ISO 27001 is intended to help organizations distinguish the right approach to take when handling risks.
You can’t use defenses to every threat you face, because that would be unrealistic and prohibitively expensive, so you need to learn when mitigation is the right strategy and when other risks can be administered with a better way.
The Standard outlines four options for addressing risks. We describe each of them in this blog and the conditions under which they might be relevant.
'Modifying’ is the technical term that ISO 27001 uses to suggest applying a control that adjusts the level of the risk.
It gets this name because the organization is performing a measure that makes the risk less damaging or less likely to occur.
Controls can be technologies, processes, or policies. You can use multiple controls to the same risk, but remember that each control you execute will take time, cost money, and will need to be reviewed regularly to make sure it’s working as planned.
Modifying the risk is therefore likely to be the most difficult option, but it also allows you to continue your day-to-day operations in a relatively stable way.
Avoid the Risk
As the name suggests, evading the risk means preventing any activity that creates it. This response will be suitable if the threat is simply too big to handle with security control, or you don’t have the means to apply it.
Cybersecurity is always about balancing responsibility and convenience, and there will always be hard choices.
Share the Risk
A problem shared is a problem halved, as the saying goes, and this is slightly true when it comes to cyber threats. Several organizations use third parties to help them create processes that can’t be avoided but that the organization can’t tackle on its own.
All organizations must constantly test their systems for vulnerabilities that could be used by hackers, but this task can’t be made by just anyone. It requires penetration training expertise, so organizations will need to appoint someone to do the work.
The second way you can share risk is by purchasing cyber insurance. This won’t mitigate the possibility of a breach, but it will lessen the damage.
Retain the Risk
Organizations can decide that preventative measures are more costly or inaccessible than if the risk came to pass. As such, they will take no action to address it.
This will typically be the case when the threat will cause almost damage or it is so unlikely to occur that it’s not worth your time preparing for.
The types of risks that can be held will vary depending on the organization because what’s deemed a minor threat to one business may be more important to another.