How to Select the Right Control for a Risk According to ISO 27001

Written by Sally Wood
Updated over 11 months ago

ISO 27001 is an international standard that outlines the requirements for an Information Security Management System (ISMS), aiming to preserve the confidentiality, integrity, and availability of information by applying a risk management process. One of the crucial steps in this process is selecting the appropriate controls to mitigate identified risks. This article provides a detailed guide on how to select the right control for a risk according to ISO 27001.

Understanding Controls in ISO 27001

ISO 27001 categorises controls into 14 families in Annex A, covering various aspects of information security. These controls are designed to address specific risks, and their selection is based on the outcome of the risk assessment process. The right control should effectively reduce the risk to an acceptable level while being cost-effective and aligning with organisational objectives and security requirements. For more information, read: What are 'Controls' According to ISO 27001?

Steps to Select the Right Control

Step 1: Conduct a Comprehensive Risk Assessment

Before you can select a control, you need to understand the risk landscape:

  • Identify assets: Know what needs protection, including data, systems, and services.

  • Identify threats and vulnerabilities: Determine the weaknesses of these assets and what could exploit them.

  • Assess risks: Evaluate the potential consequences and likelihood of these threats materialising.

Step 2: Define Risk Criteria

Set clear criteria for accepting risks, which will help in deciding whether a control is needed and the extent of control required. These criteria should consider:

  • Legal and regulatory requirements

  • Business objectives and strategies

  • Organisational context and culture

Step 3: Review Available ISO 27001 Controls

Refer to ISO 27001 Annex A for a list of the recommended controls. Or, simply use de.iterate's inbuilt Risk Register. Every time you add a risk, you will be prompted to add a corresponding control, derived directly from ISO 27001. Understand the purpose and functionality of each control in the 14 families. Each family addresses different security aspects, such as access control, operations security, cryptography, and more.

Step 4: Match Controls to Risks

For each identified risk, evaluate which controls could mitigate the risk effectively. Consider:

  • Effectiveness: How well will the control reduce the impact or likelihood of the risk?

  • Efficiency: Will the control provide the desired level of security without excessive resource utilisation?

  • Relevance: Does the control address the specific vulnerabilities or threats identified in the risk assessment?

Step 5: Evaluate Control Options

Often, multiple controls can mitigate a risk. Evaluate these options based on:

  • Cost-benefit analysis: Assess the cost of implementing each control against the potential benefit in reducing the risk.

  • Operational impact: Consider how the control will affect day-to-day operations.

  • Compatibility: Ensure the control aligns with existing processes and technologies.

Step 6: Select Controls

Choose controls that provide the most effective risk mitigation for the least resource expenditure. The selected controls should also support compliance with applicable laws and regulations.

Step 7: Document the Control Selection

Document the rationale for each control selection in de.iterate's Risk Register. This documentation should include:

Step 8: Implement and Monitor the Controls

Implement the selected controls as part of the ISMS. Regularly monitor the effectiveness of these controls in reducing or managing the risks. Adjustments should be made as necessary based on feedback and continuous risk assessment.

Example of Control Selection

Suppose a risk assessment identifies data interception as a high risk for an organisation's online transactions. Potential controls from ISO 27001 might include:

  • Encryption (A.10 Cryptography)

  • Secure communication protocols (A.13 Communications Security)

  • User access controls (A.9 Access Control)

A cost-benefit analysis might show that implementing HTTPS with strong encryption provides the most effective mitigation with minimal impact on user experience, making it the selected control.