How long does an ISO 27001 risk assessment take? - Vigilant Software - Compliance Software Blog (2024)

Risk assessments are at the heart of ISO 27001, but they often have a reputation for being time-consuming and difficult.

But how long should the risk assessment process take? The answer depends largely on which tool you use to run it.

Risk assessment tools

Some organisations go for a no- or low-cost approach, using spreadsheets to tackle their ISO 27001 risk assessment.

Although this is, at first glance, the most economical route, it takes the longest. That’s because you have to create a structure that’s appropriate to your organisation and enter all of the information manually.

With this approach, you can expect to spend about one week planning the risk assessment. It will take another day per risk owner or asset owner to enter the relevant information, and a further week to complete the risk assessment.

Finally, you must review the results of the risk assessment, which can take up to four weeks, bringing the total to around 40 days (more if you have many risk or asset owners).

By comparison, those who use the risk assessment tool vsRisk can complete the process in as little as eight days.

Its built-in library of risks and assets speeds up the time it takes to plan and perform the assessment, and it drastically cuts the length of the review process.

Won’t it cost more?

The opposite might actually be true. Depending on the scale of your project, a vsRisk project can cost you as little as £49.95 a month.

If you aren’t using our software but want the same assurance that your risk assessment has been completed in line with ISO 27001’s requirements, you will need to hire an ISO 27001 lead risk assessor, which will cost several thousand pounds.

Even if you don’t hire a professional, the man-hours it would take to complete the process manually make vsRisk an attractive alternative.

To help you make your choice, we’re currently offering a free two-week trial of vsRisk.

You can get to grips with its built-in library of risks and controls, track and manage key threats and generate reports, including the risk treatment plan.

A version of this blog was originally published on 12 March 2019.


FAQs


How long does an ISO 27001 audit take? ›

The certification audit process can take two to three months and is broken down into two stages. During the Stage 1 audit, the auditor reviews the ISMS documentation to make sure policies and procedures are designed properly. They may also make suggestions for how the organisation can improve its ISMS to make it more secure.

How long does a security risk assessment take? ›

The time necessary to complete a security risk assessment can range from several days to several weeks or months. Several factors affect how long it takes, including the scope of the assessment, the size of your organisation and the number of systems involved.

How long does IT take to complete a risk assessment? ›

The average risk assessment is completed in a focused three- to five-day assessment, followed by the delivery of a risk assessment report.

What is the risk assessment standard for ISO 27001? ›

ISO 27001 outlines four possible risk treatment options: treat the risk with security controls that reduce the likelihood it will occur or its impact; avoid the risk by preventing the circumstances in which it could occur; transfer (share) the risk with a third party (for example, by outsourcing security efforts to another company or purchasing insurance); or accept (retain) the risk where it already sits within your risk acceptance criteria.

How long does it take to implement ISO 27001? ›

The timeline for implementing ISO 27001 in an SME can vary depending on several factors, such as the size of the organisation, the scope of the project and the availability of resources. However, with proper planning and execution, organisations can typically implement ISO 27001 in anywhere between 2 and 12 months.

How long does ISO take? ›

ISO certification is a multi-step process that generally takes a minimum of six months to a year from implementation to registration.



How long does security testing take? ›

Generally speaking, four to six weeks is a good estimate for the duration of an entire penetration testing engagement, from planning through final delivery. The actual testing itself typically takes one to two weeks, depending on the size of the environment.


What is ISO 27001 gap assessment? ›

An ISO 27001 gap analysis provides a high-level overview of what needs to be done to achieve certification and enables you to assess and compare your organisation's existing information security arrangements against the requirements of ISO 27001.

What is the ISO 27001 compliance level? ›

While an organisation can choose to implement the ISO 27001 framework without undergoing formal certification, “ISO 27001 compliant” generally refers to an organisation that has been independently audited and certified as meeting all the requirements of the standard. Compliance must then be maintained on a continual basis.

What is the ISO standard for risk assessments? ›

ISO 31000, Risk management – Guidelines, provides principles, a framework and a process for managing risk. It can be used by any organization regardless of its size, activity or sector.


What to expect during an ISO 27001 audit? ›

An ISO 27001 audit involves a competent and objective auditor reviewing the ISMS (or elements of it) and testing that it meets the standard’s requirements and the organisation’s own information security requirements and ISMS objectives, and that its policies, processes and other controls are practical and effective.

How much does an ISO 27001 audit cost? ›

The price will vary based on the certification body you hire, how complex your ISMS is, and other factors. If you expect your audit to be more time-intensive, it will likely also cost more. As a rough guide, expect the price to be in the $14,000 to $16,000 range.


Article information

Author: Rob Wisoky
