Expert Advice Community


Risk Assessment

Guest user Created:   Mar 15, 2018 Last commented:   Mar 15, 2018


Thanks for the previous feedback.  I have another question.  It is regarding the risk assessment.  This is the first risk assessment they are performing since beginning their journey towards ISO 27001 certification.  We are keeping the risk assessment at a higher level at this time.



Expert
Rhand Leal Mar 15, 2018

While the organization has a number of security controls in place, they have a significant lack of documented policies, standards, and processes/procedures. We are not specifically calling out in the risk assessment the lack of documentation, and maybe we should.

When completing the risk assessment, I believe we are closely following the advice from the videos and blogs on your site. For example, rather than listing out all of the assets during this initial risk assessment, we are grouping the assets into “asset categories” where very similar assets will have the same threat & vulnerability pairs. We are selecting 2 or 3 threats for each asset and 2 or 3 vulnerabilities that can act on each of those threats. Due to existing controls (while undocumented), the subject matter experts are categorizing many of the risks as acceptable (score of 0, 1, or 2) and only about 25 of the risks as unacceptable (score of 3 and 4).

When moving from the risk assessment to the risk treatment, I am a little confused. We intuitively know that the organization expects to have 107 of the 114 ISO 27001 controls in place when the project is complete. They are using many of those controls today. However, as I mentioned, the organization has a significant lack of documented policies, standards, and processes/procedures.

How do I create the association between the risk assessment and the controls selection when there are only about 25 risks being identified?  Should the risk assessment include a vulnerability like “inadequate documentation of policy, process, and standards”?  That would significantly increase the number of identified risks that need treatment, even if the treatment is simply creating the documentation around the controls.

Does there have to be a direct correlation between the risk assessment and all of the controls selected in the SOA?

If my email is confusing, perhaps we can have a conversation.

Answer: First you have to remember that to treat a risk you can use more than one control. In general, the controls are combined in this way:
- You establish policies, to define and formalize the rules and behaviors that are expected to be followed (e.g., information security policy, access control policy, backup policy, etc.)
- You establish procedural, physical, and technological controls to enforce the policies (e.g., incident management process, physical and logical perimeters, two-factor authentication for access control, etc.)

So, depending on the identified risks, you may have one or several controls associated with them, which may cover the 107 controls you are expecting. For example, for a risk of loss of data stored on servers due to a ransomware attack, you can consider the application of controls A.12.2.1 Controls against malware and A.12.3.1 Information backup.

Regarding the lack/inadequacy of documentation, you can consider it as a single systemic vulnerability (this way it will not greatly increase the number of risks to be treated) and consider, for the risks related to it, the application of controls A.5.1.1 Policies for information security and A.5.1.2 Review of the policies for information security.

Finally, the controls defined in the Risk Treatment, as well as those identified as implemented in the Risk Assessment, must be identified as applicable in the SoA. Additionally, some controls can be marked in the SoA as applicable even though they were not identified in risk treatment; in this case the reason for selection could be, e.g., “good practice”.

These articles will provide you further explanation about risk assessment and treatment:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

These materials will also help you regarding risk assessment and treatment:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
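The following is an added illustration of the traceability the answer describes, not code from the original thread or from Advisera: a small risk register is scored, the unacceptable risks (score above 2, using the thresholds from the question) are sent to treatment, the lack of documentation is modelled as one systemic vulnerability, and the Statement of Applicability is derived as the union of treatment controls, controls already found in place during assessment, and extra controls justified as "good practice". The risk entries, the scores, and the control ids A.11.1.1 and A.16.1.1 beyond those named in the answer are constructed sample data.

```python
"""Toy risk register -> risk treatment -> Statement of Applicability (SoA)."""
from dataclasses import dataclass

# Scores 0-2 are acceptable, 3-4 unacceptable (thresholds as stated in the question).
ACCEPTABLE_MAX_SCORE = 2

# The answer suggests treating missing documentation as a single systemic vulnerability.
SYSTEMIC_DOC_GAP = "Inadequate documentation of policies, processes and standards"


@dataclass(frozen=True)
class Risk:
    risk_id: str
    asset_category: str        # asset categories rather than individual assets
    threat: str
    vulnerability: str
    score: int                 # combined likelihood/impact score, 0-4
    treatment: tuple = ()      # Annex A controls chosen in risk treatment
    existing: tuple = ()       # controls already in place, noted during assessment

    def is_acceptable(self, threshold=ACCEPTABLE_MAX_SCORE):
        return self.score <= threshold


# Constructed sample register (not the asker's real data).
RISKS = [
    Risk("R1", "Servers", "Ransomware attack", "Missing malware protection on some hosts",
         4, treatment=("A.12.2.1", "A.12.3.1")),
    Risk("R2", "Servers", "Ransomware attack", "Backups never restore-tested",
         3, treatment=("A.12.3.1",)),
    Risk("R3", "All asset categories", "Inconsistent handling by staff", SYSTEMIC_DOC_GAP,
         3, treatment=("A.5.1.1", "A.5.1.2")),
    # Acceptable risk: no treatment, but the existing control must still appear in the SoA.
    Risk("R4", "Server room", "Unauthorized physical access", "Door occasionally propped open",
         1, existing=("A.11.1.1",)),
]


def risks_needing_treatment(risks):
    """Only unacceptable risks go to the risk treatment plan."""
    return [r for r in risks if not r.is_acceptable()]


def derive_soa(risks, extra_controls):
    """Return {control_id: justification} for every control marked applicable.

    Sources, in the order the answer lists them: controls chosen in risk treatment,
    controls identified as already implemented during assessment, and controls
    selected for another documented reason (e.g. "good practice").
    """
    reasons = {}
    for r in risks_needing_treatment(risks):
        for c in r.treatment:
            reasons.setdefault(c, []).append(f"risk treatment of {r.risk_id}")
    for r in risks:
        for c in r.existing:
            reasons.setdefault(c, []).append(
                f"existing control identified in assessment of {r.risk_id}")
    for c, reason in extra_controls.items():
        reasons.setdefault(c, []).append(reason)
    return {c: "; ".join(rs) for c, rs in reasons.items()}


def untraced_controls(soa, expected_controls):
    """Controls the organization expects to have but that no risk or reason justifies yet."""
    return sorted(set(expected_controls) - set(soa))


if __name__ == "__main__":
    expected = {"A.12.2.1", "A.12.3.1", "A.5.1.1", "A.5.1.2", "A.11.1.1", "A.16.1.1"}
    soa = derive_soa(RISKS, {})
    print("untraced before adding good-practice controls:", untraced_controls(soa, expected))
    soa = derive_soa(RISKS, {"A.16.1.1": "good practice"})
    for control, why in sorted(soa.items()):
        print(f"{control}: {why}")
```

The point the example makes concrete is that a register with only a handful of unacceptable risks can still justify many controls, because each risk maps to several controls and controls already in place are carried into the SoA from the assessment; whatever remains in `untraced_controls` is exactly the set that needs an explicit non-risk justification such as "good practice".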
