How to conduct an information security risk assessment
As defined by ISACA, risk management is “the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization”.
There are several ways of managing risk within an organisation, and which one you choose depends on your needs, your data processing activities and your budget. Two widely used standards are ISO/IEC 27001:2013, which covers information security management, and ISO 31000:2018, which gives general risk management guidelines (ISO/IEC 27005 applies them specifically to information security risk).
ISO 27001 specifies the requirements for an information security management system (ISMS), structured around the plan-do-check-act (Deming) cycle, and an organisation can be certified against it. It is especially useful for GDPR compliance because both the Regulation and ISO 27001 take a risk-based approach to protecting information.
According to ISO 27001, assessing risks means that you:
- identify information assets (personnel, premises, hardware, software, ...), the threats those assets are exposed to, and the vulnerabilities a threat could exploit;
- estimate the likelihood of a threat exploiting a vulnerability to compromise the confidentiality, integrity or availability of the information;
- evaluate the impact that the materialisation of that threat would have on confidentiality, integrity and availability;
- estimate the risk level by combining likelihood and impact (typically as a product on a numeric scale or through a likelihood/impact matrix);
- assign a risk owner to each identified risk; and
- define the risk appetite, i.e. the risk acceptance criteria against which each risk level is compared.
The next step is to draft the risk treatment plan: a document stating which risks will be treated, their level, the actions proposed, who is responsible for implementing the controls, the resources needed and the timeframe. Each risk can be treated in one or more of the following ways:
- avoiding the risk;
- reducing the risk level;
- transferring the risk; and
- accepting the risk.
If you decide not to accept a risk, select the appropriate security measures to avoid, reduce or transfer it. Once a risk has been treated, the risk that remains is called the residual risk, and it should be lower than the original (inherent) risk. The residual risk must also be evaluated against the acceptance criteria: if it is still above them it needs further treatment, otherwise it has to be formally accepted by the risk owner.
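As an added worked example (not part of the original article and not text from ISO 27001 itself), the steps above carried through in a small Python risk register: assets, threats and vulnerabilities are recorded, likelihood and impact are scored, the level is compared against the risk appetite, a treatment is recorded for each risk, and the residual risk is re-evaluated so that anything still above the acceptance criteria is flagged for further treatment or formal acceptance. The 5-point scales, the appetite value of 8, the rating bands, the sample assets and the residual estimates are assumptions constructed for illustration; ISO 27001 leaves the scales and acceptance criteria to the organisation.

```python
"""Worked ISO 27001-style risk assessment and treatment plan (added example).

Scales, appetite, assets and residual estimates below are constructed for
illustration; they are not values prescribed by ISO 27001.
"""
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Sequence

# Assumed 5-point qualitative scales for likelihood and impact.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
# Assumed risk appetite: the highest likelihood x impact score accepted without treatment.
RISK_APPETITE = 8
TREATMENTS = ("avoid", "reduce", "transfer", "accept")


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    affects: str                 # C, I and/or A: the property the scenario compromises
    likelihood: int              # 1..5 before treatment
    impact: int                  # 1..5 before treatment
    owner: str                   # risk owner who approves the plan and accepts residual risk
    treatment: Optional[str] = None
    controls: List[str] = field(default_factory=list)
    residual_likelihood: Optional[int] = None
    residual_impact: Optional[int] = None


def score(likelihood: int, impact: int) -> int:
    """Risk level = likelihood x impact (0 is allowed so an avoided risk scores 0)."""
    if not (0 <= likelihood <= 5 and 0 <= impact <= 5):
        raise ValueError("likelihood and impact must be on the 0..5 scale")
    return likelihood * impact


def rating(level: int) -> str:
    """Qualitative band used in the treatment plan; thresholds are assumed."""
    return "high" if level >= 12 else "medium" if level >= 6 else "low"


def inherent_level(risk: Risk) -> int:
    return score(risk.likelihood, risk.impact)


def treat(risk: Risk, treatment: str, controls: Sequence[str] = (),
          residual_likelihood: Optional[int] = None,
          residual_impact: Optional[int] = None) -> Risk:
    """Record a treatment decision together with the estimated residual risk."""
    if treatment not in TREATMENTS:
        raise ValueError(f"unknown treatment {treatment!r}")
    if treatment == "accept":          # nothing changes; the owner signs off on the level as-is
        rl, ri = risk.likelihood, risk.impact
    elif treatment == "avoid":         # the activity or asset is dropped, so the scenario disappears
        rl, ri = 0, 0
    else:                              # reduce or transfer: controls lower likelihood and/or impact
        if not controls or residual_likelihood is None or residual_impact is None:
            raise ValueError("reduce/transfer need controls and a residual estimate")
        rl, ri = residual_likelihood, residual_impact
    if score(rl, ri) > inherent_level(risk):
        raise ValueError("residual risk cannot exceed the inherent risk")
    return replace(risk, treatment=treatment, controls=list(controls),
                   residual_likelihood=rl, residual_impact=ri)


def residual_level(risk: Risk) -> int:
    if risk.treatment is None:
        raise ValueError(f"{risk.asset}/{risk.threat} has not been treated yet")
    return score(risk.residual_likelihood, risk.residual_impact)


def treatment_plan(risks: Sequence[Risk], appetite: int = RISK_APPETITE) -> List[Dict]:
    """One row per risk; 'further_action' flags residual risk still above the appetite."""
    rows = []
    for r in risks:
        inherent, residual = inherent_level(r), residual_level(r)
        rows.append({"risk": f"{r.threat} -> {r.asset} [{r.affects}]", "owner": r.owner,
                     "inherent": inherent, "rating": rating(inherent),
                     "treatment": r.treatment, "controls": r.controls,
                     "residual": residual, "further_action": residual > appetite})
    return rows


def example_register() -> List[Risk]:
    """Constructed sample register with the treatment decisions already applied."""
    L, I = LIKELIHOOD, IMPACT
    db = Risk("customer database", "external attacker", "SQL injection in web app", "C", L["likely"], I["major"], "Head of IT")
    laptops = Risk("staff laptops", "theft", "disks not encrypted", "C", L["possible"], I["major"], "Head of IT")
    web = Risk("public web server", "DDoS", "single hosting provider", "A", L["possible"], I["moderate"], "Ops manager")
    site = Risk("marketing site", "defacement", "outdated CMS", "I", L["unlikely"], I["minor"], "Marketing lead")
    hr = Risk("HR records", "malicious insider", "broad access rights", "C", L["possible"], I["severe"], "HR director")
    return [
        treat(db, "reduce", ["parameterised queries", "input validation", "web app pentest"], L["unlikely"], I["major"]),
        treat(laptops, "reduce", ["full-disk encryption", "remote wipe"], L["possible"], I["negligible"]),
        treat(web, "transfer", ["DDoS mitigation service contract"], L["unlikely"], I["moderate"]),
        treat(site, "accept"),  # level 4 is within the appetite, so it is accepted as-is
        treat(hr, "reduce", ["least-privilege review", "access logging"], L["unlikely"], I["severe"]),  # still 10 > 8
    ]


if __name__ == "__main__":
    for row in treatment_plan(example_register()):
        flag = "  <-- residual above appetite: treat further or obtain formal acceptance" if row["further_action"] else ""
        print(f"{row['risk']:<55} {row['inherent']:>2} ({row['rating']}) -> {row['treatment']:<8} residual {row['residual']:>2}{flag}")
```

Running the module prints the plan; the HR-records row is flagged because its residual level (10) is still above the assumed appetite (8), which is exactly the case the text describes: the residual risk itself has to be evaluated and either treated again or explicitly accepted by its owner.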
This is, at a high level, the ISO 27001 methodology for assessing and treating risks. Some requirements have been omitted here (for instance the Statement of Applicability and the approval of the treatment plan and of the residual risks by the risk owners), and they have to be addressed if you intend to seek certification. However, the GDPR's information security requirements do not demand certification, so you do not need to implement the whole of ISO 27001 to comply.
What the GDPR requires (Article 32) is an assessment of the risks to the confidentiality, integrity and availability of personal data and the implementation of appropriate technical and organisational measures to address those risks.