Within the context of ISO 27001, risk comes up as a topic all over the place. The standard itself, as most ISO standards do nowadays, proclaims itself to be risk-driven. But what does this come down to? Not surprisingly, it is more than just having a workshop about “our risks and what to do about them”.
Let’s look into the subject of risk from a practical viewpoint.
Risk management - practical steps
1. Risk appetite
2. Security objectives
3. Risk register
You start your risk register by simply listing a long list of risks. Yes, ChatGPT can assist you in generating a very long list indeed, and if you choose to go down that path, remember that you will then face a very long list to process down the line. Live and learn. Anyway, when you initialize the risk register, start by listing the risks – don’t worry about owners, action plans or impacts and probabilities just yet.
4. Risk methodology
5. Risk assessment
6. SoA - Statement of Applicability
As you have now touched on the topic of ISO 27002, it is good to realize that this is also the first step in prioritizing how much work should be put into each control. Controls related to risks (and thus also enabling the achievement of your objectives) are of course the most important ones. If you have already started to approach ISO 27002 in a “top-to-bottom” manner, working through the control list in order, please stop now.
Of course, your objectives are most likely related to your assets – and so will your risks be. This is a good time to also map out which assets are the most risky ones in your company. Again, apply controls in your SoA to the assets as well. You may want to go back to the risk register and link the most important assets to your risks while you are at it.
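The linkage described in steps 3 and 6 (risks on one side, controls and assets on the other) is easy to keep in a small register and turn into priorities. The following is an added example, not code or a template from the original post: a risk register whose entries point at the assets they threaten and the SoA controls that treat them, with helpers that rank controls and assets by the risk they carry, derive an SoA justification per control, and list register entries still missing a control, an owner or a score. The impact × probability scoring and the mapping of specific ISO 27002:2022 control numbers to the sample risks are this example's assumptions; the post's own risk methodology (step 4) is not specified here.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Risk:
    rid: str
    description: str
    assets: List[str] = field(default_factory=list)    # assets this risk threatens
    controls: List[str] = field(default_factory=list)  # SoA control ids that treat it
    impact: int = 0        # 1..5, stays 0 until the risk assessment step
    probability: int = 0   # 1..5, stays 0 until the risk assessment step
    owner: str = ""

    def score(self) -> int:
        # Assumed methodology for this example: impact x probability.
        return self.impact * self.probability


# Constructed sample register. Control ids follow ISO 27002:2022 numbering;
# which control treats which risk is this example's own assumption.
REGISTER: List[Risk] = [
    Risk("R1", "Ransomware encrypts file servers", ["File server", "Backups"],
         ["A.8.7", "A.8.13"], impact=5, probability=3, owner="IT"),
    Risk("R2", "Customer data leaks via lost laptop", ["Laptops", "Customer DB"],
         ["A.8.1", "A.8.24"], impact=4, probability=4, owner="CISO"),
    Risk("R3", "Critical SaaS vendor outage", ["SaaS CRM"],
         ["A.5.19"], impact=3, probability=2, owner="Procurement"),
    Risk("R4", "Unpatched customer portal", ["Customer portal"],
         [], impact=4, probability=3),                       # no control, no owner yet
    Risk("R5", "Misuse of privileged accounts", ["Customer DB"],
         ["A.8.2"], owner="DBA"),                            # listed, not yet scored
]


def control_priority(register: List[Risk]) -> List[Tuple[str, int]]:
    """Total score of the risks each control treats, highest first.
    Controls not linked to any risk never appear: they are the secondary ones."""
    totals: Dict[str, int] = defaultdict(int)
    for r in register:
        for c in r.controls:
            totals[c] += r.score()
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


def asset_ranking(register: List[Risk]) -> List[Tuple[str, int]]:
    """Total score of the risks touching each asset, highest first."""
    totals: Dict[str, int] = defaultdict(int)
    for r in register:
        for a in r.assets:
            totals[a] += r.score()
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


def soa_justification(register: List[Risk]) -> Dict[str, List[str]]:
    """Per control, the risk ids that justify marking it applicable in the SoA."""
    just: Dict[str, List[str]] = defaultdict(list)
    for r in register:
        for c in r.controls:
            just[c].append(r.rid)
    return dict(just)


def register_gaps(register: List[Risk]) -> Dict[str, List[str]]:
    """Entries still incomplete after the initial listing: untreated, unowned, unscored."""
    gaps: Dict[str, List[str]] = {"no_control": [], "no_owner": [], "not_scored": []}
    for r in register:
        if not r.controls:
            gaps["no_control"].append(r.rid)
        if not r.owner:
            gaps["no_owner"].append(r.rid)
        if r.score() == 0:
            gaps["not_scored"].append(r.rid)
    return gaps


if __name__ == "__main__":
    print("Control priority:", control_priority(REGISTER))
    print("Riskiest assets:", asset_ranking(REGISTER))
    print("SoA justification:", soa_justification(REGISTER))
    print("Register gaps:", register_gaps(REGISTER))
```

Running the script shows controls A.8.1 and A.8.24 at the top (they treat the highest-scoring risk), "Customer DB" and "Laptops" as the riskiest assets, and R4 flagged as both untreated and unowned while R5 is flagged as not yet scored, which is exactly the list of things to go back to the register for.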
So what have we achieved? We have a holistic approach to risk management, where you can now see that your identified risks and the way you want to mitigate them actually act as drivers for the management system, its objectives and its goals. Risk will drive all your activities. This approach will most likely also keep you from spending precious resources on things that are secondary in nature. In addition, your SoA has become a very practical governance tool.
And now, it all makes sense.