This clause requires the organisation to plan a course of action to address the risks and opportunities arising from clause 4.1 (context of the organisation) and clause 4.2 (needs and expectations of interested parties), so that the ISMS:
- can achieve its intended outcomes;
- prevents or reduces undesirable events; and
- continually improves.
The organisation must plan actions to address these risks and opportunities, integrate those actions into the ISMS processes, and evaluate their effectiveness over time.
6.1.2 Information security risk assessment
Risk assessment is done by determining threats and vulnerabilities in the organisation and assigning a level of impact to each risk. The organisation must define a process for assessing information security risk and apply it in a way that establishes criteria for the assessment. These criteria broadly include the overall risk acceptance criteria and the criteria for performing the specific information security risk assessments. Risk assessment is the most complex as well as the most important part of the standard, as it provides the foundation for the organisation's information security policy. The process must be conducted at planned intervals so that repeated assessments produce consistent, valid and comparable results.
Once the process is approved by management, it shall be applied to identify threats and associated vulnerabilities that can lead to loss of confidentiality, integrity or availability of the information that needs to be secured within the scope of the ISMS. The organisation must identify risk owners for these risks. Risk owners are the individuals or functions appointed by management to manage a particular risk; they have an interest in managing that risk and the authority to act on it.
Analysis of the identified risks is the next step in the assessment. This analysis attempts to determine the potential consequences of the identified risks if they materialise; for example, a risk could affect the financial position or the reputation of the company. The assessment can be quantitative and/or qualitative depending on the type of risk. The organisation must also assess the realistic likelihood of each risk occurring (its probability). For example, a data leak can occur regularly, whereas a natural calamity has a low probability of happening.
These risks must be scaled into levels according to their probability and impact, and ranked according to the level of risk the organisation has determined from the organisational impact.
After the identification and analysis of the different risks, the results must be compared with the criteria defined earlier by the organisation. The organisation then prioritises these risks for treatment depending on the level assigned to each risk and the urgency of treatment. There may be several high-rated risks, and the organisation must decide the order in which they are treated.
The organisation must retain documented information about the information security risk assessment process and every step it has taken during that process.
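The analysis, scaling, comparison and prioritisation steps above are easier to see in a minimal risk register. The following is an added example, not part of the original text or of the ISO standard; the ordinal scales, the acceptance threshold, the level bands and the sample entries are all assumptions constructed for illustration, and an organisation would define its own under clause 6.1.2.

```python
"""Constructed risk register illustrating the ISO 27001 clause 6.1.2 steps:
analyse likelihood and impact, scale the result into a level, compare it
with the acceptance criteria, and rank the risks for treatment.
All scales, thresholds and sample risks are assumptions for this example."""
from dataclasses import dataclass

# Assumed ordinal scales (1 = lowest, 5 = highest).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "frequent": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Assumed risk acceptance criterion: a score of 6 or less needs no treatment.
ACCEPTANCE_THRESHOLD = 6


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    owner: str          # person or function accountable for the risk
    likelihood: str     # key into LIKELIHOOD
    impact: str         # key into IMPACT

    @property
    def score(self) -> int:
        """Likelihood x impact on the assumed scales."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    @property
    def level(self) -> str:
        """Scale the raw score into the bands the organisation ranks by."""
        if self.score >= 15:
            return "high"
        if self.score >= 7:
            return "medium"
        return "low"

    @property
    def acceptable(self) -> bool:
        """Compare the analysed risk with the acceptance criterion."""
        return self.score <= ACCEPTANCE_THRESHOLD


def validate(register):
    """Reject entries that are incomplete under the standard: every risk
    needs a named owner and values that sit on the defined scales."""
    for r in register:
        if not r.owner.strip():
            raise ValueError(f"risk on {r.asset!r} has no risk owner")
        if r.likelihood not in LIKELIHOOD or r.impact not in IMPACT:
            raise ValueError(f"risk on {r.asset!r} uses a value outside the scales")


def prioritise(register):
    """Rank risks for treatment: highest score first, ties broken by impact
    so the more damaging risk is treated first."""
    validate(register)
    return sorted(register, key=lambda r: (r.score, IMPACT[r.impact]), reverse=True)


def treatment_queue(register):
    """Only risks above the acceptance criterion go forward to clause 6.1.3."""
    return [r for r in prioritise(register) if not r.acceptable]


# Constructed sample register (not real data).
SAMPLE_REGISTER = [
    Risk("customer database", "credential theft", "no MFA on remote access",
         "Head of IT", "likely", "major"),
    Risk("payroll spreadsheet", "email sent to wrong recipient", "no DLP check",
         "HR Manager", "possible", "moderate"),
    Risk("office building", "earthquake", "single site, no DR plan",
         "Facilities Manager", "rare", "severe"),
    Risk("public website", "defacement", "unpatched CMS",
         "Marketing Lead", "likely", "minor"),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_REGISTER):
        action = "accept" if r.acceptable else "treat"
        print(f"{r.score:>2} {r.level:<6} {action:<6} {r.asset} ({r.owner})")
```

Running the script prints the register in treatment order; the earthquake entry scores 5 and falls under the assumed acceptance threshold, so it is recorded but not queued, while the three risks above the threshold are handed to the treatment step in priority order. Keeping the scales and threshold as named constants is what makes repeated assessments comparable, which is the point of fixing the criteria before the assessment starts.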
6.1.3 Information security risk treatment
Risk treatment follows the assessment: having determined the threats and vulnerabilities, the organisation selects the best possible treatment for each identified risk so that resources are allocated where they are most effective. For each risk in the assessment report, a treatment option must be chosen that deals with that risk individually at an affordable cost.
The selected treatment options are then implemented through controls, ideally including at least the relevant controls provided in Annex A of the standard. The organisation must determine which controls are necessary to implement the chosen treatment options; it may design its own controls or adopt them from any other source as the treatment requires.
The third step is to compare the controls determined for the treatment with the controls listed in Annex A of the standard. Annex A provides a comprehensive list of controls, but in general not all of them need to be implemented, only those required by the treatment. This comparison verifies that no necessary control has been overlooked or omitted. The Annex A controls are not exhaustive; any control or control objective required by the treatment can be added.
The next step is to produce a Statement of Applicability. The Statement of Applicability must list all the controls, whether implemented or not, with a justification for each inclusion or exclusion. The controls in the Statement of Applicability rely mainly on Annex A, but any custom control implemented as part of the treatment must also be included.
With the information gathered from the above steps, the organisation must formulate the most suitable information security risk treatment plan. A well-formulated plan increases the chances that the treatment succeeds. The plan must be approved by the risk owners, together with their acceptance of the residual information security risks.