Information security management is now more important than ever, which is why so many companies are looking to earn their ISO 27001 certification. While it is well worth the effort, working towards your ISO 27001 certification can be a lengthy process – and a complicated one at that. The purpose of this certification is to mitigate the risks already present within your organization to achieve an optimized standard of information security. One of the most significant aspects of this certification is conducting an internal audit which must be done within your organization to determine the current level of risk you are undertaking. Within this audit, you must prepare several documents outlining these risks, one of which is the risk treatment process in which you determine how you will treat each risk. While this is a crucial document within the ISO 27001 certification, it is often confused with the documentation produced as the result of the risk treatment plan. Both of these steps are crucial to the ISO certification, but how do they differ? We will discuss the critical differences between the risk treatment plan and the risk treatment process to ensure that you thoroughly and accurately complete each step of the ISO 27001 certification process.
Risk Treatment Process
Prior to the risk treatment process is the risk assessment. This is the step where you identify risks and determine their priority of being mitigated, which leads us into the risk treatment process. The main task in this step is to select one or more options for treating each unacceptable risk. For each risk, there are four options that you can take.
- Decrease the risk. To do this, you should implement security controls that minimize the risk. This could mean implementing a secondary authentication process to access data or switching to private data servers or networks if you face the risk of exposed data. This option could also mean installing fire extinguishers and a sprinkler system to decrease the risk of a damaging fire.
- Transfer the risk. Another option is to transfer the risk to another party or share the risk. By sharing the risk with an insurance provider, you can mitigate the risk of costly damage from disasters such as fires, floods, or robberies. This will not protect your organization from the risk itself, but it will allow you to share the cost of potential damage.
- Avoid the risk. To avoid risk altogether, you must cease the behavior that is causing the risk or find another way to achieve your goal that does not cause the risk. If you face risks from employees taking company laptops off-premises, perhaps implement a rule that company laptops with private data cannot leave the office, thus eliminating the risk.
- Accept the risk. This should only be an option if the cost of mitigating the risk would be higher than the damage itself, but it is usually not the most favorable option. Should you choose this, prepare for the potential of facing this risk in the future.
The risk treatment process is usually done in the form of a simple sheet where you link mitigation options and controls to each unacceptable risk. Alternatively, this could be completed with a risk management tool if you are already using one. According to the ISO 27001 guidelines, it is required to document risk treatment results in the risk assessment report, which are the main inputs for writing your Statement of Applicability. So, while the risk treatment process coincides with the other steps of the certification, the results of risk treatment are not directly documented in the risk treatment plan.
Risk Treatment Plan
Once your risk treatment process is complete, it’s time to move on to the risk treatment plan, which can only be written after the Statement of Applicability is finished. It's easier to think of the risk treatment plan as an "action plan," in which you need to specify which security controls you need to implement, who is responsible for each control, what the deadlines are, and which resources are required. You should begin with risks of the highest priority before moving onto medium and low priority risks to ensure that your company's most significant dangers are handled first. But before writing this document, you must make these decisions – hence needing to complete the State of Applicability prior. The Statement of Applicability (SoA) forms a fundamental part of your information security information system (ISMS) and is one of the most important documents you will need to develop. It will show the relationship between the applicable and implemented Annex A controls given the risk and information assets in the scope of your ISMS. This may seem like an extra or unnecessary step, but it ensures that you have a comprehensive picture of information security in your organization. There are many controls to consider, including legal, regulatory, and contractual requirements that must be followed, so the SoA serves as a preliminary checklist. Once you outline these details, you can begin planning.
So, what exactly goes into the risk treatment plan? As stated, this is where you will clearly define the controls used to implement the option you have chosen for each risk. So, if you have decided to minimize the risk of unauthorized data access on company laptops, you need to outline how that will be enforced. You should clearly define who is responsible for the execution of that control, and the more specific that better. Furthermore, you need to detail the target date for when that control will be implemented and how you will communicate this new regulation with other team members. Once this is complete, you must document the control and continuously regulate it.
Overall, obtaining your ISO 27001 certification is a hefty task, and the process can get confusing. It's important to remember that while striving for this certification, you are improving your organization's information security management system, which comes with a plethora of benefits. In addition to achieving optimized security, you are equipping your company with an internationally recognized certification that establishes you as an organization that prioritizes security. There is a reason that an ISO-compliant ISMS is superior to other security standards, and it's because it works. With an ISO certification, you can ensure that you are adhering to all legal security standards by partnering with an accredited certification body, reaching higher standards of security than ever before. This will translate into how you handle sensitive data and information and will pay off for you and your customers. With optimized security, you will find yourself facing fewer security breaches, avoiding costly misconfigurations and damages, all through enhancing how you mitigate risk.
