Developing a Risk Assessment Methodology for your ISO Certification

March 16, 2021 / by Frederid Palacios

Data security should be a priority for every organization, and one of the most efficient means of achieving this is through obtaining an ISO 27001 certification. This certification models a framework for all controls that an organization will use to define their information security management system, informing all stakeholders in the company how you plan to establish and implement risk management. Before you can earn this certification, a few significant tasks must be completed, the most notable being an internal risk audit.



What is a Risk Assessment?

Much like a traditional IT audit, the ISO 27001 certification requires you to complete a risk assessment. This includes requesting documents, preparing an audit plan, scheduling opening and closing meetings, and more, all to identify the current status of your company’s risk management system. The results of this assessment will determine if you are eligible for the ISO certification, so it is imperative that you follow the process correctly.

A significant portion of this audit is assessing your company's security equipment, systems, protocols, and procedures to ensure that they comply with industry standards. This will also identify any significant vulnerabilities in your organization so that you may resolve them to defend against data breaches. Cybersecurity breaches are a growing issue, primarily as a result of cloud misconfigurations. With more and more companies implementing cloud-based solutions, it is crucial that you identify and address holes in your security to prevent devastating breaches of data.

In properly conducting a risk assessment, you will review, assess, and correct your security systems, creating a safer infrastructure and preparing you for your certification. The risk assessment is the first step to your entire risk management structure, so it is crucial that you determine a methodology that will guide you through a thorough and accurate risk audit.


Risk Assessment Methodology Requirements

The ISO 27001 certification lays out a small list of requirements that an organization must adhere to when determining its information management system's security. In following these requirements, you are equipping your company to develop an in-depth risk assessment methodology and achieve your certification.

First and foremost, specify the process by which you will identify risks and vulnerabilities that could compromise the confidentiality, availability, or integrity of your data. The best way to do this is to list all threats that you detect and then describe how you will identify the risk owners. The risk owner should be a team member with the training, knowledge, and ability to handle the risk, in addition to the authority to accomplish the task.

Next, identify the criteria you will use to gauge the likelihood of risk occurrence and the consequences of these risks, should they happen. A good practice for this task is to determine risks and rate them as either a low, medium, or high priority, or rate them numerically. This will give your team a better visual and clarify which risks you should address first as you move forward. Following this, recount how you will calculate risks. This should help you determine the criteria used to accept risks, and organizations should typically start with those labeled as a high priority.

Fulfilling these requirements in detail will strengthen your information security management system, providing you with the qualitative or quantitative framework necessary to measure success. Once in place, you can move on to establishing a risk treatment plan.


Treatment Plan

Once risks have been identified and prioritized according to their threat level, you must determine how to treat these risks. As stated, you should address risks of the highest priority first using one of four options:

  • Implement security controls to minimize the risk. In altering current procedures, you can mitigate risks. Possibilities could include implementing a secondary authentication process to access data or switching to private data servers or networks.
  • Change ownership of the risk through transfer. This may mean transferring the risk to your insurance provider.
  • Avoid the risk. Cease the behavior that is causing the risk or find another way to achieve your goal that does not cause the risk.
  • Accept the risk. This may not be the most optimal solution, but some risks cannot be avoided. If you understand the potential consequences of a specific risk, it is possible to accept it. With this in mind, prepare for the potential of facing this risk in the future.

After applying these protocols to your most concerning risks, you can then move on to low and medium-priority risks until all pressing risks have been addressed.
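The rating, prioritization, and treatment steps described in the two sections above, worked through as a small risk register. This is an added example, not code from the original post: the 1 to 3 scales, the priority bands, the acceptance criterion and the sample register entries are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed rating scale: low/medium/high mapped to 1..3 for both likelihood and consequence
LEVELS = {"low": 1, "medium": 2, "high": 3}
ACCEPT_BELOW = 3  # assumed acceptance criterion: only scores under 3 may be accepted
TREATMENTS = ("mitigate", "transfer", "avoid", "accept")  # the four options in the post


@dataclass
class Risk:
    name: str
    likelihood: str    # "low" | "medium" | "high"
    consequence: str   # "low" | "medium" | "high"
    owner: str         # every risk needs an accountable risk owner
    treatment: str = ""  # one of TREATMENTS, chosen during treatment planning

    def score(self) -> int:
        # Risk calculation: likelihood x consequence on the assumed 1..3 scales
        return LEVELS[self.likelihood] * LEVELS[self.consequence]

    def priority(self) -> str:
        # Assumed bands: 6-9 high, 3-5 medium, 1-2 low
        s = self.score()
        return "high" if s >= 6 else "medium" if s >= 3 else "low"


def prioritize(risks):
    """Order the register so the highest-scoring risks are treated first."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


def validate(risks):
    """Checks an internal auditor would make before sign-off: each risk has an
    owner and a valid treatment, and 'accept' respects the acceptance criterion."""
    problems = []
    for r in risks:
        if not r.owner:
            problems.append(f"{r.name}: no risk owner assigned")
        if r.treatment not in TREATMENTS:
            problems.append(f"{r.name}: treatment must be one of {TREATMENTS}")
        elif r.treatment == "accept" and r.score() >= ACCEPT_BELOW:
            problems.append(f"{r.name}: score {r.score()} exceeds acceptance criterion")
    return problems


# Constructed sample register (illustrative entries, not real findings)
REGISTER = [
    Risk("Public storage bucket holding backups", "medium", "high", "Cloud lead", "mitigate"),
    Risk("Laptop theft", "medium", "medium", "IT ops", "transfer"),
    Risk("Legacy FTP export job", "high", "high", "", "avoid"),
    Risk("Printer firmware outdated", "low", "low", "IT ops", "accept"),
    Risk("Shared admin password", "high", "medium", "Security team", "accept"),
]
```

Running `validate(REGISTER)` flags the two entries an auditor would reject: the FTP job with no owner, and the shared password that was marked "accept" although its score exceeds the acceptance criterion.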

With your risk assessment methodology and treatment plan established, you can begin the implementation. The first step is writing a risk assessment report. Following the identification, ranking, and treatment of risks, you must now chronicle activities in an ISMS Risk Assessment Report. The report is designed to create a tangible statement to show stakeholders or later use in future compliance and third-party audits. Essentially, the report will detail the requirements and plans listed above.

Additionally, you will need to write a statement of applicability. This document details all of the security processes implemented as a result of your risk assessment. You will also need to explain your reasoning for putting these processes in place and how they will work. The statement of applicability is a vital component of any third-party certification audit, ISO 27001 included. View this statement as an opportunity to demonstrate your data and security strength and your compliance with ISO 27001 standards.

Now that all preliminary measures have been established, it’s time to implement your strategies. These strategies will detail how you will assess and address risks to protect your hardware, software, network, and human assets. For each of these goals, you should establish a plan. Determine the responsible parties for each goal, target dates, cost, and the budget that funds will be taken from. Using this framework as a guide, you will have a clear path to a defined risk assessment methodology.


Strategy for Success

The risk assessment your team produces will reflect your organization's view on the risks you face. The evaluation you conduct must deliver consistent, robust, and verifiable information for it to be of use to you. In detailing the risks you face with strategies to reduce them, you create your own framework for risk management, so it is a task to be taken seriously. Reports should be precise regarding what tasks need to be completed, their deadline, and who is responsible. These details will ensure that team members are accountable and aware of their roles. It may seem daunting to create and implement your own security framework, but the work that you do from the front-end will pay off and simplify your security management in the future. With well-defined assessments and plans, you will achieve greater security and accountability with fewer compliance errors.

Consider your risk assessment methodology as a tool and equip your organization with the most robust tools possible. Following these protocols and requirements will prepare your company to meet ISO 27001 standards and bring you one step closer to achieving an instrumental certification in security.


Written by Frederid Palacios

Fred Palacios is a seasoned software architect with more than 20 years of experience participating in the entire software development cycle across a host of different industries--from automotive and services to petroleum, financial, and supply chain. In that time, his experience working closely with high-level stakeholders has provided him with a strategic vision for developing the right solutions to flexibly meet critical business needs. As CTO of Intertec, he's continuing to focus on the creation of business-critical applications for large enterprise projects, particularly those that handle high concurrency and large datasets. He is passionate about using technology as a tool to solve real-world problems and also mentoring technical teams to achieve their maximum potential and deliver quality software.
