If there’s one thing that all ISO management systems have in common, it’s the management of risk.
Whether it’s health and safety, quality, environmental management or - as in the case of ISO 27001 - information security, it’s all about making things go wrong less often than they otherwise would and, when they do go wrong, minimising the damage. Then, of course, applying the lessons learned. (We often refer to this approach as PDCA: Plan, Do, Check, Act.)
Since the ISO management system standards were re-written over the last decade or so to share a common high level structure (the so-called Annex SL structure), more emphasis has been placed on risk assessment.
Furthermore, in ISO 27001, clause 6.1.2 tells you that you must “define and apply” an information security risk assessment process. In other words, you need to come up with a way of assessing risk, then document it (so you can demonstrate your thinking to the auditor) and, most importantly of all, actually follow through with it. It’s not just a document you file away for when I or one of my colleagues turns up with a clipboard.
So, what is the best way of doing this? The ISO 27001 standard doesn’t tell you. ISO standards rarely tell you how to do things (it’s a common myth that ISO standards are prescriptive). What clause 6.1.2 does say is that your risk assessment process must “produce consistent, valid and comparable results”: two people assessing the same risk with your method should arrive at broadly the same answer, and the results for different risks should be comparable with each other. It’s the same philosophy that applies to all aspects of management systems.
The first thing to get out of the way is the idea that you can achieve perfection with your risk assessment. That’s just not going to happen and the auditor won’t mark you down for it. Whatever you do, there will be some sort of guess work (the “unknown unknowns”). Aiming for perfection can result, ironically, in unworkable systems that are so complex staff can’t follow them and you get worse outcomes.
There are a number of approaches to developing a risk assessment.
- Many organisations go for an off the shelf product. There's nothing wrong with many of these but often there’s a learning curve which the user doesn’t have the patience for.
- Sometimes, organisations ‘borrow’ a system off a ‘friend’. But the chances are the fit isn’t a good one and without understanding the basic thinking behind its design, you’re on to a loser before you even start.
- Often, the risk assessment is created in-house by a single member of staff. It’s right that you should have some sort of ‘driving force’ but ultimately risk is everyone’s problem and risk owners will have to sign off on residual risks. They can’t do that if no-one explains what they have signed off on. (And what if that individual then has the temerity to leave?)
So, what you need is something understandable that helps managers make reasonable, informed management decisions. That’s the aim; to identify problem areas and what you can do about them.
You don’t need to over-complicate this.
It could be that one of the above solutions suits your management approach and the needs of your system, but if it doesn’t, then try this:
- Get all the managers together and lock them in a room for a while and get them to shout at each other a bit. Come to some sort of consensus and then work from there.
I know that sounds a bit chaotic (and there’s a risk of violent injury...) so before you do that, one of the first things is to make sure everyone in that room understands the terminology your method uses.
It’s not uncommon for people to mix these terms up and get confused as to which is which, and a room full of people using the same word for different things won’t produce consistent or comparable results. I’m not going into the definitions here, but it’s important you do your homework on it.
You then need to decide what you’re aiming for. Perfect security is impossible. What are the most important things to your organisation? What is your risk appetite, and at what point will you accept a risk rather than treat it (the standard calls this your risk acceptance criteria, and expects you to write it down)? How much money do you have to spend? What resources do you have?
And don’t forget that information security is about CIA. That’s ‘Confidentiality’, ‘Integrity’ and ‘Availability’ of information. You need to include all three of those - they aren’t optional.
And a final tip: the risk assessment does not have to be numbers based. You don’t have to be a statistician to do this exercise. A simple High/Medium/Low scale for likelihood and impact is perfectly acceptable, provided you define what each level means and apply it the same way every time. I have seen good methods without numbers and bad ones with.
Ultimately, remember that the risk assessment is there as a tool to help you make decisions, not a stick to beat yourself with.