any weaknesses defining responsibilities within information security incident management system and collection of evidence security aspects of business continuity management now this one has come to the fall.
 
34:54 - Recently these controls I specified the planning of a business continuity plan the procedures involved and the verification and review activity and ensure that an organization has redundancy and failovers in this information hosting and processing facilities and finally in compliance domain there are controls through the identification of applicable laws and relations into intellectual property protection personal data protection and reviews of information security.
 
35:25 - So Annex A within those domains sets out 114 good practice security controls the controls use the word should and therefore are neither mandatory nor exhaustive this means that organizations with different levels of risk will apply these controls to different levels of strength although ISO  27001 doesn't require you to use the Annex A controls exclusively you do have to check the controls you select from elsewhere against those within Annex A to ensure that each risk is appropriately mitigated.
 
36:00 - Once you've selected your controls you need to produce a statement of applicability.
 
CONTROL MEASURES – ANNEX A & STATEMENT OF APPLICABILITY
 
36:05 - This is one of the most important documents in 27001 it should identify the controls you've selected to address the risks you've identified explain why you've selected those controls state whether or not they've been implemented and explain why you have selected to omit some control.
 
36:25 - It therefore stands to reason that there will be at least 114 entries in your statement of applicability one for each Annex A control all of which will include extra information about each control and ideally linked to relevant documentation of the policy.
 
36:41 - A risk assessment report can be very long so an SOA is a useful document for everyday operational use a simple demonstration the controls have been implemented and a useful link to the relevant procedure think of this as an index within your management system.
 
36:56 - This statement of applicability actually shows the security profile of your company this is based on the results of the risk assessment treatment this treatment and you will need to list all of the controls you've implemented why you've implemented them and how this document is really important because a certification auditor will use it as a main guideline for the audit.

4 OPTIONS CONCLUSION
 
37:18 - So, we look to treat there and that was one of the options and we've delved into detail. Of course, there were others you could share which is generally done by insuring or outsourcing a process.
 
37:32 - Although you would typically still suffer the impact you can share the risk with somebody better able to mitigate this risk and this shifts part of the risk to another organization contractually to a business partner for example ID support services an organization cannot transfer ownership of the risk you could avoid or terminate and this ends the activity or the circumstances, which cause the risk. For example, by not carrying out the activity or by moving locations if that's
 
38:00 - what it takes and this occurs when there's no cost effective action to reduce the risk and it may choose may involve choosing an alternative to the activity which meets the same business need and then finally there's tolerate or accept and this is more commonly a risk which is not able to be treated or not able to be transferred.
 
38:23 - And you definitely can't stop this activity although the risks still prevent persists so ultimately it's identified to top management and I assigned appropriate level of ownership no action should be taken however they should be documented and communicated.
 
38:42 - And risk treatment plan this is the end of it this is the step where you've moved from theory to practice let's be honest all now this all we've done so far is this whole risk management.

RISK TREATMENT PLAN
 
38:52 - Process is purely theoretical but now it's time to show results this is where the risk treatment plan comes into play the purpose of the plan is to define exactly who's going to implement a control.
 
39:04 - The time frame is when in which is going to be completed and with what budget etc. I’d like to call this document and implementation plan or action plan but the terminology within the standard says risk treatment plan.
 
39:17 - Once you've written in this document it's crucial to get management approval because it may take time and money to implement all of the controls you've selected and planned without management commitment you're probably not going to get any of these resources.
 
39:30 - And that's it you've started your journey from not knowing how to set up your security all the way through to having hopefully a clear picture of what you need to do to implement a risk management process the point is 27001 forces you to make this journey in a systematic way.

Questions and Answers

39:48 - And that's it from me please feel free to visit our website for additional content like i said before there's an Annex there is a 27001 implementation guide and a quick review of the Annex A controls that'll be enhanced by another document which is coming online soon which is more detail about the statement of applicability. There are other
 
40:09 - channels available my email address is on there if you have any questions if you've got to leave us now and then please feel free to drop me a line further down the line but thank you very much for joining us it's been a pleasure to talk to you I will now address any questions which are contained from this webinar. So David has asked me to clarify what 18 domains so if i go back.
 
40:53 - What i meant by that David is quite simply if, sorry 14 not 18 my bad so I read that wrong so there's 14 there sorry and so A. 5 through to A. 18. So I got caught up by reading the 18 there in compliance but there are 14. I’m sorry.
 
41:18 - Very forgiving, thank you Dave and you can download.
 
41:21 - So, Natalya it I hope I’ve said your name right there you can download this this webinar will be sent to you via email by the marketing team once we've closed down for the day so you've got a reference guide if you go to the NQA webpage I’ll go to the end.
 
41:43 - So, if you go to the NQA webpage and there so www.nqa.com and you click on resources and information security you'll see an implementation guide further if you look at the blogs and webinars then you can have a copy of all the recent webinars around the information security and direct access to some of the blogs we've written so there's a whole host there's all resource pool there for you to use. If you look at implementation of this. Thank you, Damian good to see you hope you're well.
 
