
How to Determine the Inherent Likelihood of a Risk

Written by Sally Wood
Updated over 11 months ago

In the context of ISO 27001, assessing the inherent likelihood of a risk involves estimating the probability of a risk occurring, considering the current controls and vulnerabilities within the organisation.

Using a scale of Low, Medium, High, and Extreme helps categorise risks according to their probability of occurrence, which is crucial for effective risk prioritisation and treatment planning.

Steps to Determine Inherent Likelihood

1. Define the Probability Categories

The first step is to define what each probability category—Low, Medium, High, and Extreme—represents in terms of likelihood. This categorisation can be based on factors such as historical data, industry benchmarks, and expert judgment. Definitions might look like this:

  • Low: The risk is unlikely to occur within the next year.

  • Medium: The risk could occur once in the next year.

  • High: The risk is likely to occur multiple times in the next year.

  • Extreme: The risk is almost certain to occur in the near future.

2. Identify Relevant Factors Influencing Likelihood

Evaluate each identified risk to determine the factors that influence its likelihood. Consider aspects such as:

  • Environmental factors: Changes in the regulatory or economic landscape.

  • Organisational factors: Current organisational processes and security controls.

  • Technological factors: Existing technological infrastructure and its vulnerabilities.

3. Assess Each Factor

For each risk, assess how likely it is to occur by examining the relevant influencing factors:

  • Are there frequent occurrences of similar events within the industry?

  • How adequate are the existing controls in mitigating this risk?

  • What is the level of exposure to potential threats?

For example, if a risk of phishing attacks has historically materialised several times per year despite the existing controls, the likelihood might be rated as High.

4. Aggregate the Assessments

If multiple factors influence the likelihood of a single risk, determine the overall category by considering the most dominant factor. The reason is that the most significant factor typically dictates the probability of the risk occurring.

5. Document the Ratings

Record the likelihood ratings for each risk in your Risk Register in de.iterate. You might want to include notes that clearly explain the reasoning behind each likelihood rating, based on the assessment of influencing factors.

6. Review and Update Regularly

The factors influencing the likelihood of risks can change due to new technological deployments, organisational changes, or external events. It’s important to regularly review and update the likelihood assessments as part of your ongoing risk management cycle.

Example of Using the Scale

Here’s an example of how the likelihood of a risk might be assessed:

  • Risk: System outage due to outdated hardware.

  • Relevant Factors:

    • Technological: The hardware is outdated and has known reliability issues.

    • Organisational: There is no current budget allocated for hardware updates.

  • Assessment:

    • The technological factor suggests a High likelihood due to frequent past issues.

    • Organisational constraints increase the likelihood to Extreme, as no immediate remediation is planned.

  • Overall Likelihood Rating: Extreme, reflecting the critical need for addressing the risk due to both technological vulnerabilities and organisational limitations.
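The six steps above and this worked example can be captured in a small register helper. The following Python is an added example, not code from this article or from de.iterate; it encodes the ordered scale, applies the step 4 rule (the dominant factor sets the overall category, modelled here as the highest rating among the factors), stores the reasoning beside each rating as step 5 suggests, and flags entries that have not been reviewed within an assumed 365-day cycle (step 6). The function names, the review interval and the sample register entries are all constructed for illustration; the organisational constraint from the example is modelled as its own Extreme-rated factor so that the dominant-factor rule yields Extreme.

```python
"""Added example (not the article's or de.iterate's code): a minimal likelihood
register helper for the Low / Medium / High / Extreme scale."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Ordered scale from the article; the index doubles as the comparison key.
SCALE = ("Low", "Medium", "High", "Extreme")


@dataclass
class FactorAssessment:
    category: str    # e.g. "Technological", "Organisational", "Environmental"
    likelihood: str  # one of SCALE
    reasoning: str   # why this factor received that rating (kept for the register)


@dataclass
class RiskEntry:
    name: str
    factors: list = field(default_factory=list)
    last_reviewed: date = field(default_factory=date.today)


def validate(likelihood: str) -> str:
    """Reject ratings outside the agreed scale so the register stays consistent."""
    if likelihood not in SCALE:
        raise ValueError(f"unknown likelihood {likelihood!r}; expected one of {SCALE}")
    return likelihood


def dominant_likelihood(factors) -> str:
    """Step 4: the overall category follows the most dominant (highest) factor."""
    if not factors:
        raise ValueError("at least one factor assessment is required")
    return max((validate(f.likelihood) for f in factors), key=SCALE.index)


def rating_record(entry: RiskEntry) -> dict:
    """Step 5: the rating together with the reasoning of the factor(s) that drove it."""
    overall = dominant_likelihood(entry.factors)
    drivers = [f for f in entry.factors if f.likelihood == overall]
    return {
        "risk": entry.name,
        "likelihood": overall,
        "justification": "; ".join(f"{f.category}: {f.reasoning}" for f in drivers),
        "last_reviewed": entry.last_reviewed.isoformat(),
    }


def overdue_for_review(entry: RiskEntry, today: date, max_age_days: int = 365) -> bool:
    """Step 6: flag entries not re-assessed within the (assumed) review cycle."""
    return today - entry.last_reviewed > timedelta(days=max_age_days)


# Constructed sample register mirroring the article's worked example.
SAMPLE_REGISTER = [
    RiskEntry(
        name="System outage due to outdated hardware",
        factors=[
            FactorAssessment("Technological", "High",
                             "hardware is outdated with known reliability issues"),
            FactorAssessment("Organisational", "Extreme",
                             "no budget allocated and no remediation planned"),
        ],
        last_reviewed=date(2023, 1, 15),
    ),
    RiskEntry(
        name="Phishing attack succeeds against staff",
        factors=[
            FactorAssessment("Environmental", "Medium",
                             "industry sees regular campaigns"),
            FactorAssessment("Technological", "High",
                             "several incidents per year despite existing controls"),
        ],
        last_reviewed=date(2024, 6, 1),
    ),
]

if __name__ == "__main__":
    today = date(2024, 9, 1)  # fixed date so the run is reproducible
    for entry in SAMPLE_REGISTER:
        rec = rating_record(entry)
        flag = "  [REVIEW OVERDUE]" if overdue_for_review(entry, today) else ""
        print(f"{rec['risk']}: {rec['likelihood']}{flag}")
        print(f"  justification: {rec['justification']}")
```

Taking the maximum over an ordered tuple is the simplest faithful reading of "the most dominant factor dictates the probability"; if your organisation instead agrees a weighted or averaged rule, that decision belongs in step 1 alongside the category definitions, and `dominant_likelihood` is the one place to change.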
