Clause 6.1.2 -infosavvy

ISO 27001 Clause 6.1.2 Information security risk assessment process

Required activity

The organization defines and applies an information security risk assessment process.


The organization defines an information security risk assessment process that:

  • Establishes and maintains;
  • The Risk acceptance criteria;
  • Criteria for performing information security risk assessments, which may include criteria for assessing the consequence and likelihood, and rules for the determination of the extent of risk;
  • Ensures that repeated information security risk assessments produce consistent, valid and comparable results.

The information security risk assessment process is then defined along the subsequent sub-processes:

Identification of data security risks:
  • Identify risks related to the loss of confidentiality, integrity and availability for information within the scope of the ISMS;
  • Identify the Risk owners related to these risks, i.e. identify and appoint persons with the acceptable authority and responsibility for managing identified risks.
Analysis of the knowledge security risks:
  • Assess the potential consequences just in case the identified risks materialize, e.g. direct business impacts like monetary loss or indirect business impacts like damage in reputation.
  • Assessed consequences are often reported with quantitative or qualitative values;
  • Assess the realistic likelihood of occurrence of the identified risks, with quantitative (i.e.probability or frequency) or qualitative values;
  • Determine the amount of identified risk as a predefined combination of assessed consequences and assessed likelihoods;
Evaluation of the knowledge security risks:
  • Compare the results of risk analysis with the Risk acceptance criteria established before;
  • Prioritize the analysed risks for risk treatment, i.e. determine urgency of treatment for risks
    That are considered as unacceptable, and sequence if several risks need treatment.
  • The information security risk assessment process is then applied.
  • All steps of the knowledge security risk assessment process also because the results of its application are retained by the organization as documented information.

Implementation Guideline

The information security risk criteria should be established considering the context of the organization and requirements of interested parties and will be defined in accordance with top management’s risk preferences and risk perceptions on one hand and will leave a feasible and appropriate risk management process on the opposite hand. The information security risk criteria should be established in reference to the intended outcome(s) of the ISMS. The criteria concerning information security risk assessment that consider the assessment of likelihood and consequences should be established. Further, risk acceptance criteria should be established.
After establishing criteria for assessing consequences and likelihoods of data security risks, the organization should also establish a way for combining them so as to work out A level of risk. Consequences and likelihoods could also be expressed during a qualitative, quantitative or semi quantitative manner.

Risk acceptance criteria relates to risk assessment (in its evaluation phase, when the organization should understand if a risk is suitable or not), and risk treatment activities (when the organization should understand if the proposed risk treatment is sufficient to succeed in a suitable level of risk).Risk acceptance criteria are often supported a maximum level of acceptable risks, on cost-benefits considerations, or on consequences for the organization. The risk acceptance criteria should be approved by the responsible management.

Producing consistent, valid and comparable assessment results

  • The risk assessment process should be supported methods and tools designed in sufficient detail in order that it results in consistent, valid and comparable results.
  • Whatever the chosen method, the knowledge security risk assessment process should ensure that:
    all risks, at the needed level of detail, are considered;
  • Its results are consistent and reproducible (i.e. the identification of risks, their analysis and their evaluation are often understood by a 3rd party and results are an equivalent when different persons assess the risks within the same context);
  • The results of repeated risk assessments are comparable (i.e. it’s possible to know if the amount of risk are increased or decreased).
  • Inconsistencies or discrepancies within the results when the entire or a part of the knowledge security risk assessment process is repeated can indicate that the chosen risk assessment method isn’t adequate.

