Overview: ISO 27001 requirement 8.2

1. What is the 8.2 clause of ISO 27001? 
   
   
2. What is ISO 27001 clause 8.2 information security risk assessment? 
   
   
3. Asset-based risk management vs. scenario-based risk management 
   
   
4. What are the key aspects of clause 8.2? 
   
   
5. FAQs 

ISO 27001 is an international standard that provides a framework for managing information security. It is designed to help organisations protect their information assets from a variety of threats, including unauthorized access, use, disclosure, modification, or destruction.

Clause 8.2 of ISO 27001 is concerned with information security risk assessment. This clause requires organisations to identify, assess, and control the risks to their information assets.

What is ISO 27001 clause 8.2 information security risk assessment?

ISO 27001 clause 8.2 information security risk assessment is titled "Information security risk assessment". Information security risk assessment is a critical process for any organization that wants to protect its data and systems. By identifying and assessing risks, organizations can take steps to mitigate them and prevent security incidents from occurring. A risk management process should be following:

• Systematic
  
  
• Documented
  
  
• Regularly reviewed and updated.

Asset-based risk management vs. scenario-based risk management

There are two main types of information security risk assessment: asset-based and scenario-based.

Asset-based risk assessment focuses on identifying and assessing the risks to specific information assets, such as customer data, financial data, and intellectual property.

Asset-based risk management process

Asset-based risk assessment typically involves the following steps:

1. Identify the information assets that need to be protected.
   
   
2. Identify the threats and vulnerabilities that could affect each asset.
   
   
3. Assess the likelihood and impact of each threat and vulnerability.
   
   
4. Prioritize the risks based on their likelihood and impact.
   
   
5. Develop and implement mitigation strategies to reduce the risk to each asset.

Scenario-based risk management process

Scenario-based risk assessment typically involves the following steps:

1. Identify the business processes that need to be protected.
   
   
2. Identify the threats and vulnerabilities that could affect each business process.
   
   
3. Assess the likelihood and impact of each threat and vulnerability.
   
   
4. Prioritize the risks based on their likelihood and impact.
   
   
5. Develop and implement mitigation strategies to reduce the risk to each business process.

Scenario-based risk assessment focuses on identifying and assessing the risks to specific business processes. There are a number of benefits, including:

• It helps organizations to identify and assess risks that may not be obvious at first glance.
  
  
• It takes a more holistic view of the organization's information security risks.
  
  
• It helps organizations to prioritize their risk mitigation efforts.
  
  
• It helps organizations to communicate their information security risks to stakeholders in a more meaningful way.
  
  
• It can help organizations to continually improve their information security management system.

The risk assessment process should identify the following:

• The organisation's information assets
  
  
• The threats and vulnerabilities that could impact those assets
  
  
• The likelihood and impact of those threats and vulnerabilities
  
  
• The controls that are in place to mitigate the risks

Clause 8.2 is one of the most important clauses in the standard, as it is the foundation for all other information security controls.

ISO 27001: How to manage information security risks?

Watch our Webinar and learn everything you need to know about how to manage information security risks!

What are the key aspects of clause 8.2?

ISO 27001 clause 8.2 requires organizations to conduct information security risk assessments at planned intervals or when significant changes are proposed or occur.

The purpose of the risk assessment is to identify and evaluate the risks to the organization's information assets. The risk assessment should consider the following factors:

• The likelihood of a threat occurring
  
  
• The impact of a threat occurring
  
  
• The effectiveness of existing controls
  
  
• The need for additional controls

Once the risks have been identified and evaluated, the organization can develop and implement mitigation strategies to reduce the risk to an acceptable level.

The key aspects of clause 8.2 are:

• The need to identify all of the organisation's information assets or the scenarios where risks can occur
  
  
• The need to identify all of the threats and vulnerabilities that could impact those assets or scenarios that could be impacted by them
  
  
• The need to assess the likelihood and impact of those threats and vulnerabilities
  
  
• The need to implement controls to mitigate the risks
  
  
• The need to regularly review and update the risk assessment process

What are the 3 key elements information security in ISO 27001?

