As somebody in charge of information security for your business or organisation, the first rule of ISO/IEC 27001 compliance is simply to get familiar with what it’s all about.
It doesn’t matter whether you’re the CEO, the owner, the CTO or the Information Security Officer: you should start by obtaining a copy of the ISO/IEC 27002 code of practice and reading it through. As you read, you will realise it is a risk management standard: it is essentially an overview of best practice for ensuring the integrity, confidentiality and availability of your business data.
Start off with a round of discussions with your employees and co-workers at all levels and perform information security profiling within your organisation.
Discuss and define the scale of desired implementation
In the beginning it is important to define the scope of your ISMS (Information Security Management System); whether it is one layer of your company, a department, floor or even a particular process.
Know what you’re up against with a Risk Assessment
Decide your risk assessment approach beforehand: you might wish to have a look at ISO/IEC 27005, a subsection of the 2700x standard series that is specifically focused on risk assessment.
Get to know your Information Assets
Carefully define your assets (both tangible and intangible) in the scope of your ISMS. Your assets range from people to buildings and everything else in between – including electronic data.
What risk do your assets face?
Carry out risk assessment exercises on a variety of assets within your ISMS. These assessments involve identifying the relevant threats to each asset, the impact of each threat, and the probability of a particular threat becoming a reality.
Implement a Risk Management Strategy
A ‘Risk’ can be defined as the interrelationship between an ‘Asset’ and a ‘Threat’. Select controls from ISO/IEC 27001 that address the identified risks. Guidelines on the implementation of these controls are in ISO/IEC 27002. You may also need to define your own specific controls.
Assess and action the results of your Risk Assessment, as demanded by standard ISO/IEC 27001
The most important report you will see is the SOA report, or Statement of Applicability, which sets out the necessary security risk information.
Teach your employees awareness
Build up a focused information security training course to continually build and evolve employees’ awareness of information security in every department of your company.
Business Continuity planning: be prepared!
Risk Assessment is just the first of three stages needed to fully implement ISO/IEC 27001. The other two are ‘Business Continuity Planning’ and the ‘Development of an Organisational Manual’ covering procedures, processes and policies.
This advice is provided by Svana Helen Bjornsdottir, ISO/IEC 27001 Lead Auditor and CEO of Stiki Information Security.
For more information visit www.riskmanagementstudio.com