Building a Resilient ISMS: Risk Management and Security Objectives in ISO/IEC 27001:2022

Effective risk management is the foundation of a strong Information Security Management System (ISMS). ISO/IEC 27001:2022 provides a structured approach to identifying, analyzing, and mitigating risks while establishing measurable security objectives. By implementing these best practices, organizations can strengthen their security posture, enhance regulatory compliance, and ensure business continuity.

Definitions Related to Risk

Level of Risk

Magnitude of a risk, expressed in terms of the combination of consequences and their likelihood.

Likelihood

Chance of something happening.

Risk

Effect of uncertainty on objectives.

Note: The effect can be either positive or negative.

Risk Identification

Process of finding, recognizing, and describing risks.

Note 1: Risk identification involves identifying risk sources, events, their causes, and potential consequences.

Note 2: It can draw on historical data, theoretical analysis, informed and expert opinions, and stakeholders’ needs.

Risk Analysis

Process to comprehend the nature of risk and determine the level of risk.

Risk Evaluation

Process of comparing the results of risk analysis with the risk criteria to determine whether the risk and/or its magnitude are acceptable or tolerable.

Note: This assists in the decision about risk treatment.

Risk Treatment

Process to modify risk.

Note 1: Risk treatment can involve one or more of the following options:

  1. Avoiding the risk by deciding not to start or continue the activity that gives rise to the risk.
  2. Taking or increasing the risk in order to pursue an opportunity.
  3. Removing the risk source.
  4. Changing the likelihood.
  5. Changing the consequences.
  6. Sharing the risk with another party (including through contracts and risk financing).
  7. Retaining the risk by informed choice.

Note 2: Risk treatments that deal with negative consequences are referred to as “risk mitigation,” “risk elimination,” “risk prevention,” or “risk reduction.”

Note 3: Risk treatment can create new risks or modify existing risks.

Residual Risk

The risk remaining after risk treatment.

Risk Acceptance

Decision to accept a risk (e.g., the risk is within the acceptance criteria, or top management accepts it even though it is above the criteria).

Risk Management Process

Risk Management = Risk Assessment (Risk Analysis + Risk Evaluation) + Risk Treatment + Risk Monitoring + Risk Review

Annex SL - 6.2: Information Security Objectives and Planning

The organization shall establish Information Security objectives at relevant functions and levels. The objectives shall:

  • Be consistent with the INFORMATION SECURITY policy.
  • Be measurable (if practicable).
  • Take into account applicable requirements.
  • Be monitored.
  • Be communicated.
  • Be updated as appropriate.

The organization shall retain documented information on the Information Security objectives.

When planning how to achieve its INFORMATION SECURITY objectives, the organization shall determine:

  • What will be done.
  • What resources will be required.
  • Who will be responsible.
  • When it will be completed.
  • How the results will be evaluated.

ISO/IEC 27001:2022 - 6.2: Information Security Objectives and Planning

The organization shall establish information security objectives at relevant functions and levels.

These objectives shall:

  1. Be consistent with the information security policy.
  2. Be measurable (if practicable).
  3. Take into account applicable information security requirements and results from risk assessment and treatment.
  4. Be communicated.
  5. Be updated as appropriate.

The organization shall retain documented information on information security objectives.

When planning how to achieve its information security objectives, the organization shall determine:

  • What will be done.
  • What resources will be required.
  • Who will be responsible.
  • When it will be completed.
  • How the results will be evaluated.

Annex A: Control Objectives and Controls

Annex A is the starting point for control objectives and controls; it contains 35 control objectives and 114 controls. Controls are selected according to the threats and vulnerabilities identified in the risk assessment.

  • It is not necessary to select every control in Annex A under each control objective category.
  • Approval should be obtained from the risk owners for the selected controls.
  • Review the list of selected controls and the justification for each (a justification such as “based on risk assessment” is sufficient).
  • Ensure that the risk register and the Statement of Applicability (SOA) reflect the selected controls.

Examples of justifications for excluding a control:

  • No outsourced software development.
  • No encrypted data.
  • No e-commerce transactions.

SOA (Statement of Applicability):

  • SOA lists all 114 controls and indicates which have been selected or excluded, with justifications.
  • It should not be prepared before the risk register is ready.
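The definitions above (level of risk as the combination of likelihood and consequence, evaluation against risk criteria, residual risk after treatment) and the requirement that the risk register and the SOA reflect the same controls can be checked mechanically. The following Python script is an added example and is not part of the original post or of any PopularCert material: it scores a small constructed risk register on a 5x5 likelihood/consequence scale, evaluates residual risk against a constructed acceptance threshold, and reports where the register and the SOA disagree. The scales, the threshold of 8, the control IDs (CTRL-01 and so on) and the risk entries are all assumptions constructed for the example; a real ISMS defines its own criteria and uses the Annex A control identifiers.

```python
"""Risk register scoring and Statement of Applicability (SOA) consistency check.

Added example; scales, threshold, control IDs and risk entries are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed 5x5 scales. A real programme defines its own risk criteria.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ACCEPTANCE_THRESHOLD = 8  # constructed risk criteria: a level of 8 or below is acceptable


@dataclass
class Risk:
    risk_id: str
    description: str
    likelihood: str
    consequence: str
    treatment: str                                # "avoid", "modify", "share" or "retain"
    controls: list = field(default_factory=list)  # control IDs applied by the treatment
    residual_likelihood: Optional[str] = None     # None means treatment leaves it unchanged
    residual_consequence: Optional[str] = None
    accepted_by: Optional[str] = None             # who accepted a residual risk above criteria


def level_of_risk(likelihood: str, consequence: str) -> int:
    """Level of risk: the combination (here the product) of likelihood and consequence."""
    return LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]


def inherent_level(risk: Risk) -> int:
    """Level of risk before any treatment is applied."""
    return level_of_risk(risk.likelihood, risk.consequence)


def residual_level(risk: Risk) -> int:
    """Residual risk: the level that remains after treatment."""
    return level_of_risk(risk.residual_likelihood or risk.likelihood,
                         risk.residual_consequence or risk.consequence)


def evaluate(risk: Risk) -> str:
    """Risk evaluation: compare the residual level with the acceptance criteria."""
    if residual_level(risk) <= ACCEPTANCE_THRESHOLD:
        return "acceptable"
    return "accepted by management" if risk.accepted_by else "unacceptable"


def check_consistency(register: list, soa: dict) -> list:
    """Findings where the register and the SOA disagree, or where a residual risk
    above the criteria has no recorded acceptance decision."""
    findings = []
    referenced = set()
    for r in register:
        for c in r.controls:
            referenced.add(c)
            if c not in soa:
                findings.append(f"{r.risk_id}: control {c} is not listed in the SOA")
            elif not soa[c]["applicable"]:
                findings.append(f"{r.risk_id}: control {c} is marked not applicable in the SOA")
        if evaluate(r) == "unacceptable":
            findings.append(f"{r.risk_id}: residual level {residual_level(r)} exceeds the "
                            f"criteria and no acceptance is recorded")
    for cid, entry in soa.items():
        if entry["applicable"] and cid not in referenced:
            findings.append(f"SOA: {cid} is applicable but no risk in the register references it")
        if not entry["applicable"] and not entry.get("justification"):
            findings.append(f"SOA: {cid} is excluded without a justification")
    return findings


# Constructed sample register and SOA (control IDs are placeholders, not Annex A numbers).
REGISTER = [
    Risk("R1", "Unpatched internet-facing server", "likely", "major", "modify",
         controls=["CTRL-01"], residual_likelihood="unlikely", residual_consequence="moderate"),
    Risk("R2", "Key supplier outage", "possible", "severe", "retain",
         residual_likelihood="possible", residual_consequence="major", accepted_by="CISO"),
    Risk("R3", "Backup media lost in transit", "possible", "major", "modify",
         controls=["CTRL-99"], residual_likelihood="rare"),
]
SOA = {
    "CTRL-01": {"applicable": True, "justification": "based on risk assessment (R1)"},
    "CTRL-02": {"applicable": True, "justification": "based on risk assessment"},
    "CTRL-03": {"applicable": False, "justification": "no outsourced software development"},
    "CTRL-04": {"applicable": False, "justification": ""},
}

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.risk_id}: inherent={inherent_level(r)} residual={residual_level(r)} "
              f"treatment={r.treatment} evaluation={evaluate(r)}")
    for finding in check_consistency(REGISTER, SOA):
        print("FINDING:", finding)
```

On the sample data, R1 drops from an inherent level of 16 to a residual level of 6 and is acceptable; R2 stays at 12 above the threshold but carries a recorded acceptance; R3 references a control missing from the SOA, CTRL-02 is applicable yet justified by no risk, and CTRL-04 is excluded without a justification, which are exactly the gaps the audit questions in this post are meant to surface.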

Key Audit Instruments

  • Documented Information to Review: Risk Assessment Document, Risk Treatment Plan, Metrics Document, Responsibility Matrix, SOA.
  • Audit Questions:
    1. What are your measurement criteria for incident response?
    2. How are resource requirements calculated for achieving the security objective?

Note: Auditors should understand risks relevant to the organization, the likelihood of security events, and methods to avoid, mitigate, or eliminate risks. They should also focus on identifying opportunities.

Conclusion

Managing risk effectively is critical to achieving organizational goals, ensuring compliance, and maintaining continuous improvement. By following standardized processes such as risk identification, analysis, evaluation, and treatment, organizations can make informed decisions to mitigate threats and capitalize on opportunities. Proper planning and adherence to information security objectives, along with the implementation of Annex A controls, play a vital role in ensuring a robust and resilient management system.

At PopularCert, we are dedicated to helping organizations enhance their risk management processes and achieve ISO certification. Our experienced consultants are ready to guide you through every step of compliance and continuous improvement.

FAQ

What is the difference between risk assessment and risk treatment?

Risk assessment involves identifying, analyzing, and evaluating risks, while risk treatment focuses on modifying risks through mitigation, avoidance, transfer, or acceptance strategies.

Why should security objectives be documented?

Documenting security objectives ensures alignment with the organization’s security policy, provides measurable goals, and enables continuous monitoring and improvement of the ISMS.

How does ISO/IEC 27001:2022 support risk management?

It provides a structured framework for risk management, helping organizations mitigate threats, ensure compliance, and enhance resilience.
