Information Security Risk Management for ISO27001/ISO27002

ALAN CALDER
STEVE G WATKINS
Copyright Date: 2010
Published by: IT Governance Publishing
Pages: 187
https://www.jstor.org/stable/j.ctt5hh7jd
    Book Description:

    The requirements for an ISMS are specified in ISO27001. Under ISO27001, a risk assessment has to be carried out before any controls can be selected and implemented, making risk assessment the core competence of information security management. This book provides information security and risk management teams with detailed, practical guidance on how to develop and implement a risk assessment in line with the requirements of ISO27001.

    eISBN: 978-1-84928-044-0
    Subjects: Technology

Table of Contents

  1. Front Matter
    (pp. 2-4)
  2. ABOUT THE AUTHORS
    (pp. 5-6)
  3. Table of Contents
    (pp. 7-9)
  4. INTRODUCTION
    (pp. 10-15)

    In today’s information economy, the development, exploitation and protection of information assets are key to the long-term competitiveness and survival of corporations and entire economies. The protection of information assets – information security – is therefore overtaking physical asset protection as a fundamental corporate governance responsibility. Information security management, defined as ‘the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities’,¹ is becoming a critical corporate discipline, alongside marketing, sales, HR and financial management.

    A key corporate governance objective is to ensure that the organisation...

  5. CHAPTER 1: RISK MANAGEMENT
    (pp. 16-25)

    ‘Risk’, says NIST,¹⁰ is the ‘net negative impact of the exercise of a vulnerability, considering both the probability and the impact of occurrence’.¹¹ ISO27001, the international information security standard, doesn’t define risk, although it does provide definitions for the whole range of risk-related activities. ISO/IEC 27000:2009 Information Security Management Systems – Overview and Vocabulary (ISO27000) defines risk in the same way as does ISO Guide 73:2002,¹² which is that risk is the ‘combination of the probability of an event and its occurrence’.

    The NIST definition of risk is in line with that used in ISO27000, and is the first indicator that...

  6. CHAPTER 2: RISK ASSESSMENT METHODOLOGIES
    (pp. 26-41)

    In this book we use the terms ‘method’ and ‘methodology’ interchangeably. A method is (as most standard dictionaries explain) simply a ‘way of doing something’. A method, in other words, will contain principles and procedures, describing both what must be done and how it must be done. A risk assessment methodology, therefore, is a description of the principles and procedures (preferably documented) that describe how information security risks should be assessed and evaluated.

    An effective, defined, ISO27001 information security risk assessment methodology should meet the requirements of ISO27001 and, in doing so, should provide the organisation (particularly its board and...

  7. CHAPTER 3: RISK MANAGEMENT OBJECTIVES
    (pp. 42-53)

    We identified, in Chapter 1, the probability that most organisations already have in place a range of risk assessment approaches, driven perhaps by regulation as much as by the board’s desire to meet its fiduciary duties to shareholders and other stakeholders in the organisation.

    An organisation’s risk acceptance criteria (which we discussed in Chapter 1) are defined in its overall approach to risk management and are contained in its information security policy.

    ISO27001 says that the ISMS policy must ‘align with the organization’s strategic risk management context’ (clause 4.2.1 - b3) or its ERM framework, if it already has one...

  8. CHAPTER 4: ROLES AND RESPONSIBILITIES
    (pp. 54-63)

    Risk management is a process that involves people and, while many of the people involved in this process will already have specific responsibilities inside the organisation, it is important to identify precisely the contribution they are expected to make to the risk management process.

    ISO27005 recommends (clause 7.4) that ‘the organization and responsibilities for the information security risk management process should be set up and maintained’ and, in a footnote, comments that the creation of an organisation capable of carrying out a risk assessment could be regarded as ‘one of the resources required by ISO/IEC 27001.’

    Without senior level management...

  9. CHAPTER 5: RISK ASSESSMENT SOFTWARE
    (pp. 64-78)

    There are software tools that have been designed to assist in risk assessment and, although their use is not mandatory in the standard, it is practically impossible to carry out and maintain a useful risk assessment for an organisation that has more than about four workstations without using such a tool. It is essential that the risk assessment be completed methodically, systematically and comprehensively. An appropriate software tool, designed with ISO27001 in mind and kept up to date in terms of changing information security issues, can be effective in this process.

    This is because the risk assessment is a complex...

  10. CHAPTER 6: INFORMATION SECURITY POLICY AND SCOPING
    (pp. 79-90)

    While risk assessment is the core competence of information security, it is the information security policy and the agreed scope of the ISMS that provide the organisational context within which that risk assessment takes place. The first step in the planning phase for the establishment of an ISMS is the definition of the information security policy. A risk assessment can only be carried out once an information security policy exists to provide context and direction for the risk assessment activity.

    This requirement is set out in clause 4.2.1 of ISO27001³⁷ (and control A.5.1, in Annex A to ISO27001). It is...

  11. CHAPTER 7: THE ISO27001 RISK ASSESSMENT
    (pp. 91-97)

    We’ve already looked at the ISO27001 risk assessment in the context of the ERM framework and in relation to the PDCA cycle. This chapter provides an overview of the steps that ISO27001 specifically requires, identifies some gaps, and introduces the additional best practice guidance available in ISO27002, ISO27005 and BS7799-3:2006 (BS7799).³⁹

    We want to remind readers, at this point, that there is an important difference between a specification and a code of practice. A specification, such as ISO27001, sets out specific requirements which, if followed, will allow a management system to receive a third party certificate of conformity. A code...

