ISO/IEC 27001:2013, Risk Assessment and Risk Treatment (in Brief)

Risk assessment and risk treatment sit at the core of the ISMS, and both must be documented. The documented risk register is what shows where the organisation is strong and where it is exposed, in terms of the risks it actually manages rather than the ones it assumes it has.

There are six steps to risk management:

  1. Define the methodology (quantitative vs. qualitative), the scoring scale and the risk acceptance criteria. Ensure it is relevant to the corporate context and is applied consistently, so that repeated assessments produce comparable results.

  2. Implementation (assessment):

    1. Identify assets (and their owners).

    2. Identify the threats to those assets.

    3. Identify the vulnerabilities those threats could exploit.

    4. Assess the impact if a threat is realised.

    5. Assess the likelihood of it being realised.

    6. Analyse (typically likelihood x impact), evaluate against the risk acceptance criteria, and prioritise according to corporate risk appetite.

  3. Implement treatment, choosing one option per risk:

    1. Prioritise, starting with the risks furthest above appetite.

    2. Treat (modify): reduce likelihood or impact by applying controls. Compare the selected controls against Annex A to check that no necessary control has been overlooked.

    3. Transfer (share): e.g. insurance or outsourcing. Accountability for the risk remains with the organisation.

    4. Terminate (avoid): stop the activity that gives rise to the risk.

    5. Tolerate (retain): accept the residual risk, with the risk owner's documented approval.

    6. Re-score the residual risk after treatment. Anything still above appetite goes round the loop again or is formally accepted by the risk owner.

  4. Risk assessment report: records the methodology, the register of identified risks with their scores, and the evaluation of each against the acceptance criteria.

  5. Statement of Applicability:

    1. Lists every control considered (at minimum all of Annex A) and whether it applies, which gives a picture of the corporate risk profile.

    2. Justifies each inclusion and each exclusion of a control, and records whether the control is implemented.

    3. Key document for the auditor, who will trace from risk to control to evidence of implementation.

  6. Risk Treatment Plan. Attributes:

    1. Control definition (what will be implemented, and for which risk).

    2. Ownership (the risk owner, who approves the plan and accepts the residual risk).

    3. Implementation timescales.

    4. Measure of outcome (how success or failure will be judged, e.g. the target residual score).
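The following is an added worked example, not part of the original page: a minimal quantitative risk register that walks through steps 2 to 6 above (assess, prioritise against appetite, record a treatment option, re-score the residual risk, and derive the Statement of Applicability and the Risk Treatment Plan from the same data). The assets, threats, the 5x5 scoring scale, the appetite threshold and the mapping of risks to Annex A controls are all constructed assumptions for illustration.

```python
# Added example, not from the page: a small quantitative risk register covering
# steps 2-6 of the outline. Scale, appetite, assets and control mapping are
# constructed assumptions.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SCALE = range(1, 6)      # assumption: 1 (lowest) .. 5 (highest) for likelihood and impact
RISK_APPETITE = 8        # assumption: a score above this must be treated, not tolerated
OPTIONS = ("treat", "transfer", "terminate", "tolerate")

# A few real ISO/IEC 27001:2013 Annex A control titles; the selection is illustrative.
CATALOGUE = ["A.9.4.2 Secure log-on procedures", "A.12.3.1 Information backup",
             "A.12.6.1 Management of technical vulnerabilities", "A.13.1.1 Network controls"]

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    treatment: str = "tolerate"
    controls: List[str] = field(default_factory=list)
    owner: str = ""
    due: str = ""
    residual: Optional[Tuple[int, int]] = None   # (likelihood, impact) after treatment

    def __post_init__(self):
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.asset}: scores must be within {list(SCALE)}")

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        if self.residual is None:            # untreated: residual equals inherent
            return self.inherent_score()
        return self.residual[0] * self.residual[1]

def prioritise(risks, appetite=RISK_APPETITE):
    """Step 2.6: the risks above appetite, highest inherent score first."""
    return sorted((r for r in risks if r.inherent_score() > appetite),
                  key=lambda r: r.inherent_score(), reverse=True)

def treat(risk, option, controls=(), owner="", due="", residual=None):
    """Step 3: record the chosen option. 'treat' requires controls and a residual
    estimate; 'terminate' removes the exposure, so residual is the floor (1, 1)."""
    if option not in OPTIONS:
        raise ValueError(f"unknown treatment option {option!r}")
    if option == "treat" and (not controls or residual is None):
        raise ValueError("'treat' needs controls and a residual (likelihood, impact)")
    risk.treatment, risk.controls = option, list(controls)
    risk.owner, risk.due = owner, due
    risk.residual = (1, 1) if option == "terminate" else residual
    return risk

def unresolved(risks, appetite=RISK_APPETITE):
    """Risks whose residual is still above appetite: back to step 3 or formal acceptance."""
    return [r for r in risks if r.residual_score() > appetite]

def statement_of_applicability(risks, catalogue=CATALOGUE):
    """Step 5: every catalogue control with applicability and a justification."""
    used = {c: [] for c in catalogue}
    for r in risks:
        for c in r.controls:
            used.setdefault(c, []).append(r.asset)
    return {c: ("applicable", "treats risk to " + ", ".join(assets)) if assets
            else ("excluded", "not required by any treated risk")
            for c, assets in used.items()}

def treatment_plan(risks, appetite=RISK_APPETITE):
    """Step 6: one row per treated risk with control, owner, timescale and measure."""
    return [{"asset": r.asset, "option": r.treatment, "controls": r.controls,
             "owner": r.owner, "due": r.due, "target_residual": r.residual_score(),
             "measure": f"residual score <= {appetite}"}
            for r in risks if r.treatment != "tolerate"]

def build_register():
    """Constructed sample register (assumed data), assessed and treated."""
    risks = [
        Risk("customer database", "ransomware", "no tested backups", likelihood=4, impact=5),
        Risk("VPN gateway", "credential stuffing", "single-factor login", likelihood=3, impact=4),
        Risk("marketing website", "defacement", "unpatched CMS", likelihood=3, impact=2),
    ]
    for r in prioritise(risks):              # only the risks above appetite get treated
        if r.asset == "customer database":
            treat(r, "treat", ["A.12.3.1 Information backup"],
                  owner="Head of IT", due="Q2", residual=(2, 3))
        elif r.asset == "VPN gateway":
            treat(r, "treat", ["A.9.4.2 Secure log-on procedures"],
                  owner="Security lead", due="Q1", residual=(1, 4))
    return risks

if __name__ == "__main__":
    register = build_register()
    for r in register:
        print(f"{r.asset:18} inherent={r.inherent_score():2} residual={r.residual_score():2} {r.treatment}")
    print("still above appetite:", [r.asset for r in unresolved(register)])
    for control, (status, why) in statement_of_applicability(register).items():
        print(f"{control}: {status} ({why})")
    for row in treatment_plan(register):
        print(row)
```

The point of keeping the register, the SoA and the treatment plan as views over one data set is that the auditor's trace (risk, control, owner, measure) cannot drift apart; in practice the exclusion justifications in the SoA also need a human reason (for example "no wireless network in scope"), not only "no treated risk uses it".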