Identification of data security risks

Risk identification is that the process of finding, recognizing and describing risks. This involves the identification of risk sources, events, their causes and their potential consequences. The aim of risk identification is to get a comprehensive list of risks supported those events which may create, enhance, prevent, degrade, accelerate or delay the achievement of data security objectives.
Two approaches are commonly used for the identification of data security risks:

Event-based approach: considers risk sources during a generic way. Events considered can have happened within the past or are often anticipated for the longer term . within the first case they will involve historical data, within the second case they will be supported theoretical analysis and expert opinions;
This approach supports identification of assets, threats, and vulnerabilities: considers two differing types of risk sources: assets with their intrinsic vulnerabilities, and threats. Potential events considered here are ways on how threats could exploit a particular vulnerability of an asset to impact the organization’s objectives.Other approaches of risk identification could also be used if they need proven an identical practical usefulness and if they will make sure the requirements in.

NOTE The approach supported assets, threats, and vulnerabilities corresponds to the knowledge security risk identification approach by, and compatible with, the wants in ISO/IEC 27001 to make sure that previous investments in risk identification aren’t lost.It is not recommended that the risk identification be too detailed within the first cycle of risk assessment. Having a high level but clear picture of the knowledge security risks is way better than having no picture in the least.

Analysis of the knowledge security risks

Risk analysis has the target to work out the extent of the Risk. ISO 31000 is referenced in ISO/IEC 27001 as a general model. ISO/IEC 27001 requires that for every identified risk the Risk analysis is predicated on assessing the results resulting from the Risk and assessing the likelihood of these consequences occurring to work out A level of risk.

Techniques for risk analysis supported consequences and likelihood can be:
Qualitative, employing a scale of qualifying attributes (e.g. high, medium, low);
quantitative, employing a scale with numerical values (e.g. monetary cost, frequency or probability of occurrence); or semi-quantitative, using qualitative scales with assigned values.

Whatever technique for risk analysis is employed , its level of objectivity should be considered.
There are several methods for analysing the risks. the 2 approaches mentioned (event based approach and approach supported identification of assets, threats, and vulnerabilities) are often suitable for information security risk analysis. Risk identification and analysis processes are often best when administered with the assistance of experts within the relevant risks under discussion.

Evaluation of the knowledge security risks

Evaluation of analysed risks involves using the organization’s deciding processes to match the assessed level of risk for every risk with the pre-determined acceptance criteria so as to work out the Risk treatment options.

This final step of the Risk assessment verifies whether the risks that are analysed within the previous steps are often accepted consistent with the acceptance criteria defined under or need further treatment. The step in delivers information about the magnitude of the Risk but no immediate information about the urgency of implementing risk treatment options. counting on the circumstances during which risks occur, they will have different priorities for treatment. Therefore, the output of this step should be an inventory of risks in priority order. it’s useful to retain further information about these risks from the risk identification and risk analysis steps to support decisions for risk treatment.

ISO 27001 Requirements

Clause 4.2 Understanding the needs and expectations of interested parties 
Clause 4.4 Information security management system
Clause 4.3 Determining the scope of the information security management system
Clause 5.1 Leadership and commitment
Clause 5.2 Policy
Clause 5.3 Organizational roles, responsibilities and authorities 
Clause 6.1 Actions to address risks and opportunities
Clause 6.1.3 Information security risk treatment
Clause 6.2 Information security objectives & planning
Clause 7.1 Resources
Clause 7.2 Competence
Clause 7.3 Awareness
Clause 7.4 Communication
Clause 7.5 Documented information Implementation Guideline
Clause 8.1 Operational planning & control
Clause 8.2 Information security risk assessment
Clause 8.3 Information security risk treatment
Clause 9.1 Performance evaluation Monitoring, measurement, analysis & evaluation
Clause 9.2 Internal audit
Clause 9.3 Management review
Clause 10.1 Non conformity and corrective action
Clause 10.2 Continual Improvement  