  12. CHAPTER 8: INFORMATION ASSETS
    (pp. 98-109)

    The information security policy and the scoping statement, discussed in Chapter 6, describe the boundaries of the ISMS. You have to consider, at a reasonably high level, the information assets that underpin the organisation’s business processes in order to establish the scope of the ISMS. You now return to the subject, but this time the objective is to identify all those assets in detail.

    The first step in meeting the ISO27001 requirements for risk assessments is to identify all the information assets (and ‘assets’ includes information systems – which should be so defined in your information security policy) within the scope...

  13. CHAPTER 9: THREATS AND VULNERABILITIES
    (pp. 110-117)

    The second step in the ISO27001 risk assessment process is to identify the threats to the identified assets. The third step is to identify the vulnerabilities those threats might exploit. Threats and vulnerabilities go together and, for that reason, we are addressing them together in this chapter.

    The difference between ‘threats’ and ‘vulnerabilities’ is not always immediately clear to people new to the subject and, as a risk assessment process is implemented within an organisation, it will not be immediately clear to everyone involved in it. It is very important to always differentiate clearly between these two attributes of a...

  14. CHAPTER 10: IMPACT AND ASSET VALUATION
    (pp. 118-134)

    The successful exploitation of a vulnerability by a threat will have an impact on the asset’s availability, confidentiality or integrity. This may have consequences for the business, in terms of its actual operations, or from a compliance angle, or in relation to a contractual requirement. A single threat could exploit more than one vulnerability and each exploitation could have more than one type of impact. These impacts should all be identified.

    Risk assessment involves identifying the potential business harm that might result from each of these identified impacts. The way to do this is to assess the extent of the...

  15. CHAPTER 11: LIKELIHOOD
    (pp. 135-139)

    Each of the preceding stages of the risk assessment has a relatively high degree of certainty about it. The vulnerabilities should be capable of technical, logical or physical identification. The way in which threats might exploit them should also be mechanically demonstrable. The decisions that have to be made are those that relate to the actions the organisation will take to counter those threats. Before that, however, there needs to be an assessment as to the likelihood of the event, and what the appropriate response to it will be. This means that the actual risks have now to be assessed...

  16. CHAPTER 12: RISK LEVEL
    (pp. 140-146)

    Risk level – the output of the risk equation that we discussed earlier – is a function of impact and likelihood (probability). The final step in the risk assessment exercise is to assess the risk level for each impact and to transfer the details to the corporate asset inventory.

    Three levels of risk assessment are usually adequate: low, medium and high. Where the likely impact is low and the probability is also low, then the risk level could be considered very low. Where the impact is at least high and the probability is also at least high, then the risk level might...

  17. CHAPTER 13: RISK TREATMENT AND THE SELECTION OF CONTROLS
    (pp. 147-158)

    Once you have completed the risk assessment, you can move on to the selection of controls, and this chapter reviews the requirements of ISO27001 around control selection, which is also known as ‘risk treatment’.

    As we said in Chapter 1, there are four risk treatment decisions that can be made:

    • accept the risk;
    • eliminate the risk by work-around or other arrangements;
    • control the risk to bring it to an acceptable level;
    • transfer it to a third party (e.g. via insurance).

    The criterion that is used in making the decision is simple: either the risk is within the risk tolerance level,...

  18. CHAPTER 14: THE STATEMENT OF APPLICABILITY
    (pp. 159-163)

    Having conducted the risk assessment and taken decisions regarding the treatment of those assessed risks, the results need to be documented. This produces two documents:

    • Statement of Applicability, and
    • Risk Treatment Plan.

    The first lists all the controls listed in Annex A of ISO27001 and documents whether or not they have been applied within the ISMS, and also identifies additional controls that have been applied. The second maps the selected treatments (and the measures by which they are to be implemented) to the specific risks they are intended to address and is, in effect, a control implementation plan; we discuss...

  19. CHAPTER 15: THE GAP ANALYSIS AND RISK TREATMENT PLAN
    (pp. 164-167)

    Whilst the Statement of Applicability identifies which of the ISO27001 Appendix A controls (and which, if any, additional controls) are to be implemented, it does not prioritise implementation or provide any guidance for how implementation is to be carried out.

    Of course, it would be logical for the organisation to tackle and implement controls in the order of priority (i.e. ‘very high’ first) identified through the risk assessment. The controls that are most critical for the organisation will be those that relate to the threats and vulnerabilities that it has identified, through the risk assessment process, as being most serious...

  20. CHAPTER 16: REPEATING AND REVIEWING THE RISK ASSESSMENT
    (pp. 168-170)

    Effective risk management is a continuous Plan-Do-Check-Act cycle. This means, of course, that the risk assessment must be regularly revisited. ISO27001 sets out the requirement very clearly: ‘review risk assessments at planned intervals and review the residual risks and the identified acceptable levels of risks’ taking into account changes in the business environment, to the organisation, to the risks it faces, to the incidents it experiences, to regulatory changes and in the light of the effectiveness of the controls.⁵⁸

    Following the initial, resource-intensive phase of the ‘ISMS implementation’ risk assessment, the organisation’s appetite to repeat the exercise is likely to...

  21. APPENDIX 1: CARRYING OUT AN ISO27001 RISK ASSESSMENT USING vsRISK™
    (pp. 171-180)
  22. APPENDIX 2: ISO27001 IMPLEMENTATION RESOURCES
    (pp. 181-182)
  23. BOOKS BY THE SAME AUTHORS
    (pp. 183-184)
  24. ITG RESOURCES
    (pp. 185-187)