What’s the real power and value of ISO 27001:2005?

The real power and value of ISO 27001:2005 comes from the improved operational effectiveness achieved by implementing the management section requirements and the list of security controls.

When an organization implements the management requirements of the ISO 27001 Standard, not only does it safeguard assets through best-practice controls, but, more importantly, the organization gains a risk assessment methodology that ensures every risk to the business is identified and treated appropriately.

Steps within the risk assessment framework

A risk assessment methodology may be undertaken in four steps.

  1. Identify the organization’s assets and the owners of the assets. Know what you need to protect, and who is responsible.
  2. Identify the threats to the assets, along with the vulnerabilities that may be exploited. This is an analysis of just how the assets may be compromised.
  3. Identify the impact that a loss of confidentiality, integrity, or availability of each asset would have on the business. The organization determines what the business impact would be if the asset were compromised.
  4. Assess the realistic likelihood of each threat/vulnerability pair leading to the compromise of each asset.

With the completion of these steps in the risk assessment methodology, the organization is able to quantify the risks it faces, make a conscious decision to accept individual risks, or set priorities for the implementation of security controls to mitigate them. The risk methodology selected does not have to be complex, expensive, or over-reaching; it must, however, ensure that risk assessments produce comparable and reproducible results, so that two assessors rating the same asset against the same threat arrive at the same risk level.

The risk assessment methodology allows the organization to remain responsive to new risks and to address each risk in the manner most suitable to the organization at that time. This means that with a well-structured risk assessment framework you can not only minimize the negative impact of threats, but also maximize the positive impact of opportunities. A well-implemented control may provide security for a time, but a well-established risk assessment methodology provides the means for an organization to protect the business at all times.

Developing a risk treatment plan

With the risks to the organization more fully understood we are now ready to evaluate the various options for the treatment of risks.

Possible actions include:

  • Apply appropriate security controls to reduce the risk.
  • Knowingly and objectively accept the risk, provided it satisfies the organization’s criteria for risk acceptance.
  • Avoid the risk, for example by not undertaking the activity that gives rise to it.
  • Transfer the associated risk to other parties, such as suppliers or insurers.

If applying a security control is the preferred treatment for a risk, Annex A (Control Objectives and Controls) of ISO 27001:2005 provides a comprehensive list of security controls that have been found to be commonly relevant in most organizations. Implementing a security control is just one of several possible risk treatments; it is the established and operating risk assessment methodology that allows an organization to make an informed decision about which treatment to apply.
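To make the four assessment steps above and the treatment options concrete, here is a small risk register in Python. It is an added illustration, not code from the article or from the standard: the 1–5 ordinal scales, the acceptance criterion (a score below 10 is acceptable), the four treatment names, the assets, owners, threat/vulnerability pairs and decisions are all assumptions constructed for this example. The register sorts deterministically on score, asset and threat so that the same inputs always produce the same ordering (the "comparable and reproducible" requirement), refuses to leave an unacceptable risk without a treatment, and rejects a treatment whose residual risk still exceeds the acceptance criterion.

```python
"""Toy ISO 27001-style risk register: assets and owners (step 1), threat/
vulnerability pairs (step 2), CIA business impact (step 3), likelihood (step 4),
then one treatment decision per risk. Added example; scales, threshold,
treatment names and sample data are assumptions, not taken from the standard."""
from dataclasses import dataclass

SCALE = range(1, 6)        # assumed 1-5 rating scale for impact and likelihood
ACCEPT_BELOW = 10          # assumed acceptance criterion: impact x likelihood < 10
TREATMENTS = ("apply controls", "accept", "avoid", "transfer")


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str       # step 1: who is accountable for the asset
    impact_c: int    # step 3: business impact if confidentiality is lost
    impact_i: int    # ... if integrity is lost
    impact_a: int    # ... if availability is lost


@dataclass(frozen=True)
class Scenario:
    asset: str
    threat: str         # step 2: what could happen ...
    vulnerability: str  # ... and the weakness that would let it happen
    affects: str        # which of C, I, A the scenario compromises, e.g. "CI"
    likelihood: int     # step 4: realistic likelihood of the pair being exploited


def impact(asset: Asset, affects: str) -> int:
    """Worst-case business impact over the properties the scenario affects."""
    per_property = {"C": asset.impact_c, "I": asset.impact_i, "A": asset.impact_a}
    if not affects or any(p not in per_property for p in affects):
        raise ValueError(f"affects must be a non-empty subset of 'CIA', got {affects!r}")
    return max(per_property[p] for p in affects)


def risk_score(asset: Asset, scenario: Scenario) -> int:
    """Ordinal risk = impact x likelihood; every rating must be on the agreed scale."""
    ratings = (asset.impact_c, asset.impact_i, asset.impact_a, scenario.likelihood)
    if any(r not in SCALE for r in ratings):
        raise ValueError(f"ratings must be in {list(SCALE)}, got {ratings}")
    return impact(asset, scenario.affects) * scenario.likelihood


def assess(assets, scenarios):
    """Risk register, highest risk first. The sort key includes asset and threat
    names so the same inputs always yield the same ordering (reproducibility)."""
    by_name = {a.name: a for a in assets}
    rows = []
    for s in scenarios:
        asset = by_name[s.asset]  # KeyError: a scenario names an asset that was never identified
        score = risk_score(asset, s)
        rows.append({"asset": asset.name, "owner": asset.owner, "threat": s.threat,
                     "vulnerability": s.vulnerability, "score": score,
                     "acceptable": score < ACCEPT_BELOW})
    return sorted(rows, key=lambda r: (-r["score"], r["asset"], r["threat"]))


def treatment_plan(register, decisions):
    """Attach one treatment to every row. decisions maps (asset, threat) to
    (option, residual_impact, residual_likelihood). Acceptable risks default to
    "accept"; an unacceptable risk without a decision is an error, and the residual
    risk after treatment must itself satisfy the acceptance criterion."""
    plan = []
    for row in register:
        key = (row["asset"], row["threat"])
        if key in decisions:
            option, res_impact, res_likelihood = decisions[key]
        elif row["acceptable"]:
            option, res_impact, res_likelihood = "accept", 0, 0
        else:
            raise ValueError(f"{key}: score {row['score']} exceeds the criterion and has no treatment")
        if option not in TREATMENTS:
            raise ValueError(f"{key}: unknown treatment {option!r}")
        if option == "avoid":
            residual = 0                  # the activity or asset is removed
        elif option == "accept":
            residual = row["score"]       # knowingly accepted, risk unchanged
        else:
            residual = res_impact * res_likelihood
        if residual >= ACCEPT_BELOW:
            raise ValueError(f"{key}: residual risk {residual} after '{option}' still exceeds the criterion")
        plan.append({**row, "treatment": option, "residual": residual})
    return plan


# Constructed sample data for the example (not real systems).
ASSETS = [
    Asset("customer-db", "Head of Engineering", impact_c=5, impact_i=5, impact_a=4),
    Asset("marketing-site", "Head of Marketing", impact_c=1, impact_i=3, impact_a=3),
]
SCENARIOS = [
    Scenario("customer-db", "SQL injection via web app", "unparameterised order-search query", "CI", 4),
    Scenario("customer-db", "Backup tape lost in transit", "backups shipped unencrypted", "C", 2),
    Scenario("marketing-site", "Volumetric DDoS", "no upstream traffic filtering", "A", 3),
    Scenario("marketing-site", "Defacement", "outdated CMS plugin", "I", 3),
]
DECISIONS = {
    ("customer-db", "SQL injection via web app"): ("apply controls", 5, 1),  # parameterise queries
    ("customer-db", "Backup tape lost in transit"): ("avoid", 0, 0),         # stop shipping tapes
    ("marketing-site", "Defacement"): ("transfer", 3, 1),                   # managed hosting contract
}

if __name__ == "__main__":
    for r in treatment_plan(assess(ASSETS, SCENARIOS), DECISIONS):
        print(f"{r['score']:>3} -> {r['residual']:>2}  {r['asset']:<15} {r['threat']:<28} {r['treatment']}")
```

The treatment decision itself (control, accept, avoid or transfer) is deliberately an input rather than something the code computes: choosing between, say, encrypting the tapes and no longer shipping them is a business judgement for the asset owner. What the code does enforce is the part the standard is strict about: every risk above the acceptance criterion gets an explicit, recorded treatment, and the residual risk after that treatment is checked against the same criterion.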

With regard to information security, the issue is not just about technical IT security controls. Technical controls play a large role in protecting information assets, but technology is only one part of the larger issue of risk management: protecting and ensuring the life and health of the business. The business of risk management is far too important to be left strictly to the IT department implementing technical controls.

Successful businesses demonstrate a strategic and comprehensive risk management focus rather than reacting to security incidents by implementing controls one by one. Successful organizations have a well-developed risk assessment methodology that systematically identifies and evaluates risks before security controls are selected and implemented. The best way to guide the allocation of limited resources is to identify the organization’s most valued assets and understand the threats to those assets.

To establish this risk assessment framework, organizations need to focus on the management system requirements of ISO 27001:2005 rather than starting and ending with the security controls.

What risk assessment information does ISO 27001 contain?

Excluding any of the requirements defined in the management section of ISO 27001:2005 is unacceptable if an organization claims compliance with the international standard. To comply with the standard you must demonstrate the establishment and use of a risk assessment methodology suited to the business, taking into account information security, legal, and regulatory requirements. The risk assessment approach must also define the criteria for accepting risks and identify acceptable levels of risk. The standard also provides the framework for conducting risk assessments and risk treatment, leading to the selection of the proper security controls.