Example of ISO 27001:2022 ISMS Risk Assessment Procedure

Process Flow

The following diagram shows the process flow for risk assessment as part of the overall ISMS framework.

1. Risk Assessment Definitions

For a given information asset, risk is defined as the probability of a threat materializing through the exploitation of a vulnerability, resulting in an undesired impact. In other words, the assessment of risk includes the following key elements:

  1. An Asset (1)
  2. Applicable Threat category (2)
  3. Threat & Impact (3)
  4. Threat & Vulnerability (4)
  5. Threat & Probability (5)
  6. Overall Risk (to an asset against a specific threat)

This is illustrated in Table 1.

For the process of risk assessment the following table is used:

| Asset Group (I) | Threat Categories (II) | Impact (III) | Vulnerability (IV) | Probability (V) | Risk (VI) |
|---|---|---|---|---|---|
| Examples: Personnel, paper, Business Applications (Source: Asset Master) | (Breach of) Confidentiality (Intentional or Accidental); (Breach of) Integrity (Intentional or Accidental); (Breach of) Availability (Intentional or Accidental) | 1 – Low, 2 – Medium, 3 – High, 4 – Very High | 1 – Low, 2 – Medium, 3 – High, 4 – Very High | 1 – Low, 2 – Medium, 3 – High, 4 – Very High | 1 – 64 |

Table 1: Risk Assessment Formula

| Term | Explanation |
|---|---|
| Asset Groups | This includes all forms of assets, including personnel, paper, software, hardware, internal service providers and external service providers. |
| Threat | Any disaster event due to loss of confidentiality, integrity and/or availability (CIA) (not exhaustive). |
| Impact | Measured on a 4-point scale (4 – Very High, 3 – High, 2 – Medium, 1 – Low), the impact value represents the scale of business impact to the organization in the event of a security compromise. |
| Vulnerability | Measured on a 4-point scale (4 – Very High, 3 – High, 2 – Medium, 1 – Low), the vulnerability value represents the state of control for a given asset. Management takes action on all vulnerability values greater than or equal to 2. |
| Probability | Measured on a 4-point scale (4 – Very High, 3 – High, 2 – Medium, 1 – Low), the probability value represents the likelihood of a threat being realized in the near future (the next year). For all probabilities greater than or equal to 3, management defines a continuity plan. |
| Risk Value | Measured on a 64-point scale (>12 – High, 8–12 – Medium, <8 – Low), the risk value represents the state of risk for a given asset. |

Table 2: Risk Assessment Terminology explained

1.1 (Information) Asset Groups

An asset is defined as any business asset that has information content. Examples of assets (not exhaustive) are listed below:

  • Personnel
  • Paper
  • Business applications hosting information
  • IT infrastructure items supporting information
  • Office Infrastructure supporting Operation
  • Office Infrastructure supporting Security operations
  • Documents – electronic and Paper
  • Services
  • External Service providers

Each department head creates and maintains their asset masters.

1.2 Risk Assessment Formula

Risk Assessment for each asset is carried out using the following formula.

Risk = Threat X Business Impact or loss of “Value” X Vulnerability X Probability. Each component of the risk assessment also undergoes a qualitative valuation based on the judgment of the risk analyst.

Listed below is an explanation of each of these terms.

1.2.1 Threat X (Business) Impact (valuation)

Each asset undergoes three major classifications of threat analysis: confidentiality, integrity and availability. The risk analyst determines which of these threats applies to the asset. Each threat so chosen also undergoes a business impact valuation (“valuation”) on a range of 1 (one) to 4 (four) based on the following guidelines. The risk analyst considers the worst-case scenario for valuation purposes:

Information Valuation/Rating

| Information | Confidentiality Rating |
|---|---|
| New Business & Project opportunities | 4 |
| Company Risk Register | 4 |
| Joint Operations Agreement – JOA | 3 |
| Production Sharing Contracts – PSC | 3 |
| Sales Purchase Agreement | 3 |
| G & G data including Seismic data | 3 |
| Skills & Competency matrix of people (competitive advantage) | 3 |
| Oil & Gas Reserve data numbers (competitive advantage) | 3 |
| Oil & Gas sales report | 2 |
| Employee compensations & employee personal information (privacy of information) | 4 |
| Reservoir Data (e.g. Eclipse) | 3 |

Table 3: Confidentiality Rating

Availability Rating

| Availability Requirement | Assets / Services | Availability Rating | Note |
|---|---|---|---|
| < 4 hours | IT infrastructure and communication services and supporting utilities (air-conditioning, power etc.); Active Directory servers; SharePoint; firewall and VPN services; all data & voice supporting network devices; cloud services – Microsoft Office 365 suite, Email | 4 = Very High (Essential Infrastructure Services) | XXX is more connectivity driven, as they need to remain in contact with their area & regional offices to fulfill all their requirements. |
| < 8 hours | Oracle E-Business Suite | 3 = High | Access to and availability of data stored on the server-mapped G: drive is paramount to XXX business operations, in addition to the specific business applications they connect to. |
| > 8 hours and within 1 day (24 hours) | Shared drive; LiveQuest; Petrel, G & G, Petrel RE; REP 5; Pansystem; Rose; Questor; Geoframe | 2 = Medium (Delayed Start Service) | |
| All other information that does not fall in the above categories | | 1 = Low | |

Table 4: Availability Rating

Integrity Rating

| Information | Integrity Rating |
|---|---|
| Inaccuracy in content accessible to employees concerning health & safety | 4 |
| Inaccuracy results in financial loss to the company or its employees, or affects legal/regulatory reporting obligations | 4 |
| Inaccuracy in content accessible to the public | 3 |
| Inaccuracy in content accessible to employees but not financial/health/safety in nature | 3 |
| No available category | 2 & 1 |

Table 5: Integrity Rating

The asset ‘impact’ rating is performed based on enterprise context.

1.3 Threat X Vulnerability

Vulnerability is, by definition, an inherent weakness through which a threat can be exploited. Vulnerability is the base factor and covers the absence (or existence) of controls or countermeasures. Vulnerability is rated on the following 4-point scale:

| Vulnerability Value | Purport | Guideline |
|---|---|---|
| 4 | Very High Vulnerability | Rate 4 where there is more than one vulnerability and, in the opinion of the analyst, the vulnerability is easy to exploit. |
| 3 | High Vulnerability | Rate 3 where there is more than one vulnerability. |
| 2 | Medium Vulnerability | Rate 2 where there is at least one vulnerability. |
| 1 | Low Vulnerability | Rate 1 where there are no identified vulnerabilities. |

Typical assessments made (not exhaustive) concern the presence of preventive, detective, maintenance and/or monitoring controls that prevent the threat from materializing. The risk owner and the risk analyst jointly agree on the valuation of the asset.

1.4 Threat X Probability

Probability is the likelihood of a threat materializing for the given asset. The asset owner and the risk analyst jointly agree on the valuation of the asset. Probability is rated on the following 4-point scale:

| Probability Value | Purport | Guideline |
|---|---|---|
| 4 | Very High Probability | Rate 4 when there have been more than two incidents in the last year. |
| 3 | High Probability | Rate 3 when there have been two incidents in the past year. |
| 2 | Medium Probability | Rate 2 when there has been one incident in the past year. |
| 1 | Low Probability | Rate 1 when there has been no incident in the past, nor is one likely in the future. |

For a given asset the risk is therefore calculated by a measure of threat, business impact, vulnerability and probability.

1.5 Justification

Each element of the risk assessment, i.e. impact, vulnerability and probability, is provided with a justification of its valuation or a reference to the Very High, High, Medium and Low rating definitions.

2. Risk Assessment Process

The process of risk assessment for a given asset consists of three stages as explained below:

  • Asset Definition

The asset owner (typically the HOD) creates and maintains an Asset master. The Asset master provides for capturing all forms of information asset (paper, people, documents, hardware, business applications and external service providers).

  • CIA Impact Valuation

Each asset owner conducts an impact valuation of the loss of Confidentiality, Integrity and Availability (CIA) for a given asset. While doing so, he/she consults the CIA reference tables to assess whether the asset matches the CIA criteria.

  • Risk Valuation

Assets with an impact value of 4 for C, I and/or A, i.e. where the impact of a security violation is Very High, must be assessed for the other risk factors, namely vulnerability and probability.

Risks that cannot be treated are considered ‘Residual Risks’ and are subject to approval by the risk owner.

2.2 Risk Assessment Worksheets

  • All assets which have an impact value of 4 are rated for their vulnerability and probability in a centralized record called the XXX-ISMS-RA record.
  • A risk revaluation is done for those assets where a decision has been identified as closed.

3. Risk Treatment Process

  1. The risk treatment process has the following parameters: all weakness areas are reported in a centralized vulnerability dashboard. ISMS QA/MR discusses each area of weakness and reports it to the applicable departments for closure.
  2. ISMS QA/MR discusses the vulnerability or the associated risk with the risk owner.
  3. Decisions to close an identified vulnerability are taken by the Head of Department. When the decision on implementation cannot be made by the department, it is moved up the chain of command to senior management for a final decision.
  4. Implementation of each decision so made is ensured through the allocation of responsibilities, which in turn is coordinated with the Heads of Department or the applicable enforcer.
  5. Areas where senior management or the head of department does not take a decision, or where full implementation takes a certain period of time, are considered residual risk. The senior management decision is recorded in the Gap dashboard as closed, work in progress (WIP) or residual risk (RR).
  6. An annual plan of future initiatives is made available, demonstrating senior management’s commitment to the effective implementation of the existing security framework.
  7. Risk values are reassessed for those assets where decisions have been taken to reduce their risk. This is an ongoing activity and ISMS QA/MR keeps track of all such risk areas.

4. Risk Acceptance Criteria & Residual Risk Management

All risk values are rated on the 64-point scale. Every attempt is made to reduce the value of risk to the extent possible. However, the following rules apply:

The risk acceptance criterion is a vulnerability value of 1. When an asset’s vulnerability value is more than 1, the asset has a vulnerability. A vulnerability value of 1 reflects no known vulnerability and therefore becomes the benchmark for risk acceptance.

  • All vulnerabilities equal to 2 and above are presented to management for reduction. Management includes department heads and top management, depending on the area of the risk.
  • All risk values equal to or greater than 12 are presented to management.
  • Upon the introduction of controls, there may be risks whose values do not come down below 12 and therefore remain on the higher side. Such values are part of the residual risk.
  • Risks are classified as High if the value of the risk is >=12, Medium if the value is >=8 and <12, and Low if <8. Except for personnel assets, the objective for all remaining assets is to bring the vulnerability value down to <=2. For personnel, a High risk is acceptable, as it may be an operational requirement.
  • Residual risks are reflected against each asset group where risk assessment is performed.
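The following Python is an added worked example, not part of the original procedure document. It implements the scoring rules from the Risk Assessment Formula section (4-point impact, vulnerability and probability ratings multiplied onto the 1–64 scale), the mandatory vulnerability/probability assessment for impact-4 assets from the Risk Assessment Process, and the management triggers and acceptance rules from Table 2 and section 4 (vulnerability >= 2 to management, probability >= 3 needs a continuity plan, risk >= 12 to management, vulnerability 1 as the acceptance benchmark, the personnel exception). The function names, the ThreatRisk class and the SAMPLE_REGISTER rows are constructed for illustration. One caveat the page leaves open: Table 2 puts the High band at >12 while section 4 uses >=12; a product of exactly 12 is reachable (e.g. 3 × 2 × 2), so the example follows section 4 and says so in a comment.

```python
"""Worked scoring example for the ISMS risk assessment procedure above.

Added example, not part of the original procedure document. It implements the
4-point ratings, Risk = Impact x Vulnerability x Probability on the 64-point
scale, and the management triggers and acceptance rules the procedure states.
The function names, the ThreatRisk class and SAMPLE_REGISTER are constructed
for illustration only.
"""
from dataclasses import dataclass, field
from typing import Optional

RATING = {1: "Low", 2: "Medium", 3: "High", 4: "Very High"}
# Section 4 classifies a risk of exactly 12 as High (>=12); Table 2 says >12.
# This example follows section 4. Set HIGH_RISK = 13 to follow Table 2 instead.
HIGH_RISK = 12
MEDIUM_RISK = 8      # Medium is >=8 and <12, Low is <8


def risk_value(impact: int, vulnerability: int, probability: int) -> int:
    """Risk = Impact x Vulnerability x Probability, each 1-4, giving 1..64."""
    for name, v in (("impact", impact), ("vulnerability", vulnerability),
                    ("probability", probability)):
        if v not in RATING:
            raise ValueError(f"{name} must be 1-4, got {v!r}")
    return impact * vulnerability * probability


def risk_band(value: int) -> str:
    """Map a 1..64 risk value to the High / Medium / Low bands of section 4."""
    if value >= HIGH_RISK:
        return "High"
    if value >= MEDIUM_RISK:
        return "Medium"
    return "Low"


@dataclass
class ThreatRisk:
    """One asset scored against one CIA threat category."""
    asset: str
    asset_group: str
    threat: str                      # Confidentiality / Integrity / Availability
    impact: int
    vulnerability: Optional[int]
    probability: Optional[int]
    risk: Optional[int] = None
    band: Optional[str] = None
    flags: list = field(default_factory=list)


def assess(asset: str, asset_group: str, threat: str, impact: int,
           vulnerability: Optional[int] = None,
           probability: Optional[int] = None) -> ThreatRisk:
    """Score one asset/threat pair and attach the procedure's action triggers."""
    if impact not in RATING:
        raise ValueError(f"impact must be 1-4, got {impact!r}")
    r = ThreatRisk(asset, asset_group, threat, impact, vulnerability, probability)
    if vulnerability is None or probability is None:
        # Risk Valuation stage: an impact of 4 makes the vulnerability and
        # probability assessment mandatory; below 4 it may be left open.
        r.flags.append("MANDATORY_VP_ASSESSMENT_MISSING" if impact == 4
                       else "VP_NOT_ASSESSED")
        return r
    r.risk = risk_value(impact, vulnerability, probability)
    r.band = risk_band(r.risk)
    if vulnerability >= 2:               # Table 2 / section 4: management acts
        r.flags.append("PRESENT_TO_MANAGEMENT_FOR_REDUCTION")
    if probability >= 3:                 # Table 2: continuity plan defined
        r.flags.append("CONTINUITY_PLAN_REQUIRED")
    if r.risk >= HIGH_RISK:              # section 4: risk >= 12 to management
        r.flags.append("PRESENT_RISK_TO_MANAGEMENT")
    if vulnerability == 1:               # section 4: acceptance benchmark
        r.flags.append("MEETS_ACCEPTANCE_CRITERIA")
    elif r.band == "High" and asset_group == "Personnel":
        r.flags.append("HIGH_RISK_ACCEPTABLE_PERSONNEL")  # section 4 exception
    return r


def assess_register(register) -> list:
    """Rows: (asset, asset_group, threat, impact, vulnerability, probability)."""
    return [assess(*row) for row in register]


# Constructed sample rows; not taken from any real XXX-ISMS-RA record.
SAMPLE_REGISTER = [
    ("Company Risk Register", "Paper", "Confidentiality", 4, 3, 2),             # 24 High
    ("Oracle E-Business Suite", "Business application", "Availability", 3, 2, 2),  # 12 High
    ("Data network devices", "IT infrastructure", "Availability", 2, 2, 3),     # 12 High
    ("Oil & Gas sales report", "Paper", "Confidentiality", 2, 1, 1),            # 2 Low
    ("Field operations staff", "Personnel", "Availability", 3, 4, 1),           # 12 High
    ("G & G data", "Business application", "Confidentiality", 4, None, None),   # incomplete
    ("Canteen menu", "Paper", "Integrity", 1, None, None),                      # optional
]

if __name__ == "__main__":
    for r in assess_register(SAMPLE_REGISTER):
        print(f"{r.asset:26} {r.threat:16} I={r.impact} V={r.vulnerability} "
              f"P={r.probability} risk={r.risk} band={r.band} {' '.join(r.flags)}")
```

Running the module prints one line per asset/threat pair with its product, band and the triggers that the procedure attaches to it. The flags are what a reviewer would carry into the Gap dashboard: an impact-4 asset with no vulnerability or probability rating is reported as incomplete rather than silently scored, and a vulnerability of 1 is the only state that meets the acceptance criterion.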

5. Risk Communication

Risks where the vulnerability value is 1 are communicated to the risk owners. The risk owner is required to own and accept the residual risk.

6. Supporting Worksheets/reports

  1. XXX – Department-wise ISMS Compliance sheet
  2. XXX-ISMS-Risk Assessment record (also includes revised RA values)
  3. Latest Statement of Applicability – reflects references to existing controls
  4. Management review records, including residual risk and future plan of action
