Information security risk management
Information security risk is treated as a discipline in its own right because the questions it asks are different from those of general business risk. The strategic register asks what could affect the organisation. Information security risk asks which information assets the organisation holds, what threats could compromise their confidentiality, integrity or availability, and which vulnerabilities those threats could exploit. ISO 27001 does not mandate a particular assessment method, but the structured asset, threat and vulnerability (ATV) approach described in ISO 27005 is the one most ISO 27001 assessments use, and its output is what the Statement of Applicability is built on.
The same approach is useful even where ISO 27001 certification is not in scope. Any organisation handling information of value - customer data, financial records, intellectual property, internal communications - benefits from thinking through information security risk in this structured way rather than relying on general risk thinking alone.
Confidentiality, integrity, availability
The three properties of information that information security tries to protect are usually summarised as the CIA triad:
- Confidentiality - information is accessible only to those authorised to see it
- Integrity - information is accurate, complete and has not been altered without authorisation
- Availability - information is accessible when authorised users need it
An incident can affect any combination of these. A ransomware attack typically affects availability (encrypted files cannot be accessed) and may affect confidentiality (data exfiltration). A staff member entering wrong figures affects integrity. A phishing attack that exposes login credentials affects confidentiality and may set up a future attack on integrity or availability.
Each consequence column in the information security register considers all three. A risk that affects only one property has a different profile from one that affects all three, and the controls that address each are usually different.
The asset, threat and vulnerability approach
The structured ATV approach has three steps that work together.
Step one - identify information assets. What information does the organisation hold that has value? Customer personal data, financial records, employee information, intellectual property, supplier contracts, source code, configuration data, system logs, backup data, business continuity plans. The assets include the information itself, the systems that hold it, and the people who handle it. Some organisations build a formal asset inventory; others maintain a more focused register of significant information assets. Either works provided the assets relevant to the organisation are captured.
Step two - identify threats. What could happen to compromise each asset? External threats include malware, phishing, hacking, denial of service, supply chain attacks, social engineering, theft of devices. Internal threats include accidental disclosure, error, malicious insider action, weak processes. Environmental threats include fire, flood, power loss, hardware failure. Threats are not specific to assets - the same threats apply to multiple assets - but the relevance and impact differ.
Step three - identify vulnerabilities. What weaknesses in current controls would allow each threat to materialise? Unpatched software, weak passwords, unencrypted devices, lack of access controls, insufficient training, poor backup processes, single points of failure, missing monitoring. Vulnerabilities are specific to the organisation's current state and are the most actionable part of the analysis - they translate directly into controls that can be added or strengthened.
The combination tells the story: this asset is at risk from this threat because of this vulnerability. The risk rating reflects the likelihood of the threat materialising given the vulnerability, and the consequence reflects the impact on the asset's confidentiality, integrity or availability.
Threat intelligence
Effective information security risk management depends on knowing which threats are active in the wider environment. A risk register based on threats from five years ago does not reflect today's exposure. Threat intelligence is the discipline of staying informed about current and emerging threats so the register stays relevant.
Practical sources of threat intelligence include:
- National cyber security agencies - in the UK the National Cyber Security Centre (NCSC) publishes threat reports, sector advisories and incident summaries
- Industry-specific information sharing groups - many sectors have formal or informal forums where members share threat information
- Vendor security advisories - the makers of software, hardware and services the organisation uses publish vulnerability information that is directly relevant
- News of incidents at peer organisations - patterns in industry incidents often signal threats the organisation should consider
- Internal incident logs - the organisation's own incident history is the most directly relevant intelligence available
Threat intelligence does not need to be elaborate. A defined source list, a regular review cycle (monthly is common), and a route into the risk register for new threats that emerge is sufficient for most organisations. Larger organisations or those in particularly exposed sectors may have a dedicated threat intelligence function.
Scoring information security risk
Information security risk uses the same likelihood and consequence approach as other risks, with the levels framed for the discipline:
Likelihood reflects the probability that the threat will materialise given the current vulnerability state. Threats that are common in the wider environment, against which the organisation has weak controls, score high. Threats that are rare or against which the organisation has strong controls score low.
Consequence reflects the impact on confidentiality, integrity and availability if the threat materialises. The impact is on the information asset, but it cascades to the wider business - regulatory penalties, customer harm, operational disruption, reputational damage, contractual breach.
The 3 by 3 matrix used elsewhere applies here too, with Tolerable, Moderate and Substantial bands. The same residual rating logic applies - controls reduce the rating, and where the residual stays Substantial, further treatment is required.
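As an added illustration of the three ATV steps and the scoring rules above (example code written for this page, not the alphaZ ER15 register or any other tool the page describes): a small Python model of register entries that rates each asset/threat/vulnerability combination on the 3 by 3 matrix, applies controls to derive the residual band, and flags entries whose residual stays Substantial. The band cut-offs (products 1 and 2 Tolerable, 3 and 4 Moderate, 6 and 9 Substantial), the per-control reduction steps, the rule that only controls verified in place earn credit, and the two sample entries are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Three-level scales feeding a 3 by 3 matrix. The product cut-offs that map a
# likelihood x consequence pair to a band are an assumption for this example.
LOW, MEDIUM, HIGH = 1, 2, 3
BANDS = {1: "Tolerable", 2: "Tolerable", 3: "Moderate", 4: "Moderate",
         6: "Substantial", 9: "Substantial"}


def band(likelihood: int, consequence: int) -> str:
    """Return the matrix band for a likelihood/consequence pair (each 1..3)."""
    for value in (likelihood, consequence):
        if value not in (LOW, MEDIUM, HIGH):
            raise ValueError(f"rating must be 1, 2 or 3, got {value}")
    return BANDS[likelihood * consequence]


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0   # steps taken off the likelihood rating
    consequence_reduction: int = 0  # steps taken off the consequence rating
    verified: bool = False          # confirmed in place at the last review


@dataclass
class RiskEntry:
    """One register row: this asset, this threat, this vulnerability."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int                 # given the current vulnerability state
    impact: dict                    # affected properties only, e.g. {"A": 3, "C": 2}
    controls: list = field(default_factory=list)

    @property
    def affected(self) -> str:
        """Which of C, I, A this entry touches, e.g. 'CA'."""
        return "".join(p for p in "CIA" if p in self.impact)

    @property
    def consequence(self) -> int:
        # Rate the entry on its worst-hit property.
        return max(self.impact.values())

    def inherent(self) -> str:
        return band(self.likelihood, self.consequence)

    def residual(self) -> str:
        """Credit only controls verified in place; a planned or untested control earns nothing."""
        live = [c for c in self.controls if c.verified]
        l = self.likelihood - sum(c.likelihood_reduction for c in live)
        c = self.consequence - sum(c.consequence_reduction for c in live)
        return band(max(LOW, l), max(LOW, c))

    def needs_treatment(self) -> bool:
        # A residual that stays Substantial requires further treatment.
        return self.residual() == "Substantial"

    def unverified_controls(self) -> list:
        return [c.name for c in self.controls if not c.verified]


def sample_register() -> list:
    """Constructed sample entries, not data from any real organisation."""
    return [
        RiskEntry(
            asset="Customer personal data on file servers",
            threat="Ransomware",
            vulnerability="Backup restore not tested in two years",
            likelihood=HIGH,
            impact={"A": HIGH, "C": MEDIUM},
            controls=[
                Control("EDR on file servers", likelihood_reduction=1, verified=True),
                Control("Quarterly backup restore test", consequence_reduction=2),
            ],
        ),
        RiskEntry(
            asset="Staff email accounts",
            threat="Phishing",
            vulnerability="Credentials usable without a second factor",
            likelihood=HIGH,
            impact={"C": MEDIUM, "I": LOW},
            controls=[
                Control("MFA on email", likelihood_reduction=1, verified=True),
                Control("Phishing awareness training", likelihood_reduction=1, verified=True),
            ],
        ),
    ]


def review(register: list) -> list:
    """One review pass: inherent and residual band per entry plus what still needs work."""
    return [
        (e.asset, e.threat, e.affected, e.inherent(), e.residual(),
         e.needs_treatment(), e.unverified_controls())
        for e in register
    ]


if __name__ == "__main__":
    for row in review(sample_register()):
        print(row)
```

The first entry is the untested-backup case the page uses later as a good register entry. With only the EDR control verified, it drops from likelihood 3 to 2 but the consequence stays at 3, so the residual is still Substantial and the entry is flagged with the restore test named as the outstanding control. Marking that control verified after a successful restore test takes the residual to Tolerable. The design choice worth keeping from this toy model is that a control earns no credit until it has been verified: a backup process that exists on paper but has not been tested does not reduce the rating.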
Treatment options for information security
The four treatment options - avoid, reduce, transfer, accept - all apply to information security risk, with specific patterns common to the discipline.
Avoid - decide not to handle a particular type of information, not to use a particular system, not to take on a contract requiring data the organisation cannot adequately protect. Avoidance is real and used more in information security than people sometimes realise. Declining to store payment card data and using a third-party processor instead is an avoidance pattern.
Reduce - the most common treatment. Add controls that reduce likelihood or consequence. ISO 27001 Annex A provides a structured set of controls covering organisational, people, physical and technological measures. The Statement of Applicability records which controls are in place and which are not, with justification for either decision.
Transfer - cyber insurance has become more common but coverage is increasingly restricted. Contractual transfer to suppliers (data processors, cloud providers) shifts some operational impact but does not transfer accountability for personal data under data protection law.
Accept - residual risks where further treatment is not cost-effective or technically feasible. Acceptance decisions for information security need senior approval because data protection accountability sits at top management level.
The Statement of Applicability
The Statement of Applicability (SoA) is the document that connects information security risk to specific controls. It lists the controls from ISO 27001 Annex A, records which the organisation applies, and justifies each decision - either why a control is needed (linked to specific risks on the register) or why it is not relevant.
The SoA is one of the documents an external auditor will look at first. It tells them what the organisation has committed to and what it has chosen to leave out, both of which inform the audit. An SoA that includes every control without thought is as much of a red flag as one that excludes too many - the discipline is in the reasoning, not the list.
Annex A in ISO 27001:2022 contains 93 controls grouped under organisational, people, physical and technological themes. The 2022 update reduced and reorganised the controls compared to the 2013 version, which had 114 controls across 14 control clauses; organisations using older SoAs need to update to the 2022 structure.
Connecting to the strategic register
Information security risks live primarily on the dedicated information security register, but their strategic implications belong on the strategic risks register too. A specific operational vulnerability sits on the security register; the wider business risk - regulatory exposure, customer impact, reputational damage - usually warrants a corresponding strategic entry.
The cross-reference works in both directions. Strategic risks identified during management review or context analysis may surface information security exposures that need to be assessed in detail. Information security risks at the operational level may have aggregate strategic significance that the strategic register should reflect.
The two registers do not replicate the same content. They cover the same exposure at different levels of detail and from different perspectives. Keeping them aligned is part of the work of a coherent management system.
Reviewing information security risk
Information security risk changes faster than most other risk categories. New vulnerabilities are disclosed regularly, new threat patterns emerge constantly, and the organisation's own asset base changes as it adopts new systems and retires old ones. The review cycle needs to reflect that pace.
Practical patterns include:
- Continuous capture of new threats and vulnerabilities as they are identified through threat intelligence, vulnerability scanning, audit findings or incidents
- Quarterly or six-monthly formal review of the register as a whole, ratings reassessed, controls verified, closed risks marked
- Annual review at management review under Clause 9.3, with effectiveness of treatment evaluated
- Triggered review after significant incidents, major change in the technology estate, or new types of information being handled
Where the register is owned by a small information security function, the review cycle can run in lockstep with vulnerability management and patch management. The disciplines reinforce each other.
For ISO 27001 audits I look first at the asset register and the Statement of Applicability. Are the assets that matter actually listed? Are the controls in the SoA actually in place? The risk register links the two - this asset is at risk from this threat because of this vulnerability, addressed by this control.
The most common finding is a register that lists generic threats without the asset/vulnerability specifics. Saying ransomware is a risk does not tell me anything useful. Saying that customer data on the file servers is at risk from ransomware because the backup process has not been tested in two years is a real risk entry I can verify.
The big shift for clients new to ISO 27001 is moving from generic risk thinking to the structured asset/threat/vulnerability approach. It feels more rigorous because it is. The benefit is that the controls then map naturally - each control addresses specific vulnerabilities for specific assets, and you can see which controls would lapse if you removed them.
Information security risk management without an asset list is just guessing. List what you have, work out what could happen to it, decide what to do. The structure works because the discipline forces specifics.
Practical Compliance Guidance
IMS1 Section 1.6 covers risk-based thinking and references the dedicated information security register for ISO 27001 work. The information security risk register sits alongside the strategic register; the two work together with cross-references where strategic and operational implications meet.
The alphaZ documents below cover the information security risk discipline end-to-end - the dedicated register, the threat intelligence input, the strategic register where strategic implications surface, and the issues and actions register where treatment work is tracked.
| alphaZ document | How to use it |
|---|---|
| ISO 9001/14001/45001 IMS Toolkit | Integrated toolkit including IMS1 and the strategic register. Suitable where ISO 27001 sits alongside other standards in an integrated management system. |
| ER15 Information Security Risks Register | The dedicated information security register. Includes a threat intelligence sheet for capturing emerging threats and the asset/threat/vulnerability structure with treatment options for each entry. |
| F-IMS23 Opportunities and Risks Register | The strategic register. Information security risks with strategic implications surface here alongside other strategic risks. |
| ER1 Issues and Actions Register | Tracks information security treatment actions through to closure - control implementation, vulnerability remediation, incident follow-up. |
| F-Q3 Management Review | Management review form which evaluates information security risk treatment effectiveness as a required input under Clause 9.3. |
Note - all the above files can be downloaded with an alphaZ subscription.
UK Legislation relevant to information security risk
UK law sets specific information security expectations through data protection legislation, sector-specific rules, and computer misuse offences. Organisations operating internationally face additional requirements - the EU GDPR, US state privacy laws, sector-specific frameworks - which affect what information security risk treatment looks like.
- Data Protection Act 2018
- UK GDPR (retained EU Regulation 2016/679)
- Computer Misuse Act 1990
- Network and Information Systems Regulations 2018