The three key elements of information security in ISO 27001 are:

Confidentiality

Confidentiality is the protection of information from unauthorised disclosure. This means that only authorised individuals should be able to see or access the information. Confidential information could include things like financial data, customer records, or intellectual property.

There are many ways to protect confidentiality, such as:

• Using strong passwords and access controls
  
  
• Encrypting sensitive data
  
  
• Limiting access to sensitive areas
  
  
• Implementing data loss prevention (DLP) solutions

Integrity

Integrity is the protection of information from unauthorised modification. This means that information should only be changed by authorised individuals and in a controlled manner. Any changes to information should be logged and tracked.

There are many ways to protect integrity, such as:

• Using checksums and hash functions to verify the authenticity of data
  
  
• Implementing change management procedures
  
  
• Using version control systems
  
  
• Regularly backing up data

Availability

Availability is the protection of information from unauthorised destruction or disruption. This means that information should be available to authorised users when they need it.

There are many ways to protect availability, such as:

• Using redundant systems and backups
  
  
• Implementing disaster recovery plans
  
  
• Keeping systems up to date with security patches
  
  
• Monitoring systems for signs of attack

The three key elements of information security are interrelated. For example, if confidentiality is compromised, then integrity and availability may also be compromised. Therefore, it is important to implement appropriate controls to protect all three elements.

Does ISO 27001 require a risk assessment?

Certainly, ISO 27001 places significant emphasis on conducting a comprehensive risk assessment. This requirement serves as the bedrock of the entire information security framework outlined in the standard.

The risk assessment is the foundation for all other information security controls in ISO 27001 because it helps organisations to:

• Identify the risks that their information assets or scenarios face
  
  
• Assess the likelihood and impact of those risks
  
  
• Prioritise the risks based on their severity
  
  
• Select appropriate controls to mitigate the risks
  
  
• Monitor and review the risk assessment process on a regular basis

The risk assessment should be conducted on a regular basis, and it should be updated as the organisation's information assets/scenarios and threats change. The results of the risk assessment should be used to prioritise the implementation of information security controls.

In essence, ISO 27001 not only mandates a risk assessment but positions it as a fundamental and ongoing activity that underpins the entire information security management system. It's not merely a requirement; it's a strategic imperative for organisations seeking to safeguard their valuable information and mitigate security risks effectively.

How to conduct an ISO 27001 risk assessment?

There are many different ways to do an ISO 27001 risk assessment. However, the following steps are generally involved:

• Identify the organisation's information assets.
  
  
• Identify the threats and vulnerabilities that could impact those assets/scenarios.
  
  
• Assess the likelihood and impact of those threats and vulnerabilities.
  
  
• Implement controls to mitigate the risks.
  
  
• Regularly review and update the risk assessment process.

Is ISO 27001 risk based?

Yes, ISO 27001 is a risk-based standard because it recognises that the level of risk that an organisation faces will vary depending on a number of factors, such as the type of information that it processes, the size and complexity of the organisation, and the threats and vulnerabilities that it faces.

The risk-based approach of ISO 27001 is reflected in a number of clauses in the standard, including:

• Clause 4.1, which requires organisations to define their information security policy, which should be based on the organisation's risk assessment
  
  
• Clause 6.1, which requires organisations to identify their assets and their associated risks
  
  
• Clause 8.2, which requires organisations to conduct a risk assessment to identify, assess, and prioritise the risks to their information assets
  
  
• Clause 8.3, which requires organisations to select and implement appropriate controls to mitigate the risks to their information assets

The risk-based approach of ISO 27001 allows organisations to tailor their information security controls to the specific risks that they face. This helps to ensure that organisations are only implementing controls that are necessary and proportionate to the risks, which can help to reduce the cost of information security.

Overall, this approach is a valuable tool that can help organisations to improve their information security posture and protect their most valuable assets.

Get your free ISO 27001 risk assessment guide

To learn more about ISO 27001 risk assessment, download our free ISO 27001 risk assessment guide. This guide outlines an 8-step simple plan for your organisation to conduct a hassle-free and effective risk assessment.