What is information security risk?
Information security risk is simply a
combination of the impact that could
result from a threat compromising one of
your important information assets and
the likelihood of this happening.
Risk Management In ISO 27001
ISO 27001 requires that you implement a
management system to help you manage the
security of your important information
assets.
The backbone of this is formed from the
need to develop and implement an
appropriate and effective information
security risk management methodology.
ISO 27001 Risk Management
You should develop and implement a risk
management methodology which allows you
to identify your important information
assets and to determine why they need
protecting.
It is important to note here that when
information security is mentioned, people
immediately start thinking about
confidentiality aspects, but the
availability and integrity aspects also
need to be taken into consideration
as these are important components of
information security.
Once this has been achieved, your
methodology needs to be able to identify
the likelihood of something going wrong
and what can be done to mitigate this
risk.
In a nutshell, it enables you to quantify
the impact and the likelihood elements
of information security risk and then go
on to do something about it.
ISO 27001 Risk Management Framework
There are several discrete stages of an
ISO 27001 risk management methodology.
First of all, it is important to
understand the information security
context of your organization.
Once this has been achieved, you can
perform a risk assessment which includes
the need to identify your risks,
analyze them, and evaluate them.
You then need to determine a suitable
treatment for the risks you have
assessed and then implement that
treatment.
It is vitally important that you do not
see this as a one-off exercise.
Your risk management methodology should
be designed to be iterative.
This enables you to not only review the
status of risks you have previously
identified, taking into consideration any
potential changes in context, but it also
enables you to identify new risks.
The high level stages of a risk
management methodology, as described
above, should be thought of as a
framework that enables risk management
to be embedded within key processes
throughout your organization
so that any identified risks are
comparable.
ISO 27001 Risk Management Context
The first stage of your risk management
methodology needs to identify what is
important to you or your organization
from an information security point of
view.
ISO 27001 requires you to determine the
context of your organization, part of
which means that you need to be able to
identify the information security related
issues that you face, along with who the
internal and external interested parties
are and what their needs and expectations
are.
It is important to also understand what
your risk appetite is at this stage as
we will need this information later.
Once you have done this, you are able to
determine what is important about the
different information assets under your
control.
ISO 27001 Risk Management What Is Risk
Appetite?
Risk appetite is simply the amount and
type of risk you are willing to accept
or retain
in order to allow business operations to
proceed.
This is important because too much
security can sometimes compromise your
operational viability, whereas too little
will reduce the confidence of your
stakeholders.
Some types of organizations are willing
to accept more risk than others.
For example, a hedge fund manager is
likely to take more risk in order to
make greater profits over a short space
of time, whereas a pension fund manager
generally prefers a less risky, steady
growth approach.
ISO 27001 Risk Assessment Methodology
Risk Identification
Once you have determined the context, you
can go ahead and conduct a risk
assessment.
The first part of a risk assessment is
to identify the risks that you face.
This can be broken down into three
elements. The first element is to
identify your information assets. An
information asset is any information
that has value to you.
There are several different ways to
calculate the value of an asset but it
is important that you not only consider
the confidentiality needs of the
information, but also the integrity and
availability requirements.
The second element of risk
identification is threat analysis. You
need to have a process which enables you
to identify all of the threats which are
applicable to the assets you have
identified.
If a particular threat is applicable
then it is also a good idea to think
about how probable it is that the threat
will materialize.
For example, if you use Windows-based
computer systems which are connected
somehow to the internet, the probability
of them being affected by a virus is
probably very high if you do nothing to
stop it.
Whereas if you are using an Apple Mac
which is never connected to the internet,
the probability is very low.
The third element of risk identification
is the need to determine if there are
any vulnerabilities that would allow a
threat that you have identified to cause
an impact on your asset.
To carry on with the example we have
just used, if you have an antivirus
system installed and running on your
internet-connected Windows computers, you
are less vulnerable to this particular
threat than if you didn't.
ISO 27001 Risk Assessment Methodology
Risk Analysis
One of the useful aspects of the output
from an effective risk assessment is the
ability to prioritize your risks. This is
important as you may not have sufficient
resources to fully mitigate every risk
that you identify.
This means that it is important to
somehow quantify your risks.
To do this, we need to know two things.
First, how much of an impact would be
felt if a compromise occurred? And second,
what is the likelihood of that threat
occurring?
One good idea is to use a set of scales
to record values in these areas.
For example, using a scale of one to five,
we could say how impactful it would be
if the confidentiality of an asset were
breached.
Clearly, breaches of confidentiality
would cause a greater impact for some
assets, for example HR records, than for
others, like the staff canteen menu.
A second one to five scale could be used
to determine the likelihood of a breach
occurring and we would take into
consideration the threat and
vulnerability information we spoke about
earlier in order to do this.
ISO 27001 Risk Assessment Methodology
Risk Evaluation
Risk evaluation is a relatively simple
process as it requires you to identify
whether or not the risk that you have
identified is above or below appetite.
To do this, the first thing we need to do
is calculate the value of the risk which
simply means multiplying the impact and
likelihood values together.
We have a range of possible values which
result from multiplying the two one to
five scales together.
The appetite is stated within the
methodology as a particular value on the
five by five matrix.
If a particular risk is above this value,
then it is above appetite which means
that it can then be flagged for
treatment.
Anything below appetite can be accepted
and monitored for change.
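As an added illustration (not code from the video, from URM or from Abriska), the scoring and evaluation steps just described in Python: each risk carries 1 to 5 impact ratings for confidentiality, integrity and availability plus a 1 to 5 likelihood, the risk value is impact times likelihood, and anything above the appetite value is flagged for treatment. The sample register, the appetite value of 8 and the rule that an asset's impact is the worst of its C, I and A ratings are assumptions made for the example.

```python
"""Constructed example of the 5x5 risk scoring and evaluation described
above. Not URM's or Abriska's code; register entries, appetite and the
worst-of-CIA impact rule are assumptions made for the illustration."""
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str
    threat: str
    impact: dict        # 'C', 'I', 'A' impact ratings, each 1..5
    likelihood: int     # 1..5, informed by the threat and vulnerability analysis

    def score(self) -> int:
        """Risk value = impact x likelihood (the formula the video gives).
        Assumption: an asset's impact is the worst of its C, I and A ratings."""
        for value in (*self.impact.values(), self.likelihood):
            if value not in range(1, 6):
                raise ValueError(f"ratings must be 1..5, got {value}")
        return max(self.impact.values()) * self.likelihood


def evaluate(register, appetite):
    """Split a register into risks above appetite (flag for treatment, highest
    first) and risks at or below appetite (accept and monitor for change)."""
    treat = sorted((r for r in register if r.score() > appetite),
                   key=lambda r: r.score(), reverse=True)
    accept = [r for r in register if r.score() <= appetite]
    return treat, accept


# Constructed sample register, reusing the video's own examples.
REGISTER = [
    Risk("HR records", "malware on internet-connected Windows PCs",
         {"C": 5, "I": 4, "A": 3}, likelihood=4),
    Risk("Staff canteen menu", "malware on internet-connected Windows PCs",
         {"C": 1, "I": 2, "A": 2}, likelihood=4),
    Risk("Card payment process", "breach of card data",
         {"C": 5, "I": 5, "A": 4}, likelihood=2),
]
APPETITE = 8  # assumed: a cell value on the 5x5 matrix set by the methodology

if __name__ == "__main__":
    treat, accept = evaluate(REGISTER, APPETITE)
    for r in treat:
        print(f"TREAT  {r.score():2d}  {r.asset}: {r.threat}")
    for r in accept:
        print(f"ACCEPT {r.score():2d}  {r.asset}: {r.threat}")
```

Note that the canteen menu scores exactly 8 and is accepted, since only values above the appetite are treated; a methodology that treats at-or-above would change the comparison in evaluate.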
ISO 27001 Risk Treatment Methodology
Your risk management methodology needs
to include a methodology for determining
the most appropriate treatment for the
risks that you have identified.
There are four possible treatments to
choose from. These are accept, reduce,
transfer,
and avoid.
You may come across different terms used
for these, such as tolerate, treat,
transfer, and terminate. These are known
as the 4Ts, but they take the same
approach.
ISO 27001 Risk Treatment Methodology
Accept or Tolerate
One of the four treatments provides you
with the ability to accept risk.
We have already seen that this is
possible as it is likely that you will
simply accept risks that are below
appetite.
However, you can also make an informed
decision to accept risks in certain
circumstances, such as where there is a
legal requirement preventing you from
taking the desired action or you have
insufficient resources to do so.
These cases should be few and far
between though and should always be
approved by appropriate management and
regularly reviewed.
ISO 27001 Risk Treatment Methodology
Reduce or Treat
The second treatment option is to reduce
or treat the risk.
This is done through the implementation
of controls.
ISO 27001 provides you with a list of
114 best practice controls that can be
used to mitigate the risks that you have
identified.
These can be used in combination in
order to increase their effectiveness
and of course you can also add controls
of your own that do not appear in ISO
27001.
ISO 27001 Risk Treatment Methodology
Transfer
The third risk treatment option is to
transfer the risk.
The transfer option involves the use of
third parties to help you mitigate your
risks.
You could do this, for example, by
offloading some of the financial impact
of something going wrong by taking out
an insurance policy.
Another way of doing this is to
outsource the responsibility for
implementing and operating technical
controls to a third party such as an IT
managed service provider.
It is important to note here that
although responsibility for financial
impact or the management of operational
controls can be transferred to a third
party, the accountability associated with
the risk cannot.
In other words you will still be held
accountable by your stakeholders if
something goes wrong.
ISO 27001 Risk Treatment Methodology
Avoid or Terminate
The fourth risk treatment option is to
simply avoid the risk.
As we have discussed before, there are
three component parts to risk. The impact
felt by the organization following a
breach of confidentiality, integrity, or
availability for an information asset.
A threat that could cause this impact
and a vulnerability that would allow it
to do so.
It is possible to avoid risk completely
by eliminating one or more of these
three elements.
However, it is unlikely that we would be
able to completely remove all threats or
all vulnerabilities which leaves us only
with one viable option, which is to
remove the impact.
This is done by removing the asset or
stopping the processes that are
associated with the identified risk.
For example, to avoid the risks
associated with the taking of credit
card payments,
remove that process and only deal in
cash.
There are obvious issues associated with
taking this approach, as it is unlikely
to be looked upon too favorably by your
stakeholders, especially if the process
is revenue generating.
This is the reason why this particular
risk treatment option is rarely
used.
ISO 27001 Risk Treatment Methodology
Controls
The most common option chosen
to treat risks, other than maybe 'accept'
in more mature ISMSs, is to reduce the
risk.
This is done by implementing controls or
improving existing ones to address the
risk.
There are three main operational types
of control: Administrative or
people-based controls,
technical or logical controls, and
physical or environmental controls.
Within these three operational types
there are several different tactical
uses of controls, such as those that are
designed to prevent a threat from
materializing,
those that are designed to deter people
from carrying out an undesired action,
those that detect if a threat has
materialized, or those that enable you to
recover from a situation after the
threat has been dealt with,
and there are several others.
Operational types and tactical uses of
controls are not mutually exclusive and
can and should be used where possible in
combination to provide a greater depth
of security.
ISO 27001 Risk Management Monitor And
Review
It is important to ensure that any
actions you take to address the risks
you have identified are monitored and
reviewed to ensure that they have the
desired effect.
Part of the monitor and review process
should also include a review of context
before the risk assessment is
reperformed.
This will allow you to identify and take
into consideration any changes that may
have happened, either internally within
your organization or externally such as
changes in legislation or changes to the
threat environment. Thus, you are able to
identify if risks that have previously
been identified are getting worse or
hopefully better. And you will also be
able to identify any new risks.
ISO 27001 Risk Assessment Frequency
Risk management, and therefore risk
assessment, is an iterative process,
and each iteration should take into
consideration lessons learned from the
previous iteration as well as any
internal or external changes, thus
enabling continual improvement.
There is no hard and fast rule on the
frequency of risk assessment but URM
recommends that the frequency is no less
than annual.
This does not necessarily mean that you
should set aside a certain amount of
time at a certain point in the year to
conduct a risk assessment, although of
course you can do this if you wish.
It just means that each time 12 months
have elapsed, you should aim to have
completed the next iteration.
So you could spread the workload over
the 12-month period by performing
smaller risk assessments on a subset of
areas at more frequent intervals if this
is more manageable.
ISO 27001 Risk Management
Governance
Throughout the risk management process,
you need to ensure that you communicate
effectively with any interested parties.
It may be useful to put together a RACI
(responsible, accountable, consulted,
informed) matrix to help you with this,
as all the way through the process
different people will need to be held
responsible, some will need to be held
accountable, some will need to be
consulted in order to identify all of
the pertinent information we need to
perform an effective risk assessment, and
some people, for example the management
team, will need to be informed through
effective reporting of your risk status.
ISO 27001 Risk Management Policy and
Process
As with all key processes associated
with an effective ISMS, it is a good idea
to implement a risk management policy.
This enables you to set the risk
management and risk assessment criteria,
appetite, and roles and responsibilities
out within a document that everyone is
required to implement throughout the
business.
This should of course be underpinned by
the risk management methodology and any
required documented processes to enable
risk management to be embedded
throughout the organization.
So how can URM help?
URM can offer a range of information
risk management consultancy and training
services. Most notably, our accredited
five-day practitioner certificate in
information risk management training
course.
In addition, URM has also developed an
information risk management module,
Abriska 27001, specifically to meet the
risk assessment requirements of ISO
27001.
For more information email us or give us
a call.