By Darshanpreet Kaur
Introduction
Risk assessment is one of the most important components of an ISMS: it is the basis for risk identification and evaluation as well as for the development of risk treatment measures. Despite the availability of guidelines such as ISO/IEC 27001 and ISO/IEC 27005 that detail how risk assessments should be conducted, organisations continue to experience common challenges that hinder the achievement of their intended goals. This blog discusses these pitfalls and what should be done to avoid them, so that your risk assessment process is sound and meets the requirements of the international standards.
1. Lack of Clarity on the Scope of the Risk Assessment
Pitfall | Avoidance Strategy |
---|---|
The first mistake organizations make is failing to set clear and specific objectives for the scope of the risk assessment. This may result in an incomplete assessment, since important information assets or business processes may not be captured. | ISO/IEC 27005 states that context establishment should be carried out before the risk assessment. The scope should be defined by taking into account all the internal and external factors, assets, processes and stakeholders of the organization. Defined this way, the scope leaves no room for overlooking essential areas, an oversight that could lead to failure of the project. |
2. Lack of Stakeholder Involvement
Pitfall | Avoidance Strategy |
---|---|
Risk assessments are usually carried out in isolation by the IT or security department, without enough consultation with other departments. This leads to a limited view of risks, overlooking what other teams in the organization could contribute. | Stakeholder management is important, and it involves engaging stakeholders from different departments. ISO/IEC 27001 and ISO/IEC 27005 suggest that risk assessments should be conducted with the participation of the organization's stakeholders. This provides a broader perspective on risks and, as a result, more effective risk management. |
3. Excessive Use of Qualitative Risk Assessment Techniques
Pitfall | Avoidance Strategy |
---|---|
Most organizations use only qualitative methods in risk assessment, which results in subjective and inconsistent data. For this reason, qualitative assessments alone are not as accurate as they need to be for risk identification, assessment and management. | To address this, ISO/IEC 27005 recommends that, where possible, both qualitative and quantitative risk assessment techniques be used. Whereas qualitative methods are more helpful during the initial assessment, quantitative methods are more helpful for the detailed assessment of risks and for their comparison and prioritization. Organizations should seek an optimal balance between quantitative and qualitative data, with the quantitative data used to confirm the qualitative impressions. |
4. Failure to Schedule Risk Assessment Updates
Pitfall | Avoidance Strategy |
---|---|
Risk assessments are often viewed as an activity performed only when an ISMS is first set up and then ignored. This leads to risk profiles that are out of sync with current risks and threats, and therefore not very effective. | ISO/IEC 27001 requires the organisation to maintain the ISMS, and this involves conducting periodic risk assessments. Organisations should set a fixed frequency at which risk assessments are conducted, and changes such as new threats, business processes or regulations should trigger a new assessment. |
5. Inconsistent Risk Criteria
Pitfall | Avoidance Strategy |
---|---|
Without clear standards or criteria for risk identification, different people may give different scores to the same risks. This leads to inconsistency in the assessment of risks, which in turn causes problems in the allocation of resources. | ISO/IEC 27005 suggests that organizations should have well-defined and unambiguous risk evaluation criteria aligned to the enterprise's risk tolerance and goals. These criteria should be written down and shared with all the stakeholders involved in risk assessment. |
6. Omission of the Risk Treatment Process
Pitfall | Avoidance Strategy |
---|---|
Having identified and analysed risks, some organizations have inadequate means of handling the risk treatment process. This results in risks that are seen but not controlled, which puts the organization at risk. | The risk treatment process is an essential part of both ISO/IEC 27001 and ISO/IEC 27005. Risk treatment should be a well-planned process in which the organization identifies the controls to be implemented, who will implement them, and how their effectiveness will be assessed in the future. Risk treatment should therefore form part of the organization's risk management framework so that all identified risks can be managed appropriately. |
7. Ignoring Residual Risk
Pitfall | Avoidance Strategy |
---|---|
While concentrating on risk control, organizations fail to pay attention to residual risk, the risk that remains after the implemented controls take effect. Leaving out residual risk can create a 'security blanket' effect: a false sense that the risk has been fully dealt with. | ISO/IEC 27005:2008 notes that the evaluation of residual risk is part of the risk treatment process. Organizations must assess whether the residual risks are tolerable or whether further controls are required. This step ensures that where risks are retained after treatment, they are retained at a level within the organization's risk tolerance. |
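Sections 3, 5 and 7 above describe three things a risk register needs in practice: criteria written down once and applied by everyone, a quantitative figure to check the qualitative impression against, and an explicit comparison of residual risk with the organization's tolerance. The following is an added worked example in Python, not code from the article or from ISO/IEC 27005. The likelihood and impact scales, the two register entries, the monetary figures and the tolerance value are all constructed and hypothetical. The quantitative method shown is the common annualised loss expectancy calculation (single loss expectancy times annual rate of occurrence); the standard does not prescribe this particular formula, it is used here only as one concrete quantitative technique.

```python
from dataclasses import dataclass

# Constructed, hypothetical scoring criteria. Writing them down once and
# sharing them with every assessor is what keeps scores consistent (section 5).
LIKELIHOOD_SCALE = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT_SCALE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    name: str
    likelihood: str              # key into LIKELIHOOD_SCALE (qualitative)
    impact: str                  # key into IMPACT_SCALE (qualitative)
    asset_value: float           # monetary value of the affected asset (quantitative)
    exposure_factor: float       # fraction of asset value lost per incident, 0..1
    annual_rate: float           # expected incidents per year (ARO)
    control_effect: float = 0.0  # fraction of loss expectancy removed by planned controls


def validate(risk: Risk) -> None:
    """Reject scores that fall outside the agreed criteria instead of silently accepting them."""
    if risk.likelihood not in LIKELIHOOD_SCALE:
        raise ValueError(f"{risk.name}: likelihood '{risk.likelihood}' is not on the agreed scale")
    if risk.impact not in IMPACT_SCALE:
        raise ValueError(f"{risk.name}: impact '{risk.impact}' is not on the agreed scale")
    if not (0.0 <= risk.exposure_factor <= 1.0 and 0.0 <= risk.control_effect <= 1.0):
        raise ValueError(f"{risk.name}: exposure factor and control effect must lie in 0..1")


def qualitative_score(risk: Risk) -> int:
    """Qualitative score: likelihood rank times impact rank on the shared scales."""
    validate(risk)
    return LIKELIHOOD_SCALE[risk.likelihood] * IMPACT_SCALE[risk.impact]


def annual_loss_expectancy(risk: Risk) -> float:
    """ALE = SLE * ARO, where SLE = asset value * exposure factor."""
    validate(risk)
    single_loss = risk.asset_value * risk.exposure_factor
    return single_loss * risk.annual_rate


def residual_loss_expectancy(risk: Risk) -> float:
    """Loss expectancy that remains after the planned controls take effect (section 7)."""
    return annual_loss_expectancy(risk) * (1.0 - risk.control_effect)


def evaluate_register(register: list, tolerance: float) -> list:
    """Score every risk both ways and flag those whose residual risk exceeds tolerance."""
    rows = []
    for risk in register:
        residual = residual_loss_expectancy(risk)
        rows.append({
            "name": risk.name,
            "qualitative": qualitative_score(risk),
            "ale": annual_loss_expectancy(risk),
            "residual_ale": residual,
            "within_tolerance": residual <= tolerance,
        })
    # Prioritise by what is left after treatment, not by the initial impression.
    rows.sort(key=lambda r: r["residual_ale"], reverse=True)
    return rows


# Constructed sample register with hypothetical figures.
SAMPLE_REGISTER = [
    Risk("Ransomware on file server", "likely", "major", 500_000, 0.2, 0.5, control_effect=0.7),
    Risk("Lost unencrypted laptop", "possible", "moderate", 50_000, 0.5, 2.0, control_effect=0.3),
]
RISK_TOLERANCE = 20_000  # hypothetical annual loss the organisation is willing to retain


if __name__ == "__main__":
    for row in evaluate_register(SAMPLE_REGISTER, RISK_TOLERANCE):
        status = "accept" if row["within_tolerance"] else "treat further"
        print(f"{row['name']:<28} qual={row['qualitative']:>2} "
              f"ALE={row['ale']:>9,.0f} residual={row['residual_ale']:>9,.0f} -> {status}")
```

Run as a script, the register shows the point of section 3: the ransomware entry has the higher qualitative score (16 against 9), but once planned controls are taken into account the laptop entry carries the larger residual loss expectancy and is the one that still exceeds the tolerance figure. The quantitative view corrects the qualitative impression rather than replacing it, and the residual figure is what is compared against tolerance, not the initial score.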
8. Poor Documentation and Reporting
Pitfall | Avoidance Strategy |
---|---|
Lack of documentation and reporting of the risk assessment process may result in failure to account for the process. This makes it hard to review, audit or evaluate the risk management process at different points in time. | ISO/IEC 27001 and ISO/IEC 27005 are alike in terms of documentation: both require comprehensive documentation. All the activities in the risk assessment process should be recorded, including the techniques applied, the risks identified, the decisions made and the controls put in place. This documentation should be updated from time to time to reflect the current situation and to record changes as they are made. |
Conclusion
Risk assessment is an important part of any organization's strategy to safeguard its information and conform to standards such as ISO/IEC 27001 and ISO/IEC 27005. Organizations can improve the quality of their risk assessments by avoiding the errors described above: insufficient scoping, inadequate stakeholder engagement, over-reliance on qualitative data, and failure to address residual risk. Doing so not only enhances their ISMS but also strengthens organizational security and resilience in the long run.
For auditors and compliance experts, it is important to know these pitfalls and how they can be prevented when assessing the effectiveness of an organization's risk management framework. The threat landscape will keep changing, so constant vigilance and an active approach to risk assessment will be essential for strengthening information security.
This article first appeared on Sustainable Futures Trainings’ website and is published here with permission.