Information security risk management is the set of actions an organization takes to understand the risks it faces and to reduce their effects to a level it can accept.
Clause 6.1 of ISO 27001 ("Actions to address risks and opportunities") covers how the organization identifies threats and vulnerabilities, estimates the resulting risk levels, and plans and follows up the actions that prevent or reduce their impact.

First of all, this clause of ISO 27001 is more elaborate than the other clauses, mainly because it is central to the Information Security Management System (ISMS) implementation project.
It is central because it is where we identify the assets, risks and threats that could prevent our company from continuing to perform well and achieving its objectives.
Clause 6.1.1 – General
The first clause, number 6.1.1, offers us a guide to judging our risk management practices according to very precise criteria.
The organization must have documented a risk analysis method.
A review of the risk management method should identify the following items, which represent the success criteria of a good risk analysis method.
So our method must:
- Facilitate the achievement of the ISMS objectives.
- Prevent or reduce the undesired effects of risks.
- Promote and facilitate continual improvement.
- Integrate into the organization’s security program and ISMS processes.
- Provide the means to assess the effectiveness of our risk responses.
- Be repeatable, so that two assessments of the same situation produce consistent, comparable results.
Clause 6.1.2 – Assessment of information security risks
Clause 6.1.2 of ISO 27001 requires the organization to assess information security risks using defined and documented criteria (risk acceptance criteria and criteria for performing the assessments).
The purpose of this clause is to enable the organization to **identify** and **prioritize** information security risks in order to determine the appropriate security measures to implement.
Where do threats and vulnerabilities come from?
A risk analysis begins with an analysis of the threats to our organization and the vulnerabilities we face.
The relationship between a threat and a vulnerability is that the threat exploits the vulnerability to cause damage or loss.
In other words, a vulnerability represents an “opening” that a threat can use to attack a system.
In effective risk management, the aim is to understand and manage both threats (e.g. by implementing security measures to deter them) and vulnerabilities (e.g. by correcting or mitigating them).
- Threat: A threat is something that could cause damage to an information system. Threats can come from a variety of sources, including malicious attackers, human error, natural disasters, or technical failures. Threats can be intentional (such as a hacker attempting to penetrate a system) or unintentional (such as an employee accidentally deleting important data).
- Vulnerability: A vulnerability is a weakness in an information system that could be exploited by a threat. For example, software that has not been updated and contains known security flaws is a vulnerability. Similarly, the absence of appropriate password policies or security awareness training for employees can also be considered a vulnerability.
So our first step would be to obtain this information, and there are several sources available:
- Taking into account the security issues identified in the organization’s context (see clause 4).
- By carrying out a security audit or test to determine the organization’s vulnerabilities.
- Determine what could go wrong with our assets and systems.
- Analysis of the market and our industry, there may be trends or events specific to the sector.
- Threat monitoring through security bulletins, analyst reports and specialized forums.
- Training and raising employee awareness not only helps to prevent certain threats, but also to obtain information from them about the organization’s vulnerabilities and weaknesses.
Example of vulnerability
- Software not updated: Operating systems, applications and firmware that have not been updated may contain known security vulnerabilities.
- Poor security configurations: These can include badly configured servers, firewalls with overly permissive rules, user accounts with excessive privileges or unnecessary services that are left running.
- Lack of security awareness: Employees who are not properly trained in basic security practices may be vulnerable to phishing, install malware or accidentally compromise corporate security.
- Use of weak or compromised passwords: User accounts with easily guessed, reused or previously compromised passwords are an easy target for attackers.
- Lack of access controls: If access to systems and data is not properly controlled, sensitive information can be exposed to unauthorized parties, including attackers.
Example of a threat
- Phishing attacks: These are attempts to obtain sensitive information, such as login credentials or credit card information, by posing as a trusted entity in an electronic communication.
- Ransomware: A type of malware that encrypts a user’s data and then demands a ransom in exchange for the decryption key.
- Brute-force attacks: these consist of trying out numerous password combinations in order to correctly guess a password.
- Social engineering attacks: these manipulate people into giving access to sensitive information or secure systems. This can be achieved through deception, manipulation or impersonation.
- Internal attacks: These come from people within the organization, such as employees, contractors or others with legitimate access to systems. These attacks can be intentional (e.g. espionage or data theft) or unintentional (e.g. errors or negligence).
Determining the overall risk of threats
For each risk scenario identified in the previous step (a threat exploiting a vulnerability on a given asset), we determine its overall risk level.
The overall level of risk can be measured with the following formula:
Overall risk = Impact x Probability
So, to determine the risk, we need to determine the value of the impact and the probability that the threat will occur.
Determining our risk assessment approach
There are several approaches to risk assessment, which can be qualitative, semi-quantitative or quantitative, and the organization must determine in its documentation which approach it intends to use so that the method is repeatable.
- Qualitative approach: Risks are classified according to qualitative descriptors, such as low, medium, high. This approach is often used when data is limited or when risks are difficult to quantify.
- Semi-quantitative approach: This approach uses a combination of qualitative descriptions and numerical scores to assess risks. For example, probability and impact could each be rated “low” (1), “medium” (2) or “high” (3), and the two scores multiplied to obtain the overall risk.
- Quantitative approach: Risks are assessed in terms of specific numerical values. For example, risk could be expressed in terms of potential financial loss or system downtime. This generally requires more data and a more complex analysis.
Determine the probability
The probability of a risk is an assessment of the potential for an undesirable event to occur.
The exact method for determining probability levels may vary according to the type of risk, the industry, and the specific organizational context. Some organizations may use a quantitative scale (for example, a probability from 0 to 1, or a percentage from 0 to 100%), while others may prefer a qualitative or semi-quantitative scale.
Here’s an example of how an organization could define the probability levels of a risk on a qualitative scale:
- Very low: Unlikely to occur.
- Low: The risk could occur, but is unlikely.
- Moderate: There is a fair chance that the risk will occur.
- High: The risk is likely to occur.
- Very high: The risk is almost certain to occur.
Note that these levels are subjective and need to be adapted to the specific context of the organization. To be effective, probability assessment must be carried out by people with a good understanding of the risk and the context in which it occurs.
Impact
The impact of a risk refers to the severity of the consequences should the risk materialize. Impact assessment is an essential component of risk analysis, and can be qualitative, semi-quantitative or quantitative, depending on the context and requirements of the organization.
As with probability, impact levels can be defined in different ways. Here’s an example of how an organization might define the impact levels of a risk on a qualitative scale:
- Very low: The impact on the organization would be negligible or non-existent.
- Low: The impact would be minor, with few consequences for the organization’s operations, reputation or profitability.
- Moderate: The impact would be significant and could result in moderate disruption to operations or damage to the organization’s reputation.
- High: The impact would be significant, with serious consequences for the organization, such as major interruption of operations, significant damage to reputation or significant financial loss.
- Very high: The impact would be extreme and could threaten the viability of the organization.
It’s important to note that the impact of a risk can have several dimensions. For example, there may be an impact on finances, reputation, health and safety, regulatory compliance, and other areas. Impact assessment must take these dimensions into account.
Determine your risk tolerance
Risk appetite, often used interchangeably with risk tolerance (ISO 27001 refers to the risk acceptance criteria), is a measure of how much risk an organization is willing to accept in pursuit of its objectives.
Risk appetite can vary considerably from one organization to another. Some companies are more conservative and seek to minimize risk as much as possible, while others are more aggressive and willing to take greater risks in the hope of greater gains.
It is necessary for an organization to clearly define its risk appetite, as this helps guide decisions on how to manage risk.
For example, if a certain risk is above the organization’s risk appetite level, steps will need to be taken to reduce that risk.
Risk assessment
Risk assessment is the process by which an organization determines how serious a potential risk is. After the identification work described above, it comprises two main stages: risk analysis and risk evaluation.
- Risk analysis: Score each risk using the formula Overall risk = Probability x Impact, then rank the risks by score.
- Risk evaluation: The overall risk is compared with the risk acceptance threshold (the risk acceptance criteria) to decide whether the risk is acceptable or must be treated.
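The scoring, ranking and threshold comparison described in the preceding sections, as an added example that is not from the original article. The 1–5 scale, the acceptance threshold of 8 and the sample register (assets, threats, vulnerabilities and their ratings) are constructed for illustration; an organization must define and document its own scales and acceptance criteria. Note the tie-breaking rule: on a multiplicative scale, probability 4 / impact 2 and probability 2 / impact 4 both score 8, so ranking on score alone hides which of the two deserves attention first.

```python
"""Semi-quantitative risk analysis and evaluation against a risk acceptance threshold.

Added example, not from the original article. Scales, threshold and sample data
are assumptions; replace them with the organisation's documented criteria.
"""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Shared 1-5 scale for probability and impact, using the article's labels."""
    VERY_LOW = 1
    LOW = 2
    MODERATE = 3
    HIGH = 4
    VERY_HIGH = 5


# Assumed risk acceptance criterion: a score strictly above this must be treated.
RISK_ACCEPTANCE_THRESHOLD = 8


@dataclass(frozen=True)
class RiskScenario:
    asset: str
    threat: str
    vulnerability: str
    probability: Level
    impact: Level

    @property
    def score(self) -> int:
        # Overall risk = Impact x Probability (the article's formula)
        return int(self.impact) * int(self.probability)


def evaluate(scenario: RiskScenario, threshold: int = RISK_ACCEPTANCE_THRESHOLD) -> str:
    """Risk evaluation step: compare the analysed score with the acceptance criterion.
    A score equal to the threshold is still acceptable; only scores above it fail."""
    return "acceptable" if scenario.score <= threshold else "unacceptable"


def rank(scenarios: list[RiskScenario]) -> list[RiskScenario]:
    """Risk analysis step: order scenarios so the highest score is treated first.
    Ties are broken on impact, so a high-impact risk outranks a frequent but
    harmless one that happens to have the same product."""
    return sorted(scenarios, key=lambda s: (s.score, int(s.impact)), reverse=True)


# Constructed sample register (hypothetical assets and findings).
SAMPLE_REGISTER = [
    RiskScenario("customer DB", "ransomware", "unpatched OS on DB host",
                 Level.MODERATE, Level.VERY_HIGH),
    RiskScenario("VPN gateway", "brute-force login", "no MFA, weak password policy",
                 Level.HIGH, Level.HIGH),
    RiskScenario("marketing wiki", "phishing", "no awareness training",
                 Level.HIGH, Level.LOW),
    RiskScenario("office printer", "hardware failure", "no spare unit",
                 Level.MODERATE, Level.VERY_LOW),
]


def build_report(scenarios=SAMPLE_REGISTER, threshold=RISK_ACCEPTANCE_THRESHOLD):
    """Return one row per scenario, highest risk first, with the evaluation result."""
    return [
        {"asset": s.asset, "threat": s.threat, "score": s.score,
         "evaluation": evaluate(s, threshold)}
        for s in rank(scenarios)
    ]


if __name__ == "__main__":
    for row in build_report():
        print(f"{row['score']:>2}  {row['evaluation']:<12} {row['asset']} / {row['threat']}")
```

Running the script prints the register sorted by score; with the constructed data the VPN gateway (16) and customer DB (15) come out as unacceptable while the wiki (8, exactly on the threshold) and the printer (3) are acceptable. Multiplying two ordinal ratings is a convention, not arithmetic on real quantities, so the threshold and the tie-breaking rule must be written into the documented method for the assessment to be repeatable.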
Clause 6.1.3 – Dealing with information security risks
Clause 6.1.3 of ISO 27001 requires the organization to establish and implement a process for *treating* information security risks. This process must be based on the results of the information security risk assessment carried out in accordance with clause 6.1.2.
The risk treatment process must include the selection of a treatment option for each risk, such as accepting (retaining) the risk, reducing it with controls, sharing or transferring it, or avoiding it. The organization must select appropriate treatment measures on the basis of criteria such as cost, benefit and feasibility, and document them in a risk treatment plan approved by the risk owners.
Risk treatment plan
In the previous steps, the organization determined its threats, vulnerabilities and overall risks, and put these results in order.
These risks need to be managed. Each risk must be addressed in one of these ways:
**Accepting risk** means recognizing that a specific risk exists and deciding not to take specific measures to mitigate or transfer it.
Risk acceptance may be an appropriate option in several scenarios. For example, if the cost of implementing a control to mitigate the risk is greater than the potential impact of the risk itself, a company may choose to accept the risk. Furthermore, if a risk has a low probability of occurring and would have a minor impact if it did, an organization may also decide to accept the risk.
Accepted risks must be monitored periodically to ensure that their level remains acceptable to the organization.
When risks are accepted, they must be formally documented, usually in the organization’s risk register, and approved by management or another appropriate stakeholder.
**Eliminating (avoiding) risk** means taking action to remove a specific risk entirely. This usually involves removing the cause of the risk, or changing the process or activity that gives rise to it.
For example, if an organization identifies a risk associated with the use of a certain type of hardware or software, it may choose to eliminate that risk by ceasing to use that hardware or software.
Similarly, if a company identifies a risk associated with a certain business practice, it can choose to eliminate that risk by changing or discontinuing that practice.
**Reducing risk** means taking measures to reduce the probability of a risk occurring, or to reduce the potential impact if the risk does occur. The risk that remains after the measures are applied is the residual risk, and it must itself be compared with the acceptance threshold.
This is one of the key strategies for managing risk, and is often used when the risk is deemed too high to be acceptable in its current state.
The organization must determine the security controls needed to reduce the risk. Annex A of ISO 27001 is the reference set of controls used by most organizations: clause 6.1.3 requires the chosen controls to be compared with Annex A to verify that no necessary control has been overlooked, although Annex A is not an exhaustive list and controls from other sources may be added. (See Creating a Statement of Applicability below.)
**Transferring (sharing) risk** means shifting part of the responsibility or burden of a risk to another party. This does not eliminate the risk, but reduces the organization’s exposure to it.
The most common example of risk transfer is insurance. For example, a company may take out insurance against fire, flood or theft. If one of these events occurs, the insurance company will cover the costs, reducing the financial burden on the business.
Another example is outsourcing, where a company can transfer certain operational risks to an external service provider. For example, a company may choose to outsource the management of a data center.
The transfer of risk may entail other types of risk, such as the risk that the party to whom the risk is transferred may not be able to fulfill its obligations. Therefore, when transferring risk, it is important to ensure that the other party is able and willing to manage the risk properly.
Note that ignoring a risk is not a treatment option: the risk exists whether or not the organization acknowledges it, so every identified risk must be assigned one of the four options above.
Creating a Statement of Applicability
The Statement of Applicability (SoA) is a key document that lists which information security controls are applicable to the organization, justifies their inclusion (or exclusion) and states whether they are implemented.
ISO/IEC 27001:2022 includes an annex (Annex A) listing 93 reference controls, grouped into 4 themes (organizational, people, physical and technological). Not all of these controls are necessary or relevant for every organization; the organization must determine which apply to its particular situation and risks.
In the SoA, the organization documents this decision, explaining which controls have been selected and why. This usually includes:
- The controls selected for implementation, and the risks or requirements that justify them.
- The controls deemed unnecessary, and why.
- Whether each selected control is implemented, and how.
The Statement of Applicability must be approved by the organization’s management, demonstrating its commitment to information security. It is also an essential element of the ISO 27001 certification audit, and must be regularly reviewed and updated to reflect the organization’s changing context, requirements and risk environment.
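The link between the risk treatment plan and the SoA described above, as an added example that is not from the original article. The control identifiers and titles are a small subset of Annex A of ISO/IEC 27001:2022 (for example 8.8 "Management of technical vulnerabilities"); the risks, the chosen treatments, the residual estimates and the threshold of 8 are constructed for illustration. The `validate_plan` function shows the checks a reviewer makes before management signs the plan, and `statement_of_applicability` derives which controls are applicable from the risks that justify them, so that an exclusion with no justification is visible rather than silently dropped.

```python
"""Risk treatment plan with residual risk, and the Statement of Applicability derived from it.

Added example, not from the original article. ANNEX_A is a constructed subset of
ISO/IEC 27001:2022 Annex A; risk data, treatments and threshold are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

RISK_ACCEPTANCE_THRESHOLD = 8  # assumed: scores above this must be treated

ANNEX_A = {
    "5.7": "Threat intelligence",
    "5.17": "Authentication information",
    "6.3": "Information security awareness, education and training",
    "7.9": "Security of assets off-premises",
    "8.5": "Secure authentication",
    "8.8": "Management of technical vulnerabilities",
}

TREATMENTS = ("accept", "reduce", "transfer", "avoid")


@dataclass
class Risk:
    name: str
    probability: int                       # 1-5, before treatment
    impact: int                            # 1-5, before treatment
    treatment: str                         # one of TREATMENTS
    controls: list = field(default_factory=list)   # Annex A ids applied when reducing
    residual_probability: Optional[int] = None     # estimate after treatment (assumed)
    residual_impact: Optional[int] = None

    @property
    def inherent(self) -> int:
        return self.probability * self.impact

    @property
    def residual(self) -> int:
        """Risk remaining after the chosen treatment."""
        if self.treatment == "avoid":
            return 0                       # the activity is removed; no risk remains
        if self.treatment == "accept":
            return self.inherent           # nothing changes; the risk is retained
        if self.residual_probability is None or self.residual_impact is None:
            raise ValueError(f"{self.name}: '{self.treatment}' needs a residual estimate")
        return self.residual_probability * self.residual_impact


def validate_plan(risks, threshold=RISK_ACCEPTANCE_THRESHOLD):
    """Return the problems a reviewer would raise before management approves the plan."""
    problems = []
    for r in risks:
        if r.treatment not in TREATMENTS:
            problems.append(f"{r.name}: unknown treatment '{r.treatment}'")
            continue
        if r.treatment == "reduce" and not r.controls:
            problems.append(f"{r.name}: 'reduce' chosen but no controls listed")
        if r.treatment == "accept" and r.inherent > threshold:
            problems.append(f"{r.name}: accepted above threshold ({r.inherent} > {threshold}); "
                            "needs explicit management sign-off")
        if r.treatment in ("reduce", "transfer") and r.residual > threshold:
            problems.append(f"{r.name}: residual risk {r.residual} still above threshold")
        for cid in r.controls:
            if cid not in ANNEX_A:
                problems.append(f"{r.name}: control id {cid} not found in Annex A")
    return problems


def statement_of_applicability(risks):
    """Map every Annex A control to the risks that justify it. A control no risk
    refers to is marked not applicable, with the justification left to be written."""
    soa = {}
    for cid, title in ANNEX_A.items():
        justified_by = sorted(r.name for r in risks if cid in r.controls)
        soa[cid] = {
            "title": title,
            "applicable": bool(justified_by),
            "justification": ", ".join(justified_by) if justified_by
                             else "no treated risk requires it; document why",
        }
    return soa


# Constructed treatment plan (hypothetical risks and residual estimates).
SAMPLE_PLAN = [
    Risk("ransomware on unpatched DB host", 3, 5, "reduce",
         controls=["8.8", "5.7"], residual_probability=1, residual_impact=5),
    Risk("brute-force on VPN without MFA", 4, 4, "reduce",
         controls=["8.5", "5.17"], residual_probability=1, residual_impact=4),
    Risk("phishing of marketing staff", 4, 2, "accept"),
    Risk("laptop theft during travel", 2, 3, "transfer",   # insurance covers replacement
         residual_probability=2, residual_impact=1),
    Risk("legacy FTP upload service", 3, 3, "avoid"),
]

if __name__ == "__main__":
    for p in validate_plan(SAMPLE_PLAN) or ["plan has no open issues"]:
        print(p)
    for cid, row in statement_of_applicability(SAMPLE_PLAN).items():
        print(f"{cid:<5} {'yes' if row['applicable'] else 'no ':<3} {row['title']}: {row['justification']}")
```

With the constructed plan, the two reduced risks fall from 15 and 16 to 5 and 4, the accepted phishing risk stays at 8 (on the threshold, so it passes without escalation), and controls 6.3 and 7.9 come out as not applicable with a placeholder justification that an auditor will expect to see completed. Tracking residual risk per treated risk is what makes the "accepted risks must be monitored" requirement testable at the next review.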
Risk analysis method summary
ISO 27005 provides guidance on information security risk management that fits clause 6.1. Its method comprises the following high-level steps:
- Context establishment: this defines the framework for the risk assessment, including its objectives, its scope and the risk criteria (acceptance criteria and evaluation scales).
- **Asset identification**: this stage involves identifying the organization’s relevant information assets, such as data, systems, processes and people.
- **Threat identification**: this involves identifying potential events that could cause damage to these assets, such as cyber attacks, human error or natural disasters.
- **Vulnerability identification**: this stage involves identifying weaknesses in information assets that could be exploited by the identified threats.
- **Risk analysis**: this involves estimating the probability and the severity of each risk based on the identified threats and vulnerabilities.
- **Risk evaluation**: this stage involves ranking the identified risks according to their level, comparing them with the risk acceptance criteria and deciding which need treatment.
- **Risk treatment**: this involves selecting and implementing appropriate security measures to deal with the identified risks, such as security policies, technical controls or operational procedures.
- Monitoring and review: this stage involves regularly monitoring and reviewing the security measures in place to ensure their ongoing effectiveness, and identifying changes in the organization’s environment that could affect information security risks.
Success criteria
In order to determine whether we have complied with clause 6.1 of ISO 27001, here are a few questions an auditor might ask:
- How do you identify information security risks? What criteria are used to determine which risks need to be assessed?
- How do you assess the potential impact and probability of occurrence of identified risks? Do you have a defined risk assessment process?
- How do you decide on the appropriate measures to deal with risks? Can you show examples of risks that you have decided to accept, reduce, transfer or eliminate?
- Can you present your Statement of Applicability (SoA)? How did you decide which controls were appropriate for each risk? Can you explain why certain controls were not deemed necessary?
- How do you regularly monitor and review risks? Do you have examples of risks that you have reassessed following changes in the organization’s environment?
- How is management involved in the risk management process?
- Can you present the documents, methods and results that demonstrate that you have implemented a risk management process, including the identification, assessment, treatment and review of risks?