Managing risks
Specific requirements for an ISO 27001 risk assessment include:
- Establishing criteria for evaluating information security risks,
- Identifying risks for all information assets within the scope of the ISMS,
- Assigning ownership for each risk,
- Creating a repeatable, consistent risk assessment process.
Therefore, companies must accurately identify and prioritize their risks to implement appropriate protective measures.
Risk Overview
On the risk overview page, you can see the following sections:
- Categories: For a better overview, risks are grouped by the context in which they occur.
- Risk matrix: The risk matrix has two dimensions, Likelihood and Impact; each risk is placed in the cell given by its two ratings.
- Overview: A list of the risks you have added, with key information for each.
Detail View
General
- Title: The name of the risk.
- Description: A more detailed explanation of the risk.
- Risk category: The context in which the risk occurs.
- Owner: The person responsible for managing the risk in your company. This should be someone operationally close to the context of the risk, who can assess and treat it accurately.
Risk Description
- Threats: What is the danger to your company?
- Vulnerabilities: Where are the weak points in your company that could be exploited?
- Damages: What are the possible consequences if these vulnerabilities are exploited?
CIA Assessment
Indicate which pillars of the CIA triad (one or more) are affected by this risk.
- Confidentiality
- Integrity
- Availability
Risk Assessment
- Likelihood: On a scale from 1 (Rare) to 4 (Likely), how likely is it that the risk materializes?
- Impact: On a scale from 1 (Insignificant) to 4 (Catastrophic), how severe would the consequences be if it did?
- Risk Score = Likelihood x Impact, so a value between 1 and 16. The two ratings also determine the risk's cell in the risk matrix.
Risk Treatment
- Acceptance: Does the company accept the risk, yes or no? If yes, the next two fields (Treatment Mechanism and Controls) do not apply to this risk.
- Treatment Mechanism: Is the risk to be avoided, mitigated, or transferred (for example, to an insurer)?
- Controls: If the risk is to be mitigated, which controls implement this mitigation? You can choose from the controls you have set up on the controls page.
- Treatment Description: Describe concretely how the treatment is implemented in your company.
Residual Risk
- Rated on the same scales as the Risk Assessment, but after the planned treatment: re-estimate Likelihood and Impact taking into account how much the treatment lowers each, and the residual score is again their product. Since treatment can only lower the ratings, the residual score should never exceed the inherent one.
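The scoring rules from Risk Assessment, Risk Treatment and Residual Risk are small enough to model in a few lines, which makes it easy to check a risk register for the inconsistencies a reviewer looks for (an accepted risk that still carries controls, a mitigation with no linked controls, a residual score above the inherent one) and to place the risks in the 4x4 matrix. The following Python is an added example written for this page; it is not Kertos code. The score bands (1-3 low, 4-8 medium, 9-16 high), the rule that an accepted risk keeps its inherent rating, and the sample register are assumptions constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Both axes use the page's 1..4 scale: Likelihood 1 (Rare) .. 4 (Likely),
# Impact 1 (Insignificant) .. 4 (Catastrophic).
SCALE = (1, 2, 3, 4)
TREATMENTS = ("avoid", "mitigate", "transfer")


def band(score: int) -> str:
    """Assumed bands over the 1..16 product range: 1-3 low, 4-8 medium, 9-16 high."""
    if score <= 3:
        return "low"
    if score <= 8:
        return "medium"
    return "high"


@dataclass
class Risk:
    title: str
    likelihood: int
    impact: int
    accepted: bool = False
    treatment: Optional[str] = None          # one of TREATMENTS; None if accepted
    controls: list[str] = field(default_factory=list)
    residual_likelihood: Optional[int] = None  # None: treatment does not move this axis
    residual_impact: Optional[int] = None

    def __post_init__(self) -> None:
        for name in ("likelihood", "impact", "residual_likelihood", "residual_impact"):
            value = getattr(self, name)
            if value is not None and value not in SCALE:
                raise ValueError(f"{self.title}: {name} must be in 1..4, got {value!r}")
        if self.treatment is not None and self.treatment not in TREATMENTS:
            raise ValueError(f"{self.title}: unknown treatment {self.treatment!r}")

    def position(self, residual: bool = False) -> tuple[int, int]:
        """(likelihood, impact) cell in the matrix, inherent or after treatment.
        An accepted risk is carried at its inherent rating (assumption)."""
        if not residual or self.accepted:
            return self.likelihood, self.impact
        lik = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        imp = self.impact if self.residual_impact is None else self.residual_impact
        return lik, imp

    @property
    def score(self) -> int:
        lik, imp = self.position()
        return lik * imp                     # Risk Score = Likelihood x Impact

    @property
    def residual_score(self) -> int:
        lik, imp = self.position(residual=True)
        return lik * imp


def validate(risk: Risk) -> list[str]:
    """Consistency checks mirroring the treatment rules on this page."""
    problems = []
    if risk.accepted:
        if risk.treatment is not None or risk.controls:
            problems.append("accepted risk still carries a treatment or controls")
    else:
        if risk.treatment is None:
            problems.append("risk is neither accepted nor treated")
        if risk.treatment == "mitigate" and not risk.controls:
            problems.append("mitigation without linked controls")
        if risk.residual_score > risk.score:
            problems.append("residual score exceeds inherent score")
    return problems


def matrix(risks: list[Risk], residual: bool = False) -> list[list[int]]:
    """Risk count per cell; grid[impact - 1][likelihood - 1]."""
    grid = [[0] * len(SCALE) for _ in SCALE]
    for risk in risks:
        lik, imp = risk.position(residual)
        grid[imp - 1][lik - 1] += 1
    return grid


def render(grid: list[list[int]]) -> str:
    """Text view of the matrix, impact on the vertical axis with 4 at the top."""
    lines = [f"impact {imp} | " + " ".join(f"{grid[imp - 1][lik - 1]:2d}" for lik in SCALE)
             for imp in reversed(SCALE)]
    lines.append(" " * 11 + " ".join(f"L{lik}" for lik in SCALE))
    return "\n".join(lines)


# Constructed sample register; not data from the page or from any real ISMS.
REGISTER = [
    Risk("Ransomware on the file server", likelihood=3, impact=4, treatment="mitigate",
         controls=["Endpoint malware protection", "Offline backups"],
         residual_likelihood=2, residual_impact=3),
    Risk("Flooding of the server room", likelihood=1, impact=3, treatment="transfer",
         residual_impact=2),                 # insurance absorbs part of the damage
    Risk("Office printer outage", likelihood=2, impact=1, accepted=True),
    Risk("Phishing of finance staff", likelihood=3, impact=3, treatment="mitigate",
         residual_likelihood=4),             # deliberately inconsistent entry
]

if __name__ == "__main__":
    for risk in REGISTER:
        print(f"{risk.title}: {risk.score} ({band(risk.score)}) -> "
              f"{risk.residual_score} ({band(risk.residual_score)}); {validate(risk) or 'ok'}")
    print("\nInherent\n" + render(matrix(REGISTER)) + "\n\nResidual\n" + render(matrix(REGISTER, True)))
```

Running the script lists each risk with its inherent and residual score and band, reports the two problems in the phishing entry, and prints both matrices; comparing the inherent and residual grids shows how treatment moves risks toward the low-likelihood, low-impact corner.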
Notes
Any additional information you want to record for this risk.
Documenting Risks
Our platform supports organizations by offering predefined risk categories, such as "Environmental" or "Operational", which make it easier to organize and manage risks. Kertos also provides a visual representation of risks in a two-dimensional matrix, which structures the essential information in the form needed to assess compliance with standards such as ISO 27001.
In the Risk tab, you have two options for adding your risks:
- Via the catalogue, where you can find risks that are already pre-filled,
- or manually via “Add Risk”.
Via the catalogue
1. Select the category you want to add risks for.
2. Select the desired risks individually or select all of them by ticking the box at the top of the list.
3. Go back to the risk overview.
4. In the overview, click on the risk you want to manage.
5. Fill out the details as described in the detail view and don’t forget to click “Save” at the end.
Manually
1. On the overview page, click “Add Risk” in the top right corner.
2. You will be taken to the detail view of the new, empty risk.
3. Fill out the details as described in the detail view and don’t forget to click “Save” at the end.
FAQs
What do I need to do in the ‘Risks’ section?
In this section, you document all relevant risks in the overview, assess them individually and connect them to the appropriate controls. The risk catalogue can help you determine which risks you need to cover.
How do I know which risks apply to my company?
You can use our risk catalogue as a first indication of what might be relevant to your company, or ask KAI if you are unsure whether a risk applies to you. It is also recommended to derive your risks from your assets, provided you have a comprehensive overview of them.
How many risks do I need?
The number of risks you need to document depends on the scope of your ISMS and on your company's assets.
Should I assess risks from today's perspective, or from the perspective before I implemented controls?
When assessing risks for compliance with frameworks like ISO 27001, you should consider the current state of your organization, including any controls that are already in place. This gives a more accurate picture of your current security posture and lets you assess the effectiveness of the controls you have already implemented. The Residual Risk fields then capture the additional effect of the treatment you plan for the risk.
How do I know which and how many controls I need to mitigate the risk?
If you open a risk that you want to mitigate in Kertos, scroll down to “Applied Controls” and click “Link Controls”. Kertos automatically suggests controls, which you can select and apply to the risk you are looking at with a single click. All control suggestions have been reviewed by experts.