Deciding on your ISO 27001 Certification Risk Treatment

April 8, 2021 / by Frederid Palacios

Earning your ISO 27001 certification is an excellent tool for improving your organization's information security management system. Data security is highly crucial for all companies, and this certification is instrumental in improving it and providing you with the acknowledgment for superior security standards. With the ISO 27001 certification, you will be able to confidently display your information and data security while improving the operations of your organization.

Security concept Lock on digital screen, illustrationWhile the process of earning the certification is lengthy and involves several in-depth security audits, it is worth the work. One of the first steps in achieving this certification is performing an internal risk assessment on your organization. This step includes identifying risks within your organization, which is necessary to eliminate vulnerabilities.  Following this assessment, you need to perform a risk treatment. The purpose of the treatment is to control the risks identified during the assessment, which often involves decreasing risks by reducing the likelihood of an incident or reducing the impact on assets. There are several options when completing a robust risk treatment, each of which caters to risks differently. We will walk you through these options and their implications to best determine the right treatment plan for you.


Before Risk Treatment

Prior to the risk treatment, you should be aware of the primary inputs of risk in your organization. This will include the risk management methodologies and unacceptable risks from the assessment conducted. Additionally, you should include your budget for the current year as an input, as risk mitigation may require an investment on your part. Following this, you should select new controls for mitigating risk. There are essentially three types; defining new rules, implementing new technology, and changing the organizational structure. When defining new rules, they should be documented through plans, policies, procedures, and instructions, although the less complex processes may not require documentation. In terms of implementing new technology, you may consider obtaining backup systems and disaster recovery locations for alternative data centers. These will be vital in mitigating the risk of lost or breached data. The third control is altering your organizational structure. In some cases, this could involve introducing a new job function or changing the responsibilities of an existing position to ensure that all necessary operations are being monitored and managed efficiently.

Cyber Security as a Competitive Advantage

Treatment Options

Following your risk assessment, you will have a list of unacceptable risks that you need to address. One by one, you need to decide how to treat each risk, and we'll take you through the most common options for doing so. First, you can choose to decrease the risk. This is the most common option and usually the most feasible. Reducing risk includes the implementation of safeguards or controls. A basic example of this would be to install fire suppression systems to decrease the risk of a catastrophic fire. Other examples may be implementing backup systems or ensuring that more than one personnel person understands the procedures and policies in place should they leave the company. Another option for treatment, if you deem it feasible, is to avoid the risk altogether. This can be more challenging but is a good option for risks that are too big to mitigate with other options. Avoidance would mean that you entirely stop performing the task or process. If the risk of unauthorized access to company laptops is too high, you may consider banning the usage of these laptops outside of the office. While avoiding the risk is the most effective option, it is not possible for every risk.

If it is not feasible to decrease or avoid a particular risk, an alternative is to share the risk. In sharing the risk, you transfer the risk to another party, just as you would when buying an insurance policy. This method allows you to share the financial risk should a risk occur, although it does not influence the incident itself. For this reason, it is best to use this option in coincidence with another treatment method rather than on its own. For example, an insurance policy against fire will mitigate the expenses of fire damage but will do nothing to prevent a fire from occurring. For the final risk treatment option, you may consider retaining the risk. This is typically the least desirable option. Retaining the risk means that your organization will accept the risk without doing anything about it. While not recommended, this option should only be used if the mitigation cost would be higher than the cost of damage should an incident occur.

Once you have determined treatment options, you can backtrack and assign controls to each risk. It can be a bit challenging to determine which controls you should select, but it will clarify procedures in the future if done thoroughly. While you may not want to include an extensive circle of people, as responsibilities may get confused, you should determine the responsible party for each risk or task. This may look like a chart that lays out assets, threats, vulnerabilities, treatment options, means of implementation, and those responsible. For example, if you deem company laptops an asset, the threat would be access by unauthorized persons, and the vulnerability being an inadequate password. If you choose to decrease the risk as a treatment option, you should implement it by writing a password policy to ensure more secure passwords. Alternatively, you could choose to avoid the risk and ban the use of laptops outside of the company premises. This is just one example of selecting controls for treatment plans, but it should be done with all company assets that are vulnerable to risks.


Consider your Options

Overall, when determining treatment plans to mitigate risks, you should consider every option. Typically, the easiest or first option you choose will be the most expensive – and it may not even be the best option for the risk at hand. For this reason, get creative and consider alternative treatments to each risk before determining the most effective and realistic. You should determine how to treat risks with the most minimal investment possible. While it may be safer to use the most expensive treatment plan for each risk, this is not practical for most organizations.

Additionally, you must ensure that these treatment plans will be carried out correctly for them to be effective. If you write a new policy, ensure that all team members are aware of it and take the proper steps to conform to it. Otherwise, the policy is useless, and you are not mitigating any risks. Risk treatment is a process – but it is one worth the time and expense. It is important to remember that while this may seem like a strenuous and inconvenient task, it is to protect your organization. Deciding on your risk treatment plan will bring your company one step closer to earning your ISO 27001 certification. With this certification, not only will you significantly upgrade the strength of your ISMS, but you will be widely recognized as a company that prioritizes security. This recognition will help you obtain new customers, retain current customers, and ensure that your operations are running as smoothly and securely as possible. Security is an investment, but if there is any investment to prioritize, it’s this one.

contact us

Tags: Cyber Security

Frederid Palacios

Written by Frederid Palacios

Fred Palacios is a seasoned software architect with more than 20 years of experience participating in the entire software development cycle across a host of different industries--from automotive and services to petroleum, financial, and supply chain. In that time, his experience working closely with high-level stakeholders has provided him with a strategic vision for developing the right solutions to flexibly meet critical business needs. As CTO of Intertec, he's continuing to focus on the creation of business-critical applications for large enterprise projects, particularly those that handle high concurrency and large datasets. He is passionate about using technology as a tool to solve real-world problems and also mentoring technical teams to achieve their maximum potential and deliver quality software.

Leave A Comment