We attribute a risk value to each type of information processed by the company. The risk depends on the probability of a negative event occurring and on the economic value that the company attributes to the information exposed to that event.
Proceeding as illustrated below, you will be able to carry out the information security risk assessment in a scientific manner, and to document simply and concisely the risk levels for information alongside the business processes that handle it.
The path we suggest is the following:
- Divide the processes into categories (according to the importance of the information processed)
- Identify the threats to the information present in the processes (context analysis is essential)
- Determine the value of the risks of loss of confidentiality, integrity and availability of the information present in the processes
As regards the first point, in the example below the company has divided its business processes into three categories:
- Primary processes: those that characterize the organization's typical (business) activity and govern the operational activities related to service provision and production
- Support processes: those that allow the activities of the information security management system to be managed
- Security processes: those that allow security controls to be applied to processes, information and assets
Probability of the event occurring, possible values: 1, 2, 3, 4 (unlikely, occasional, probable, very probable)
Consequence and extent of the damage resulting from the event, possible values: 1, 2, 3, 4 (mild, medium, severe, very serious)
Risk: up to and including 3: low; 4 to 8 inclusive: medium; 9 to 16 inclusive: high
Acceptability: up to 3 inclusive (if greater than 3, the application of additional controls is required)
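The scoring scheme above, worked through as an added example (not part of the original text): it assumes risk = probability × consequence, which is what the 1 to 16 range implies, and uses a small constructed register of hypothetical processes split into the three categories.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Scales from the text: probability 1-4, consequence 1-4.
PROBABILITY = {1: "unlikely", 2: "occasional", 3: "probable", 4: "very probable"}
CONSEQUENCE = {1: "mild", 2: "medium", 3: "severe", 4: "very serious"}
ACCEPTABLE_MAX = 3  # a risk above 3 requires additional controls


def risk_value(probability: int, consequence: int) -> int:
    """Risk score = probability x consequence (assumed; yields the 1..16 range)."""
    if probability not in PROBABILITY or consequence not in CONSEQUENCE:
        raise ValueError("probability and consequence must be integers 1..4")
    return probability * consequence


def risk_level(value: int) -> str:
    """Map a 1..16 score onto the three bands given in the text."""
    if value <= 3:
        return "low"
    if value <= 8:
        return "medium"
    return "high"


def is_acceptable(value: int) -> bool:
    return value <= ACCEPTABLE_MAX


@dataclass
class ProcessAssessment:
    name: str
    category: str  # "primary", "support" or "security"
    # (probability, consequence) of losing each property of the information
    confidentiality: Tuple[int, int]
    integrity: Tuple[int, int]
    availability: Tuple[int, int]

    def assess(self) -> Dict[str, dict]:
        out = {}
        for prop in ("confidentiality", "integrity", "availability"):
            p, c = getattr(self, prop)
            v = risk_value(p, c)
            out[prop] = {"value": v, "level": risk_level(v),
                         "acceptable": is_acceptable(v), "controls_required": not is_acceptable(v)}
        return out


# Constructed sample register (hypothetical processes and scores, not from the page).
REGISTER = [
    ProcessAssessment("order fulfilment", "primary", (2, 4), (2, 3), (3, 3)),
    ProcessAssessment("ISMS document control", "support", (1, 2), (1, 3), (1, 3)),
    ProcessAssessment("access provisioning", "security", (3, 4), (2, 4), (1, 2)),
]


def processes_needing_controls(register: List[ProcessAssessment]) -> List[str]:
    """Names of processes where any C/I/A risk exceeds the acceptability threshold."""
    return [a.name for a in register if any(r["controls_required"] for r in a.assess().values())]
```

Running the register through `processes_needing_controls` flags the two processes whose scores exceed 3 on at least one property; the support process stays within the acceptable band on all three.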
To this assessment of the risks present in the primary processes must be added the one relating to the risks present in the support processes and in the security processes.
To control the risks identified, the organization will apply the controls listed in Annex A of the ISO 27001:2017 standard through management procedures and security procedures.