Risk Management (IT Security)
A systematic process for identifying, assessing, and addressing information security risks. ISO 27001 and NIS2 require a risk-based approach: risks are assessed based on their likelihood of occurrence and impact, and are mitigated through measures to bring them down to an acceptable level.
IT security risk management is the structured approach to managing information security risks. Rather than prescribing a fixed list of measures, ISO 27001 asks: "Which specific risks does our organization face, and how do we address them?"
The Risk Management Cycle (ISO 27001)
```text
┌─────────────────────────────────────────────────────┐
│                   RISK ASSESSMENT                   │
│                                                     │
│   Define context            Identify assets         │
│        ↓                               ↓            │
│   Identify threats          Identify vulnerabilities│
│        ↓                               ↓            │
│        └───────── Assess risks ────────┘            │
│                        ↓                            │
│                  Risk acceptable?                   │
└─────────────────────────────────────────────────────┘
                         ↓ (if the risk is unacceptable)
┌─────────────────────────────────────────────────────┐
│                   RISK TREATMENT                    │
│                                                     │
│   Avoid   │   Reduce   │   Transfer   │   Accept    │
└─────────────────────────────────────────────────────┘
                         ↓
┌─────────────────────────────────────────────────────┐
│          MONITORING & REVIEW (continuous)           │
└─────────────────────────────────────────────────────┘
```
Step 1: Identify and Classify Assets
Asset Types
Primary Assets (directly valuable):
- Data: Customer data, financial data, IP, employee data
- Processes: Order processing, HR processes
- People: Key employees, administrators
Supporting Assets (enable primary assets):
- IT systems: Servers, workstations, network devices
- Software: ERP, CRM, databases
- Infrastructure: Data center, power supply
Classification (CIA Triad)
Confidentiality: "What happens if this information becomes public?" → Public / Internal / Confidential / Strictly Confidential
Integrity: "What happens if this data is altered?" → Low / Medium / High / Critical
Availability: "What happens if this system is down for 1 hour / 1 day?"
- RTO: Recovery Time Objective (how quickly the system must be back in operation)
- RPO: Recovery Point Objective (how much data loss, measured as a time span, is tolerable)
Step 2: Assess Risks
Qualitative Method (5×5 Matrix)
Risk = Probability of Occurrence × Severity of Impact
Probability:
| Value | Level | Frequency |
|---|---|---|
| 1 | Very unlikely | < 1% per year |
| 2 | Unlikely | 1–5% per year |
| 3 | Possible | 5–20% per year |
| 4 | Likely | 20–50% per year |
| 5 | Very likely | > 50% per year |
Impact:
| Value | Level | Significance |
|---|---|---|
| 1 | Negligible | No noticeable consequences |
| 2 | Minor | Minor damage, resolvable internally |
| 3 | Significant | Noticeable impairment, external effort required |
| 4 | Severe | Significant damage, reputational damage |
| 5 | Catastrophic | Threatens existence, risks insolvency |
Risk Level:
| Score | Level | Action |
|---|---|---|
| 1-4 | Low | Accept or address cost-effectively |
| 5-9 | Medium | Address according to plan |
| 10-16 | High | Immediate action required |
| 17-25 | Critical | Immediate escalation, emergency measures |
Example: Risk Assessment (Excerpt)
P = probability of occurrence (1–5), I = severity of impact (1–5), Risk = P × I.
| ID | Scenario | P | I | Risk | Response |
|---|---|---|---|---|---|
| R01 | Ransomware on file server | 4 | 5 | 20 | Critical → Backup + EDR |
| R02 | Phishing → CEO fraud | 4 | 3 | 12 | High → Awareness + DMARC |
| R03 | Insider data theft | 2 | 4 | 8 | Medium → DLP + PAM |
| R04 | DDoS on web shop | 3 | 3 | 9 | Medium → CDN + Scrubbing |
| R05 | Physical data center breach | 1 | 5 | 5 | Low → Access control |
| R06 | Software vendor compromise | 2 | 5 | 10 | High → Vendor assessment |
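The scoring scheme above, as an added example that is not part of the original page: it scores the register excerpt with the 5×5 matrix, maps scores to the Risk Level bands, and re-scores a risk after a "Reduce" treatment. The register rows are copied from the table; the residual values for R01 are assumed for illustration.

```python
# Added example, not from the original page: scoring with the 5x5 matrix above.

# Risk level bands from the "Risk Level" table: (highest score in band, level)
LEVEL_BANDS = [(4, "Low"), (9, "Medium"), (16, "High"), (25, "Critical")]

def risk_score(probability: int, impact: int) -> int:
    """Risk = Probability of Occurrence x Severity of Impact, each rated 1..5."""
    for name, value in (("probability", probability), ("impact", impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be 1..5, got {value}")
    return probability * impact

def risk_level(score: int) -> str:
    """Map a score to Low/Medium/High/Critical via the band upper bounds."""
    for max_score, level in LEVEL_BANDS:
        if score <= max_score:
            return level
    raise ValueError(f"score {score} is outside the 1..25 matrix")

def assess(register):
    """Score each (id, scenario, probability, impact) row, highest risk first."""
    rows = []
    for rid, _scenario, probability, impact in register:
        score = risk_score(probability, impact)
        rows.append((rid, score, risk_level(score)))
    return sorted(rows, key=lambda row: -row[1])

def residual(probability, impact, new_probability=None, new_impact=None):
    """Re-score after a 'Reduce' treatment (e.g. EDR lowers probability, backups lower impact)."""
    p = probability if new_probability is None else new_probability
    i = impact if new_impact is None else new_impact
    score = risk_score(p, i)
    return score, risk_level(score)

# Register excerpt copied from the example table on this page
REGISTER = [
    ("R01", "Ransomware on file server", 4, 5),
    ("R02", "Phishing -> CEO fraud", 4, 3),
    ("R03", "Insider data theft", 2, 4),
    ("R04", "DDoS on web shop", 3, 3),
    ("R05", "Physical data center breach", 1, 5),
    ("R06", "Software vendor compromise", 2, 5),
]

if __name__ == "__main__":
    for rid, score, level in assess(REGISTER):
        print(f"{rid}: {score:2d} {level}")
    # Assumed treatment of R01: EDR (probability 4 -> 2), tested backups (impact 5 -> 3)
    print("R01 residual:", residual(4, 5, new_probability=2, new_impact=3))
```

Note that the code follows the Risk Level table literally, so R05 with a score of 5 lands in the Medium band rather than the Low shown in the excerpt; a register should use one band definition consistently.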
Step 3: Risk Treatment Options
1. Avoid (risk avoidance): the activity or process that causes the risk is discontinued. Example: a cloud service hosted in a non-EU country → do not use it.
2. Reduce (risk reduction/mitigation): measures lower the probability or the impact. Examples: MFA → reduces the probability that phishing succeeds; backups → reduce the impact of ransomware.
3. Transfer (risk transfer): the risk is passed to a third party. Examples: cyber insurance (transfers part of the impact); outsourcing (partially transfers the risk). Note: responsibility remains with the company (GDPR!).
4. Accept (risk acceptance): a conscious decision that the risk is tolerable. Example: an outdated system with a CVSS 4.2 finding in an isolated network. Prerequisite: documented, and management informed.
Statement of Applicability and Risk Treatment
ISO 27001 clause 6.1.3 links the risk assessment with the controls. For each of the 93 controls in Annex A, the following is documented (two examples):
Control A.8.5 Secure Authentication:
- Reference: Risk R02 (Phishing → Credential Compromise)
- Applicable: Yes
- Justification: We use MS365 with remote access → MFA is critical
- Implemented: Yes (2024-11)
- Evidence: MFA policy, Azure AD Conditional Access configuration

Control A.7.2 Physical Entry Controls:
- Reference: Risk R05 (physical intrusion)
- Applicable: Yes (office with server room)
- Implemented: Partially (access secured, but no logging)
- Action: Implement logging by 2026-06
Risk Acceptance and Risk Appetite
Define Risk Acceptance Threshold
Sample company policy:
> "Risks with a score > 12 are not accepted. All risks > 12 must be reduced to ≤ 12 through mitigation measures."
Requirements for Accepted Risks
Accepted risks must:
- Be documented (date, justification)
- Be approved by management (CEO signature)
- Be reviewed regularly (at least annually)
- Be accepted only temporarily (with a target date for resolution)
Sample Form:
| Field | Content |
|---|---|
| Risk ID | R15 |
| Description | Legacy system XY without patch support |
| Risk Score | 15 (HIGH) |
| Accepted until | 2027-01 (replacement planned) |
| Reason | Cost of replacement > potential damage during transition period |
| Mitigation | Network segmentation, increased monitoring |
| Approved by | Max Muster, CEO (Date) |
Continuous Risk Management
When must the risk assessment be revised?
Event-driven:
- New technologies or services introduced
- Organizational changes (acquisition, restructuring)
- Security incident occurred
- New regulatory requirements (NIS2, GDPR amendment)
- New threat landscapes (new malware families, APT reports)
- Results of the internal audit
Regularly (at least):
- Annual review of all risks (ISO 27001 requirement)
- Quarterly: check whether new threats need to be incorporated
- Management Review: Executive Board receives annual risk overview
KPIs for Risk Management
- Number of open critical risks
- % of risks addressed according to plan
- Average resolution time
- Number of accepted risks > risk appetite (exceptions)
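The KPIs above and the acceptance rules from the "Risk Acceptance and Risk Appetite" section, as an added example that is not part of the original page. The register rows, dates, and status values are constructed; the appetite threshold of 12 and the Critical band from 17 are taken from the page.

```python
# Added example, not from the original page: KPIs over a constructed risk register.
from datetime import date

RISK_APPETITE = 12   # sample policy on this page: scores > 12 are not accepted
CRITICAL_FROM = 17   # lower bound of the "Critical" band in the Risk Level table

# Constructed rows (ISO dates as strings). status: open / treated / accepted.
REGISTER = [
    {"id": "R01", "score": 20, "status": "open", "due": "2026-03-31",
     "opened": "2026-01-10", "closed": None},
    {"id": "R02", "score": 12, "status": "treated", "due": "2026-02-28",
     "opened": "2026-01-10", "closed": "2026-02-20"},
    {"id": "R03", "score": 8, "status": "treated", "due": "2026-01-31",
     "opened": "2025-12-01", "closed": "2026-02-10"},
    {"id": "R15", "score": 15, "status": "accepted",
     "accepted_until": "2027-01-31", "approved_by": "CEO"},
    {"id": "R16", "score": 6, "status": "accepted",
     "accepted_until": "2025-12-31", "approved_by": None},
]
iso = date.fromisoformat

def open_critical(register):
    """KPI: IDs of open risks in the Critical band."""
    return [r["id"] for r in register
            if r["status"] == "open" and r["score"] >= CRITICAL_FROM]

def percent_on_plan(register):
    """KPI: share of treated risks closed on or before their planned due date."""
    treated = [r for r in register if r["status"] == "treated"]
    on_time = sum(1 for r in treated if iso(r["closed"]) <= iso(r["due"]))
    return round(100.0 * on_time / len(treated), 1) if treated else 0.0

def avg_resolution_days(register):
    """KPI: mean number of days from opening to closing a treated risk."""
    days = [(iso(r["closed"]) - iso(r["opened"])).days
            for r in register if r["status"] == "treated"]
    return sum(days) / len(days) if days else 0.0

def acceptance_exceptions(register, today):
    """KPI: accepted risks that break the acceptance rules (today as ISO date)."""
    findings = []
    for r in (x for x in register if x["status"] == "accepted"):
        if r["score"] > RISK_APPETITE:
            findings.append((r["id"], "exceeds risk appetite"))
        if not r.get("approved_by"):
            findings.append((r["id"], "no management approval"))
        if iso(r["accepted_until"]) < iso(today):
            findings.append((r["id"], "acceptance expired, review overdue"))
    return findings
```

Running `acceptance_exceptions(REGISTER, "2026-03-01")` flags R15 for exceeding the appetite and R16 for missing approval and an expired acceptance date, which is exactly the exception list the last KPI asks for.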