ISO 27001 Annex A Controls

Annex A.5 Information Security Policies
Annex A.6 Organization of Information Security
Annex A.6.2 Mobile Devices and Teleworking
Annex A.7 Human Resource Security
Annex A.7.2 During Employment
Annex A.7.3 Termination and Change of Employment
Annex A.8 Asset Management
Annex A.8.1.3 Acceptable Use of Assets & A.8.1.4 Return of Assets
Annex A.8.2 Information Classification
Annex A.8.2.2 Labeling of Information & A.8.2.3 Handling of Assets
Annex A.8.3 Media Handling
Annex A.9 Access Control
Annex A.9.1.2 Access to Networks and Network Services
Annex A.9.2 User Access Management
Annex A.9.2.3 Management of Privileged Access Rights  
Annex A.9.2.4 Management of Secret Authentication Information of Users
Annex A.9.2.5 Review of User Access Rights 
Annex A.9.2.6 Removal or Adjustment of Access Rights
Annex A.9.3 User Responsibilities
Annex A.9.4 System and Application Access Control
Annex A.9.4.4 Use of Privileged Utility Programs 
Annex A.9.4.5 Access Control to Program Source Code
Annex A.10 Cryptography
Annex A.11 Physical and Environmental Security
Annex A.11.2 Equipment
Annex A.11.1.3 Securing Offices, Rooms and Facilities
Annex A.11.1.4 Protecting Against External and Environmental Threats
Annex A.11.1.5 Working in Secure Areas
Annex A.11.1.6 Delivery and Loading Areas
Annex A.11.2.4 Equipment Maintenance
Annex A.11.2.5 Removal of Assets
Annex A.11.2.6 Security of Kit and Assets Off-Premises
Annex A.11.2.7 Secure Disposal or Re-use of Equipment
Annex A.11.2.8 Unattended User Equipment
Annex A.11.2.9 Clear Desk and Clear Screen Policy
Annex A.12 Operations Security
Annex A.12.2 Protection from Malware
Annex A.12.3 Backup
Annex A.12.4 Logging and Monitoring
Annex A.12.5 Control of Operational Software
Annex A.12.6 Technical Vulnerability Management
Annex A.12.7 Information Systems Audit Considerations
Annex A.13 Communications Security
Annex A.13.2 Information Transfer
Annex A.13.2.3 Electronic Messaging
Annex A.13.2.4 Confidentiality or Non-Disclosure Agreements
Annex 14 System Acquisition, Development and Maintenance
Annex A.14.1.2 Securing Application Services on Public Networks
Annex A.14.1.3 Protecting Application Services Transactions
Annex A.14.2 Security in Development and Support Processes
Annex A.14.2.3 Technical Review of Applications after Operating Platform Changes
Annex A.14.2.4 Restrictions on Changes to Software Packages
Annex A.14.2.5 Secure System Engineering Principles
Annex A.14.2.6 Secure Development Environment
Annex A.14.2.7 Outsourced Development
Annex A.14.2.8 System Security Testing
Annex A.14.2.9 System Acceptance Testing
Annex A.14.3 Test data
Annex A.15 Supplier Relationships
Annex A.15.1.2 Addressing Security Within Supplier Agreements
Annex A.15.1.3 Information and Communication Technology Supply Chain
Annex A.15.2 Supplier Service Delivery Management
Annex A.16 Information Security Incident Management
Annex A.16.1.2 Reporting Information Security Events
Annex A.16.1.3 Reporting Information Security Weaknesses
Annex A.16.1.4 Assessment of and Decision on Information Security Events
Annex A.16.1.5 Response to Information Security Incidents
Annex A.16.1.6 Learning from Information Security Incidents
Annex A.16.1.7 Collection of Evidence
Annex A.17 Information Security Aspects of Business Continuity Management
Annex A.17.1.3 Verify, Review and Evaluate Information Security Continuity
Annex A.18 Compliance
Annex A.18.1.3 Protection of Records
Annex A.18.1.4 Privacy and Protection of Personally Identifiable Information
Annex A.18.1.5 Regulation of Cryptographic Controls
Annex 18.2 Information Security Reviews

About ISO 27002

This Blog Article is posted by

Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092

Contact us –

Leave a Comment

Your email address will not be published. Required fields are marked *