42:40 - I’m going to stay on for another couple of minutes just in case anybody's got any questions which are burning but like i said you will get a copy of this webinar and you have my email address contained within that so if it's a couple of weeks from now and you're reviewing this and you just want to ask a question about risk assessments treatment for example then please do drop me a line and I'll attempt to answer your question.
 
43:28 - Okay I don't think I'm going to get any more questions for that for today but thank you very much for joining us stay tuned we've got another one Friday.
 
43:38 - Oh, there is questions all right okay sorry mike so thanks another help resources so yeah, I'll tell you what if my email address is on the on the screen there if you want a direct link to where some of the resources, we've got such as the implementation guide the other webinars out there the blogs anything information security related which NQA is released which you may find helpful.
 
44:05 - Drop me an email and I'll respond with a link direct to the bits of information I’m referring to.
 
44:31 - So, vincente i hope I’m pronouncing your name right there and so how he asked how and easier for an organization that has ISO 9001 to get 27000 okay now if you've got 9001 you will have had to have done a lot of the legwork which is required within an information security management system.
 
44:54 - So you'll have a process for identifying context for example you'll have a risks and opportunities register hopefully you'll have an idea on support resources communication awareness you'll have an internal audit process you'll have a management review process you'll have an improvement channel.
 
45:13 - So you've got to use those what you did the primary difference between 9 and 27 is the identification of information specific assets which forces you then to look at the Annex A controls and then apply those controls against the risk to the assets. So there's a bit more work to do on the risk process specifically in terms of generation of documentation about risk assessment this is usually done in the form of a risk register and then all of the information which is required in the standard is populated within register so there is work to do.
 
45:46 - But it is achievable quite simply once you know the risks to your information assets then you can use the controls in Annex to see if it applies to treatment of those risks you've identified.
 
45:58 - So, it's something a lot of organizations with an existing management system do I know there's a similar question about um comparison to another standard there so yes so if you have another information sorry another management system in place with you know clause 4, 5, 6, 7, 8, 9, 10 it's the same for 27001 the big difference comes in that risk identification.
 
46:22 - And then the treatment of your risks is using controls also contained within the standard so that's the big difference there and if you look at the implementation guide which you know like I said if you email me, I'll send you a link to the implementation.
 
46:39 - It actually points those things out within there so when you get to clause 6 there's a little bit more work to do on risk planning and then operational risk treatment around the operational area using Annex A controls but it all it's all sort of joined together however, you can bolt on your internal audit management review etc to the things you've got already so if you've got a system in place you've got a really good foundation to achieve 27001.
 
47:15 - It's fine honestly please to ask your question answer your question I hope didn't do too much bad stuff to your name there.
 
47:24 - Clive I know you can't give consultancy but have you seen the nice information have you seen a nice information security risk assessment template okay so yes I have you know I’ve seen some really good examples of that on the road and I’ve seen some not so good examples and in 27001 in an information security management system for an organization that's been up and running for a little while then you might want to consider a risk register you know all the information should hopefully be hosted within there so what is your asset what is the risk  
 
47:55 - to that asset what is what is the scoring you give to that risk the only separate document from that should in some circumstances could be the methodologies to describe how you arrive at various schools such as impact levels and then where you define your risk of impact criteria so,
 
48:11 - then there are plenty of websites which you can use using a search engine which show you a information security risk register so and it's got all the columns required in some circumstances like I said.
 
48:26 - I can't specifically provide you with a template but if you want to satisfy check something you have created ahead of an audit then I’ll be pleased to cast my outlook.
 
48:42 - You're very welcome.
 
48:46 - Roger so can you explain this as defined in standard 6.13 clause 6.13 of ISO 27001 yeah so I think that's kind of the question I was just.
 
48:59 - So towards the end there it says with 6.13 it says in in layman's terms keep it simple but the standard says that you must go to Annex A create a document called a statement of applicability which lists every single one of the 114 controls okay you start there by listing that then what you do is you indicate whether or not you're going to use that control against the risk you've identified so you've got to start at the risk asset what are my assets.
 
49:28 - What is the risk to those assets and then how do I control that and that's where you 6.13 says create the statement of applicability you list all of them and then choose whether or not you're going to use those controls against the risks you've identified okay and that the statement of applicability then becomes your sort of index to your entire ISMS because it tells you where your controls exist and what risks you have.
 
49:55 - Yeah right sorry Roger everybody who everybody is on listen only mode for webinars but you have my email address there so if you have so a couple of questions you want to ask then please feel free to email me direct okay.
 
50:48 - Okay I think dare say that maybe it but yeah okay so thanks very much for joining us guys hopefully see you again soon there's another one Friday for business continuity 22301 so if you're free please do join us for that otherwise I look forward to speaking with you again soon take care.