ISO 27001 Risk Assessment: A Business Process Approach

TL;DR

This guide shows you how to do a risk assessment for ISO 27001 using your business processes. It’s about finding what could go wrong, how bad it would be, and what you can do about it – all linked to the things your company actually *does*.

Step-by-step Guide

1. Identify Your Business Processes:

• Start big. Think of core areas like Sales, Marketing, Finance, HR, IT Support, Operations, etc.
• Break these down into smaller processes. For example, ‘Finance’ becomes ‘Invoice Processing’, ‘Expense Claims’, ‘Payroll’. Aim for processes that have clear inputs and outputs.
• Document each process – a simple flowchart or written description is fine.

Asset Identification:

• For *each* business process, list the assets involved. Assets are anything valuable to your company. Examples:
  • Information: Customer data, financial records, intellectual property
  • Systems: Servers, laptops, software applications
  • Physical: Buildings, equipment
  • People: Skills and knowledge

Threat Identification:

• For each asset in each process, brainstorm potential threats. What could harm it? Examples:
  • Malware
  • Data breaches
  • Hardware failure
  • Human error
  • Natural disasters
  • Insider threats

Vulnerability Identification:

• For each threat, identify vulnerabilities. What weaknesses make the asset susceptible? Examples:
  • Outdated software
  • Weak passwords
  • Lack of backups
  • Poor physical security
  • Insufficient staff training

Likelihood Assessment:

• For each threat/vulnerability pair, estimate the *likelihood* of it happening. Use a simple scale:
  • Low: Unlikely to occur
  • Medium: Possible to occur
  • High: Likely to occur

Impact Assessment:

• For each threat/vulnerability pair, estimate the *impact* if it happened. Use a simple scale:
  • Low: Minor disruption
  • Medium: Significant disruption, some financial loss
  • High: Major disruption, significant financial loss, reputational damage

Risk Calculation:

• Calculate the risk level. A simple method is:

  Risk = Likelihood x Impact

• Create a risk matrix to visualise this (example):
  

  	Low Impact	Medium Impact	High Impact
  Low Likelihood	Low Risk	Low-Medium Risk	Medium Risk
  Medium Likelihood	Low-Medium Risk	Medium Risk	High Risk
  High Likelihood	Medium Risk	High Risk	Very High Risk

Risk Treatment:

• For each risk, decide what to do:
  • Avoid: Stop the process. (Rarely practical)
  • Transfer: Use insurance or outsourcing.
  • Mitigate: Reduce likelihood *or* impact with controls. This is most common.
    • Implement stronger passwords
    • Install firewalls and antivirus software
    • Train staff on security awareness
    • Create regular backups
  • Accept: Do nothing (only for low risks).

Document Your Findings:

• Keep a Risk Register. This should include:
  • Process name
  • Asset
  • Threat
  • Vulnerability
  • Likelihood
  • Impact
  • Risk Level
  • Treatment plan
  • Owner (who is responsible for the treatment)

Review and Update:

• Risk assessments aren’t one-off tasks. Review them regularly (at least annually, or when significant changes occur).