TL;DR
This guide shows you how to do a risk assessment for ISO 27001 using your business processes. It’s about finding what could go wrong, how bad it would be, and what you can do about it – all linked to the things your company actually *does*.
Step-by-step Guide
- Identify Your Business Processes:
- Start big. Think of core areas like Sales, Marketing, Finance, HR, IT Support, Operations, etc.
- Break these down into smaller processes. For example, ‘Finance’ becomes ‘Invoice Processing’, ‘Expense Claims’, ‘Payroll’. Aim for processes that have clear inputs and outputs.
- Document each process – a simple flowchart or written description is fine.
- Asset Identification:
- For *each* business process, list the assets involved. Assets are anything valuable to your company. Examples:
- Information: Customer data, financial records, intellectual property
- Systems: Servers, laptops, software applications
- Physical: Buildings, equipment
- People: Skills and knowledge
- Threat Identification:
- For each asset in each process, brainstorm potential threats. What could harm it? Examples:
- Malware
- Data breaches
- Hardware failure
- Human error
- Natural disasters
- Insider threats
- Vulnerability Identification:
- For each threat, identify vulnerabilities. What weaknesses make the asset susceptible? Examples:
- Outdated software
- Weak passwords
- Lack of backups
- Poor physical security
- Insufficient staff training
- Likelihood Assessment:
- For each threat/vulnerability pair, estimate the *likelihood* of it happening. Use a simple scale:
- Low: Unlikely to occur
- Medium: Possible to occur
- High: Likely to occur
- Impact Assessment:
- For each threat/vulnerability pair, estimate the *impact* if it happened. Use a simple scale:
- Low: Minor disruption
- Medium: Significant disruption, some financial loss
- High: Major disruption, significant financial loss, reputational damage
- Risk Calculation:
- Calculate the risk level. A simple method is:
Risk = Likelihood x Impact - Create a risk matrix to visualise this (example):
Low Impact Medium Impact High Impact Low Likelihood Low Risk Low-Medium Risk Medium Risk Medium Likelihood Low-Medium Risk Medium Risk High Risk High Likelihood Medium Risk High Risk Very High Risk - Risk Treatment:
- For each risk, decide what to do:
- Avoid: Stop the process. (Rarely practical)
- Transfer: Use insurance or outsourcing.
- Mitigate: Reduce likelihood *or* impact with controls. This is most common.
- Implement stronger passwords
- Install firewalls and antivirus software
- Train staff on security awareness
- Create regular backups
- Accept: Do nothing (only for low risks).
- Document Your Findings:
- Keep a Risk Register. This should include:
- Process name
- Asset
- Threat
- Vulnerability
- Likelihood
- Impact
- Risk Level
- Treatment plan
- Owner (who is responsible for the treatment)
- Review and Update:
- Risk assessments aren’t one-off tasks. Review them regularly (at least annually, or when significant changes occur).