The Best ISO 27001 Risk Assessment Approach
Information security management took a big step in 2005 with the introduction of ISO/IEC 27001. The standard provided organizations with best practices to protect vital data, both internally and entrusted to their vendors. ISO 27001 underwent a major revision in 2013, strengthening the guidelines while providing companies with more flexibility to achieve compliance.
For organizations that are certified or are working toward aligning with the standard, a sound ISO 27001 risk assessment is essential to guaranteeing vendors are on the same page. A good approach to screening your key IT suppliers will drive your vendor risk management decisions and, ultimately, will help protect your company’s data, reputation and bottom line.
The Update in a Nutshell
ISO 27001:2013 simplified its process model, updated its security controls and allowed for easier adaptability to other ISO management standards. Aside from these revisions, three key aspects of the new standard are important for ISO 27001 risk assessment considerations:
- Risk ownership: Replacing the term “asset owner,” risk ownership emphasizes a greater level of responsibility in addressing and mitigating risks. The change gives companies more flexibility to use whatever processes work best for them while calling for added leadership to achieve risk goals.
- Interested parties: This is another terminology change: “interested parties” replaces “stakeholders” and brings with it added vendor risk requirements. Companies must now identify all interested parties, including vendors, and ensure they are addressing potential security risks.
- Outsourcing: ISO 27001:2013 includes a section devoted to outsourcing, giving companies additional guidance in managing key IT vendors.
Furthermore, the revision places an increased emphasis on planning. As a result, an ISO 27001 risk assessment isn’t a negative undertaking to saddle vendors with, but rather an important tool to identify and mitigate risk.
Assessing with ISO 27001 in Mind
Even before the 2013 update, an effective ISO 27001 risk assessment gave companies a powerful approach to keeping IT secure. However, a screening is only as effective as the questions it contains. An automated vendor risk management solution can provide assessments specifically geared to ISO 27001 and give you the answers you need to better determine your course of action.
Taking a Risk-Based Approach
It’s advisable to take a risk-based approach that depends on the level or category of risk a vendor relationship presents to you. While it may be appropriate to require a high-risk vendor to complete a full ISO 27001 assessment that addresses every control, this may not be appropriate for a low- or medium-risk vendor. For those vendors, a customized questionnaire that addresses key controls but reduces the total questionnaire size may be the best approach. Using this risk-based approach will save you and your vendors time and resources.
Cooperation Is Essential
One final approach you should take with an ISO 27001 risk assessment is working with your vendors to achieve compliance. The vendor risk management process doesn’t end once you receive a completed screening; good communication, follow-up calls and emails, and cooperation are essential even with IT suppliers that present low-risk profiles.
How do you approach an ISO 27001 risk assessment?