WE/NIS - What is ISO 27001 and Risk Management

Security Policy

A security policy is a set of documented rules, guidelines, and procedures that define how an organization manages and protects its information assets. It serves as a foundation for establishing and maintaining a secure environment, outlining the organization’s approach to information security, and guiding employees in their responsibilities to safeguard sensitive information.

ISO 27001

ISO 27001, or ISO/IEC 27001:2013, is an international standard for information security management systems (ISMS). It provides a systematic approach to managing sensitive company information, ensuring the confidentiality, integrity, and availability of data. ISO 27001 is designed to be adaptable to various types and sizes of organizations.

Components of ISO 27001

  1. Scope Definition
      • Clearly defines the boundaries and extent of the ISMS implementation.
      • Provides a clear understanding of what information assets and processes are included in the ISMS.
  1. Risk Assessment and Treatment
      • Identifies and assesses risks to information security and develops strategies to manage or mitigate those risks.
      • Helps organizations understand potential threats, vulnerabilities, and impacts on information security.
  1. Security Policy
      • Establishes a comprehensive information security policy that outlines the organization’s commitment to information security.
      • Serves as a foundation for the organization’s approach to protecting sensitive information.
  1. Organizational Structure and Responsibilities
      • Assigns roles and responsibilities for information security within the organization.
      • Clarifies who is responsible for various aspects of information security, ensuring accountability.
  1. Asset Management
      • Identifies and classifies information assets based on their importance and sensitivity.
      • Enables organizations to prioritize their efforts and resources for protecting critical information.
  1. Human Resources Security
      • Addresses the security aspects of employee onboarding, job changes, and offboarding.
      • Ensures that employees understand their information security responsibilities and that risks associated with personnel changes are managed.
  1. Physical and Environmental Security
      • Addresses the security of physical facilities and equipment.
      • Safeguards against unauthorized access, damage, and interference with information systems and assets.
  1. Communication and Operations Management
      • Focuses on secure information exchange and day-to-day operational procedures.
      • Ensures that information is handled securely during normal operations.
  1. Access Control
      • Manages access to information assets based on business and security requirements.
      • Ensures that only authorized individuals have access to information and resources.
  1. Information Systems Acquisition, Development, and Maintenance
      • Integrates security into the development lifecycle of information systems.
      • Ensures that new information systems are secure and that security is maintained during system changes.
  1. Incident Management
      • Addresses the preparation and response to information security incidents.
      • Minimizes the impact of incidents by having effective response and recovery procedures in place.
  1. Business Continuity Management
      • Ensures the availability of critical systems and data during disruptions.
      • Minimizes the impact of disruptions on the organization’s ability to deliver products or services.
  1. Compliance
      • Ensures compliance with relevant laws, regulations, and contractual obligations.
      • Demonstrates that the organization is meeting legal and regulatory requirements related to information security.

Each of these components is essential for the effective implementation and maintenance of an ISMS based on ISO/IEC 27001. Organizations need to tailor these components to their specific context, ensuring that they address the unique risks and requirements they face.

Implementation of ISO 27001

  1. Obtain commitment and support from top management.
  2. Clearly define the scope of the ISMS.
  3. Identify and assess risks to information security.
  4. Establish a set of comprehensive security policies.
  5. Put in place controls to mitigate identified risks.
  6. Educate employees about information security.
  7. Implement monitoring processes to track the effectiveness of the ISMS.
  8. Regularly conduct internal audits to ensure compliance.
  9. Periodically review the ISMS for effectiveness and improvement.

Benefits of Implementing ISO 27001

  • Enhances the overall security posture of the organization.
  • in complying with relevant laws and regulations.
  • Builds trust with customers, partners, and stakeholders.
  • Systematic approach to identifying and managing risks.
  • Demonstrates commitment to information security, providing a competitive edge.

Challenges of Implementing ISO 27001

  • Requires significant time, effort, and resources.
  • The standard can be complex, especially for smaller organizations.
  • Employees may resist new policies and procedures.
  • Ongoing efforts needed to maintain compliance.
  • Standard may require customization to fit specific organizational needs.

Risk management

Conducting risk management in ISO 27001 involves a systematic process of identifying, assessing, and treating information security risks to achieve the objectives of an organization’s Information Security Management System (ISMS).

  1. Establish the Context
    • Define the scope of the risk management process.
    • Identify the external and internal context that can affect information security.
  1. Risk Identification
    • Identify assets: Determine the information assets within the scope.
    • Identify threats: Recognize potential events that could compromise information security.
    • Identify vulnerabilities: Understand weaknesses in the organization’s systems and processes.
    • Document risks: Compile a list of potential risks to information security.
  1. Risk Assessment
    • Evaluate the likelihood and impact of each identified risk.
    • Use a risk assessment methodology to assign risk levels.
    • Prioritize risks based on their significance to the organization.
  1. Risk Treatment

Select risk treatment options

    • Avoidance: Eliminate or withdraw from the risk.
    • Mitigation: Reduce the likelihood or impact of the risk.
    • Transfer: Shift the risk to a third party.
    • Acceptance: Acknowledge and live with the risk.
    • Develop a risk treatment plan for each selected option.
  1. Risk Acceptance
    • Clearly document reasons for accepting certain risks.
    • Obtain approval from relevant stakeholders for accepting residual risks.
  1. Risk Communication
    • Communicate risks and treatment plans to relevant stakeholders.
    • Ensure that everyone involved understands their roles and responsibilities.
  1. Monitoring and Review
    • Regularly monitor and review the effectiveness of risk treatments.
    • Update risk assessments based on changes in the organization’s context.
  1. Documentation
    • Document the entire risk management process, including identified risks, assessment results, and treatment plans.
    • Maintain records for auditing and compliance purposes.
  1. Integration with ISMS
    • Integrate the risk management process with the overall ISMS.
    • Ensure alignment with other ISMS components such as policies, controls, and objectives.
  1. Continuous Improvement
    • Continuously improve the risk management process based on lessons learned and changes in the business environment.
    • Adjust risk assessments and treatments as necessary.

Example of doing risk management

Let’s create a simplified risk assessment table for some risks. In this example, we’ll use a basic qualitative approach to assess the likelihood and impact of each risk on a scale from 1 to 5 (1 being low, 5 being high).

Risk Assessment Table

Risk Event Likelihood (1-5)  Impact (1-5)     Risk Level (Likelihood x Impact)  Risk Treatment OptionsResidual Risk Level
Virus infection4312Implement antivirus software and regular updates2
SQL Injection3412Employ secure coding practices, input validation2
Theft of Computer equipment2510Implement physical security measures, asset tracking1
Hacking                     4416Regularly update and patch systems, implement firewalls 3
Social Engineering3515Conduct employee training, establish strict access controls 2


  • Likelihood (1-5): Represents the probability of the risk event occurring, with 1 being low and 5 being high.
  • Impact (1-5): Indicates the potential consequences of the risk event, with 1 being low and 5 being high.
  • Risk Level (Likelihood x Impact): Obtained by multiplying the likelihood and impact scores, provides a relative measure of risk.
  • Risk Treatment Options: Suggested measures to mitigate or manage each risk.
  • Residual Risk Level: The level of risk remaining after applying risk treatment measures.

In this example, the organization might decide to implement antivirus software and regular updates to mitigate the risk of viruses. Similarly, specific measures are proposed for each risk. The residual risk level reflects the organization’s assessment of the risk after the chosen treatments. Keep in mind that this is a simplified example, and in a real-world scenario, a more detailed and quantitative risk assessment might be conducted for a comprehensive understanding of the risks and their impact.