What is information security risk?

Information security risk is simply a combination of the impact that could result from a threat compromising one of your important information assets and the likelihood of this happening.

Risk Management In ISO 27001

ISO 27001 requires that you implement a management system to help you manage the security of your important information assets. The backbone of this is formed from the need to develop and implement an appropriate and effective information security risk management methodology.

ISO 27001 Risk Management

You should develop and implement a risk management methodology which allows you to identify your important information assets and to determine why they need protecting. It is important to note here that when information security is mentioned, people immediately start thinking about confidentiality aspects, but the availability and integrity aspects also need to be taken into consideration as these are important components of information security.
Once this has been achieved, your methodology needs to be able to identify the likelihood of something going wrong and what can be done to mitigate this risk. In a nutshell, it enables you to quantify the impact and the likelihood elements of information security risk and then go on to do something about it.

ISO 27001 Risk Management Framework

There are several discrete stages of an ISO 27001 risk management methodology. First of all, it is important to understand the information security context of your organization. Once this has been achieved, you can perform a risk assessment which includes the need to identify your risks, analyze them, and evaluate them. You then need to determine a suitable treatment for the risks you have assessed and then implement that treatment. It is vitally important that you do not see this as a one-off exercise. Your risk management methodology should be designed to be iterative.
This enables you to not only review the status of risks you have previously identified, taking into consideration any potential changes in context, but it also enables you to identify new risks. The high-level stages of a risk management methodology, as described above, should be thought of as a framework that enables risk management to be embedded within key processes throughout your organization so that any identified risks are comparable.

ISO 27001 Risk Management Context

The first stage of your risk management methodology needs to identify what is important to you or your organization from an information security point of view. ISO 27001 requires you to determine the context of your organization, part of which means that you need to be able to identify the information security related issues that you face, along with who the internal and external interested parties are and what their needs and expectations are.
It is important to also understand what your risk appetite is at this stage, as we will need this information later. Once you have done this, you are able to determine what is important about the different information assets under your control.

ISO 27001 Risk Management: What Is Risk Appetite?

Risk appetite is simply the amount and type of risk you are willing to accept or retain in order to allow business operations to proceed. This is important because too much security can sometimes compromise your operational viability, whereas too little will reduce the confidence of your stakeholders. Some types of organizations are willing to accept more risk than others. For example, a hedge fund manager is likely to take more risk in order to make greater profits over a short space of time, whereas a pension fund manager generally prefers a less risky, steady growth approach.
ISO 27001 Risk Assessment Methodology: Risk Identification

Once you have determined the context, you can go ahead and conduct a risk assessment. The first part of a risk assessment is to identify the risks that you face. This can be broken down into three elements.

The first element is to identify your information assets. An information asset is any information that has value to you. There are several different ways to calculate the value of an asset, but it is important that you not only consider the confidentiality needs of the information, but also the integrity and availability requirements.

The second element of risk identification is threat analysis. You need to have a process which enables you to identify all of the threats which are applicable to the assets you have identified. If a particular threat is applicable, then it is also a good idea to think about how probable it is that the threat will materialize.
For example, if you use Windows-based computer systems which are connected somehow to the internet, the probability of them being affected by a virus is probably very high if you do nothing to stop it. Whereas if you are using an Apple Mac which is never connected to the internet, the probability is very low.

The third element of risk identification is the need to determine if there are any vulnerabilities that would allow a threat that you have identified to cause an impact on your asset. To carry on with the example we have just used, if you have an antivirus system installed and running on your internet-connected Windows computers, you are less vulnerable to this particular threat than if you didn't.

ISO 27001 Risk Assessment Methodology: Risk Analysis

One of the useful aspects of the output from an effective risk assessment is the ability to prioritize your risks. This is important as you may not have sufficient resources to fully mitigate every risk that you identify.
This means that it is important to somehow quantify your risks. To do this, we need to know two things. First, how much of an impact would be felt if a compromise occurred? And second, what is the likelihood of that threat occurring?

One good idea is to use a set of scales to record values in these areas. For example, using a scale of one to five, we could say how impactful it would be if the confidentiality of an asset were breached. Clearly breaches of confidentiality would cause a greater impact for some assets, for example HR records, than others like the staff canteen menu. A second one-to-five scale could be used to determine the likelihood of a breach occurring, and we would take into consideration the threat and vulnerability information we spoke about earlier in order to do this.

ISO 27001 Risk Assessment Methodology: Risk Evaluation

Risk evaluation is a relatively simple process as it requires you to identify whether or not the risk that you have identified is above or below appetite.
To do this, the first thing we need to do is calculate the value of the risk, which simply means multiplying the impact and likelihood values together. We have a range of possible values which result from multiplying the two one-to-five scales together. The appetite is stated within the methodology as a particular value on the five-by-five matrix. If a particular risk is above this value, then it is above appetite, which means that it can then be flagged for treatment. Anything below appetite can be accepted and monitored for change.

ISO 27001 Risk Treatment Methodology

Your risk management methodology needs to include a methodology for determining the most appropriate treatment for the risks that you have identified. There are four possible treatments to choose from. These are accept, reduce, transfer, and avoid. You may come across different terms used for these, such as tolerate, treat, transfer, and terminate.
This example is known as the 4Ts; however, they take the same approach.

ISO 27001 Risk Treatment Methodology: Accept or Tolerate

One of the four treatments provides you with the ability to accept risk. We have already seen that this is possible, as it is likely that you will simply accept risks that are below appetite. However, you can also make an informed decision to accept risks in certain circumstances, such as where there is a legal requirement preventing you from taking the desired action or you have insufficient resources to do so. These cases should be few and far between though, and should always be approved by appropriate management and regularly reviewed.

ISO 27001 Risk Treatment Methodology: Reduce or Treat

The second treatment option is to reduce or treat the risk. This is done through the implementation of controls. ISO 27001 provides you with a list of 114 best practice controls that can be used to mitigate the risks that you have identified.
These can be used in combination in order to increase their effectiveness, and of course you can also add controls of your own that do not appear in ISO 27001.

ISO 27001 Risk Treatment Methodology: Transfer

The third risk treatment option is to transfer the risk. The transfer option involves the use of third parties to help you mitigate your risks. You could do this, for example, by offloading some of the financial impact of something going wrong by taking out an insurance policy. Another way of doing this is to outsource the responsibility for implementing and operating technical controls to a third party such as an IT managed service provider. It is important to note here that although responsibility for financial impact or the management of operational controls can be transferred to a third party, the accountability associated with the risk cannot. In other words, you will still be held accountable by your stakeholders if something goes wrong.
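The scoring described under Risk Analysis and Risk Evaluation above (impact times likelihood on one-to-five scales, compared with an appetite value on the five-by-five matrix) and the flag-for-treatment step, carried through as a small risk register. This is an added illustration, not code from the video or from URM; the asset names, scores and the appetite value of 8 are constructed sample values.

```python
from dataclasses import dataclass
from enum import Enum


class Aspect(Enum):
    """The three components of information security that must all be valued,
    not just confidentiality."""
    CONFIDENTIALITY = "confidentiality"
    INTEGRITY = "integrity"
    AVAILABILITY = "availability"


def _on_scale(value: int, label: str) -> int:
    """Both impact and likelihood are recorded on a one-to-five scale."""
    if not 1 <= value <= 5:
        raise ValueError(f"{label} must be between 1 and 5, got {value}")
    return value


@dataclass(frozen=True)
class Asset:
    """An information asset valued separately for C, I and A (each 1..5)."""
    name: str
    confidentiality: int
    integrity: int
    availability: int

    def impact(self, aspect: Aspect) -> int:
        # Aspect values match the field names, so look the score up by name.
        return _on_scale(getattr(self, aspect.value), f"{self.name} {aspect.value} impact")


@dataclass(frozen=True)
class Risk:
    """One threat against one aspect of one asset.  The likelihood value is
    assumed to already reflect both the threat probability and whether a
    vulnerability exists, as the Risk Identification section describes."""
    asset: Asset
    aspect: Aspect
    threat: str
    likelihood: int

    def score(self) -> int:
        """Risk value = impact x likelihood: one cell of the 5x5 matrix (1..25)."""
        likelihood = _on_scale(self.likelihood, f"'{self.threat}' likelihood")
        return self.asset.impact(self.aspect) * likelihood


@dataclass(frozen=True)
class Evaluation:
    risk: Risk
    score: int
    above_appetite: bool

    @property
    def decision(self) -> str:
        # Above appetite -> flag for treatment; otherwise accept and monitor.
        return "flag for treatment" if self.above_appetite else "accept and monitor"


def evaluate(risks: list[Risk], appetite: int) -> list[Evaluation]:
    """Compare every risk with the appetite stated in the methodology and return
    the register highest score first, which is the prioritisation order."""
    if not 1 <= appetite <= 25:
        raise ValueError("appetite is a value on the 5x5 matrix (1..25)")
    evaluated = [Evaluation(r, r.score(), r.score() > appetite) for r in risks]
    return sorted(evaluated, key=lambda e: e.score, reverse=True)


def reduce_likelihood(risk: Risk, residual_likelihood: int) -> Risk:
    """The 'reduce' treatment: a control lowers the likelihood, and the residual
    risk is re-scored in the next iteration of the assessment."""
    return Risk(risk.asset, risk.aspect, risk.threat, residual_likelihood)


# Constructed sample register (hypothetical values, not from any real ISMS).
HR_RECORDS = Asset("HR records", confidentiality=5, integrity=4, availability=3)
CANTEEN_MENU = Asset("Staff canteen menu", confidentiality=1, integrity=2, availability=2)
APPETITE = 8  # constructed: any score above 8 is above appetite

REGISTER = [
    Risk(HR_RECORDS, Aspect.CONFIDENTIALITY, "unauthorised disclosure", likelihood=3),
    Risk(HR_RECORDS, Aspect.AVAILABILITY, "malware on internet-connected Windows PCs", likelihood=4),
    Risk(CANTEEN_MENU, Aspect.CONFIDENTIALITY, "unauthorised disclosure", likelihood=4),
]

if __name__ == "__main__":
    for e in evaluate(REGISTER, APPETITE):
        r = e.risk
        print(f"{e.score:>2}  {r.asset.name} / {r.aspect.value} / {r.threat}: {e.decision}")
    # Treat the malware risk with antivirus: likelihood assumed to fall from 4 to 2.
    treated = reduce_likelihood(REGISTER[1], residual_likelihood=2)
    print("residual:", evaluate([treated], APPETITE)[0].decision)
```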
ISO 27001 Risk Treatment Methodology: Avoid or Terminate

The fourth risk treatment option is to simply avoid the risk. As we have discussed before, there are three component parts to risk: the impact felt by the organization following a breach of confidentiality, integrity, or availability for an information asset; a threat that could cause this impact; and a vulnerability that would allow it to do so. It is possible to avoid risk completely by eliminating one or more of these three elements. However, it is unlikely that we would be able to completely remove all threats or all vulnerabilities, which leaves us only with one viable option, which is to remove the impact. This is done by removing the asset or stopping the processes that are associated with the identified risk. For example, to avoid the risks associated with the taking of credit card payments, remove that process and only deal in cash.
There are obvious issues associated with taking this approach, as it is unlikely to be looked upon too favorably by your stakeholders, especially if the process is revenue generating. This is the reason why this particular risk treatment methodology is rarely used.

ISO 27001 Risk Treatment Methodology: Controls

The most common option chosen to treat risks, other than maybe 'accept' in more mature ISMSs, is to reduce the risk. This is done by implementing controls or improving existing ones to address the risk. There are three main operational types of control: administrative or people-based controls, technical or logical controls, and physical or environmental controls.
Within these three operational types there are several different tactical uses of controls, such as those that are designed to prevent a threat from materializing, those that are designed to deter people from carrying out an undesired action, those that detect if a threat has materialized, or those that enable you to recover from a situation after the threat has been dealt with, and there are several others. Operational types and tactical uses of controls are not mutually exclusive and can and should be used where possible in combination to provide a greater depth of security.

ISO 27001 Risk Management: Monitor And Review

It is important to ensure that any actions you take to address the risks you have identified are monitored and reviewed to ensure that they have the desired effect. Part of the monitor and review process should also include a review of context before the risk assessment is reperformed.
This will allow you to identify and take into consideration any changes that may have happened, either internally within your organization or externally, such as changes in legislation or changes to the threat environment. Thus, you are able to identify if risks that have previously been identified are getting worse or, hopefully, better. And you will also be able to identify any new risks.

ISO 27001 Risk Assessment Frequency

Risk management, and therefore risk assessment, is an iterative process, and each iteration should take into consideration lessons learned from the previous iteration and should take into consideration any internal or external changes, thus enabling continual improvement. There is no hard and fast rule on the frequency of risk assessment, but URM recommends that the frequency is no less than annual. This does not necessarily mean that you should set aside a certain amount of time at a certain point in the year to conduct a risk assessment, although of course you can do this if you wish.
It just means that each time 12 months has elapsed, you should aim to have completed the next iteration. So you could spread the workload over the 12-month period by performing smaller risk assessments on a subset of areas at more frequent intervals if this is more manageable.

ISO 27001 Risk Management: Governance

Throughout the risk management process, you need to ensure that you communicate effectively with any interested parties. It may be useful to put together a RACI (Responsible, Accountable, Consulted, Informed) matrix to help you with this, as all the way through the process different people will need to be held responsible, some will need to be held accountable, some will need to be consulted in order to identify all of the pertinent information we need to perform an effective risk assessment, and some people, for example the management team, will need to be informed through effective reporting of your risk status.
ISO 27001 Risk Management: Policy and Process

As with all key processes associated with an effective ISMS, it is a good idea to implement a risk management policy. This enables you to set the risk management and risk assessment criteria, appetite, and roles and responsibilities out within a document that everyone is required to implement throughout the business. This should of course be underpinned by the risk management methodology and any required documented processes to enable risk management to be embedded throughout the organization.

So how can URM help?

URM can offer a range of information risk management consultancy and training services, most notably our accredited five-day Practitioner Certificate in Information Risk Management training course. In addition, URM has also developed an information risk management module, Abriska 27001, especially to meet the risk assessment requirements of ISO 27001. For more information, email us or give us a call.