Risk Management – What is it and What Role Does it Play in ISO 27001?

What is ‘Risk’?

Here’s an interesting challenge.  Ask 5 of your colleagues to tell you what they understand by risk, and we’ll be very surprised if you get the same answer, nor would we be surprised if some struggle to answer the question at all. Let’s see how the international standards define risk, starting with ISO 31000 the International Standard for Risk Management – Principles and guidelines.

The Standard defines risk as the ‘effect of uncertainty on objectives’.  We find this definition a little nebulous, which is probably not surprising given the universal nature of ISO 31000 and that it addresses all types of risk. However, ISO 27000 expands on the ISO 31000 definition and comes up with something more substantial and specific i.e., ‘Information security risk is associated with the potential that threats will exploit vulnerabilities of an information asset or group of information assets and thereby cause harm to an organization’.

Implicit in this definition is that in order for a risk to exist there must be something that we care about, in this case, information and, more specifically, the confidentiality, integrity and availability of information. You can also see the importance of viewing risk from the perspective of achieving business objectives.  If you’re a healthcare services provider, for example, and your goal is to win and maintain more clients, it’s imperative that you protect the confidentiality of any personal data.

Once you have identified that it is the confidentiality of personal data you particularly care about, you can then start to look at the threats and vulnerabilities that could lead to a breach of confidentiality of personal data.

What is Risk Management?

OK, let’s start with the ISO 31000 definition, which is the ‘coordinated activities to direct and control an organisation with regard to risk’. To expand on this, we are looking at activities which allow us to better identify, analyse and evaluate risks and allow us to manage them proactively in order to minimise any possible damage and maximise any opportunities.

The last point is important, in that whilst risk generally has a negative association, there can be positive outcomes. If your organisation, for example, has a well-developed risk management process in place, this can provide you with a competitive advantage viz-a-viz your competitors, e.g., evaluating whether it would be advantageous to enter a new market.

Without a robust risk management process, you could either miss the opportunity or enter the market blindly, hoping that it pays off.

Why is Risk Management Important to Information Security?

The confidentiality, integrity and availability of our information assets are threatened by a vast array of internal and external threats and there is no way we can protect ourselves against every potential threat. In essence, risk management enables us to target our efforts and security measures where they are most needed and are going to give us the best return for our investment.  This is naturally important, as none of us have unlimited resources, be that finances, manpower, competence or time.

There is also the other aspect to consider – even if we did have unlimited resources, and we apply information security controls indiscriminately, productivity would almost certainly suffer. As per URM’s strapline, it’s all about getting the balance right and in this case, it’s about achieving the optimum trade-off between security and productivity.  There really can be too much security!

The key aspect to risk management is that it enables organisations, in a world of uncertainty, to make informed decisions about which risks are considered the most urgent to address.  Essentially, the ones which present the greatest danger to the most valued information assets taking into account likelihood and impact.

‍

Why is Risk Management so Important to ISO 27001?

By adopting a risk-based approach, ISO 27001 acknowledges that organisations are all different, e.g., in size, industry sector, ownership, organisational structure, maturity, business objectives, risk appetite, culture. Not only that, but the Standard also takes account of the fact that we are all operating in a dynamic, changing environment, where some are growing and others are consolidating.  We are all subject to external changes, such as regulation or legislation changes and the emergence of new competition and new opportunities.

Threats to our information assets are also changing and nowhere more so than in the cyber world.  We are constantly under attack from new scams or old scams with a new twist, all aimed at gaining unauthorised access to our information, our most valuable asset.

ISO 27001 clearly recognises that there is no ‘silver bullet’ or ‘one size that fits all’ solution to information security.  As such, it does not prescribe any specific controls (just a set of 114 controls (consolidated into 93 in the 2022 version of the standard) we can consider).  What it does, however, is to prescribe a continual improvement management system which has risk assessment and risk treatment at its heart. Thereby, we can all proactively implement a set of security measures which are tailored to our specific information assets and the threats to those assets, whilst at the same time allowing us to factor in things such as business objectives and risk appetites.

What is Information Security Risk?

Information security risk is simply a combination of the impact that could result from a threat compromising one of your important information assets and the likelihood of this happening.

ISO 27001 Risk Management Framework – Implement, Certify and Comply

There are several discrete stages of an ISO 27001 risk management methodology.  First of all, it is important to understand the information security context of your organisation. Once this has been achieved, you can perform a risk assessment which includes the need to identify your risks, analyse them and evaluate them.  You then need to determine a suitable treatment for the risks you have assessed and then implement that treatment.  

It is vitally important that you do not see this as a one-off exercise.  Your risk management methodology should be designed to be iterative. This enables you to not only review the status of risks you have previously identified, taking into consideration any potential changes in context, but it also enables you to identify new risks.

ISO 27001 Risk Management – Risk Appetite, Risk Tolerance, Risk Capacity - what’s the difference?

There is frequent misunderstanding regarding the above terms, but it is important to understand the differences between each term - and every organisation’s consideration of each will be different:

• Risk appetite is quite simply the amount and type of risk you are will to accept in order to allow your business operations to proceed.
• Risk tolerance is the amount of deviation from the risk appetite that a business considers to be acceptable.
• Risk capacity is the amount of risk a business can absorb before it ceases to exist.

These factors are important because too much security can sometimes compromise your operational viability, whereas too little will reduce the confidence of your stakeholders.

Some types of organisation are willing to take more risks than others.  For example a hedge fund manager is likely to take more and greater risks in order to make greater profits over a short space of time, a pension fund manager would generally prefer a more conservative approach and consider less risk, steady growth options.

‍