Effective risk management is a continuous Plan-Do-Check-Act cycle. This means, of course, that the risk assessment must be regularly revisited. ISO27001 sets out the requirement very clearly: ‘review risk assessments at planned intervals and review the residual risks and the identified acceptable levels of risks’ taking into account changes in the business environment, to the organisation, to the risks it faces, to the incidents it experiences, to regulatory changes and in the light of the effectiveness of the controls.[58]
Following the initial, resource-intensive phase of the ‘ISMS implementation’ risk assessment, the organisation’s appetite to repeat the exercise is likely to have diminished significantly. The real value in having done a comprehensive risk assessment – using a tool that retains the data so that it can support future reviews – is that it enables you to achieve certification and that you can then use it time and time again to review progress and ensure that the residual risk remains exactly where you want it – beneath the risk acceptance criteria.
Given the rate of development of new threats, the discovery of new vulnerabilities and the development of new technology (with its own inherent vulnerabilities), the information security management system needs to be continually reviewed to ensure it remains fit for purpose and that it meets the requirements of the information security policy. To do this, the risk assessment needs to be reviewed.
Clause 4.2.3 – d of ISO27001 requires the organisation to ‘review risk assessments at planned intervals and [to] review the residual risks and identified acceptable levels of risks’, taking into account changes to the organisation and its business objectives, the risk environment (i.e. threats, vulnerabilities and likelihoods), the emergence of new technology and changing usage of existing systems, and changes to regulatory and compliance requirements.
There are two types of review: a review that takes place in response to a specific change of circumstances, such as a proposal to introduce a new technology, provide a new service or respond to a regulatory change; and a review that takes place on a regular basis and which considers the overall effectiveness of the controls that are currently in place. This regular review should take place at least annually in smaller businesses, but in larger organisations should probably be done on a rolling monthly schedule which ensures that the entire risk assessment is reviewed across the twelve-month period.
Reviews should be part of the overall management review of the ISMS and should look at the aggregated outputs of the incident reporting procedure as well as from the various processes put in place to measure[59] the effectiveness of controls (as required by clause 4.2.3 – c).
The standard describes as ‘continuous improvement’ the reviewing of the ISMS and risk assessment to make sure that it continues to manage information security risks satisfactorily. The real benefit, though, of such a continuous improvement process is in the improved economy and effectiveness of the controls that address the identified risks (the latter being used to improve the return on information security investment, and hence, economy again).
The actual process of reviewing the risk assessment can be as straightforward as you wish. At the basic level, it would involve:
• formalising any changes to the organisation’s risk management framework and risk acceptance criteria;
• identifying any changes to the information assets of the business which hadn’t already been recorded for risk assessment purposes;
• identifying any previously unrecorded changes to the business, regulatory and contractual contexts;
• identifying any previously unrecorded changes to the risk environment (i.e. new or changed threats, vulnerabilities, likelihoods or impacts);
• identifying any resultant changes required to the risk treatment and control decisions;
• identifying any resultant changes to residual risk calculations and, if there is an increase in residual risk, obtaining formal approval for it; and
• ensuring that the process is fully documented.