What is information security risk?

Information security risk is simply a combination of the impact that could result from a threat compromising one of your important information assets and the likelihood of this happening.

Risk Management In ISO 27001

ISO 27001 requires that you implement a management system to help you manage the security of your important information assets. The backbone of this is formed from the need to develop and implement an appropriate and effective information security risk management methodology.

ISO 27001 Risk Management

You should develop and implement a risk management methodology which allows you to identify your important information assets and to determine why they need protecting. It is important to note here that when information security is mentioned, people immediately start thinking about confidentiality aspects, but the availability and integrity aspects also need to be taken into consideration, as these are important components of information security.
Once this has been achieved, your methodology needs to be able to identify the likelihood of something going wrong and what can be done to mitigate this risk. In a nutshell, it enables you to quantify the impact and the likelihood elements of information security risk and then go on to do something about it.

ISO 27001 Risk Management Framework

There are several discrete stages of an ISO 27001 risk management methodology. First of all, it is important to understand the information security context of your organization. Once this has been achieved, you can perform a risk assessment, which includes the need to identify your risks, analyze them, and evaluate them. You then need to determine a suitable treatment for the risks you have assessed and then implement that treatment. It is vitally important that you do not see this as a one-off exercise. Your risk management methodology should be designed to be iterative.
This enables you not only to review the status of risks you have previously identified, taking into consideration any potential changes in context, but also to identify new risks. The high-level stages of a risk management methodology, as described above, should be thought of as a framework that enables risk management to be embedded within key processes throughout your organization, so that any identified risks are comparable.

ISO 27001 Risk Management Context

The first stage of your risk management methodology needs to identify what is important to you or your organization from an information security point of view. ISO 27001 requires you to determine the context of your organization, part of which means that you need to be able to identify the information security related issues that you face, along with who the internal and external interested parties are and what their needs and expectations are. It is important to also understand what your risk appetite is at this stage, as we will need this information later.
Once you have done this, you are able to determine what is important about the different information assets under your control.

ISO 27001 Risk Management: What Is Risk Appetite?

Risk appetite is simply the amount and type of risk you are willing to accept or retain in order to allow business operations to proceed. This is important because too much security can sometimes compromise your operational viability, whereas too little will reduce the confidence of your stakeholders. Some types of organizations are willing to accept more risk than others. For example, a hedge fund manager is likely to take more risk in order to make greater profits over a short space of time, whereas a pension fund manager generally prefers a less risky, steady growth approach.

ISO 27001 Risk Assessment Methodology: Risk Identification

Once you have determined the context, you can go ahead and conduct a risk assessment. The first part of a risk assessment is to identify the risks that you face.
This can be broken down into three elements. The first element is to identify your information assets. An information asset is any information that has value to you. There are several different ways to calculate the value of an asset, but it is important that you not only consider the confidentiality needs of the information, but also the integrity and availability requirements.

The second element of risk identification is threat analysis. You need to have a process which enables you to identify all of the threats which are applicable to the assets you have identified. If a particular threat is applicable, then it is also a good idea to think about how probable it is that the threat will materialize. For example, if you use Windows-based computer systems which are connected somehow to the internet, the probability of them being affected by a virus is probably very high if you do nothing to stop it, whereas if you are using an Apple Mac which is never connected to the internet, the probability is very low.
The third element of risk identification is the need to determine if there are any vulnerabilities that would allow a threat that you have identified to cause an impact on your asset. To carry on with the example we have just used, if you have an antivirus system installed and running on your internet-connected Windows computers, you are less vulnerable to this particular threat than if you didn't.

ISO 27001 Risk Assessment Methodology: Risk Analysis

One of the useful aspects of the output from an effective risk assessment is the ability to prioritize your risks. This is important as you may not have sufficient resources to fully mitigate every risk that you identify. This means that it is important to somehow quantify your risks. To do this, we need to know two things. First, how much of an impact would be felt if a compromise occurred? And second, what is the likelihood of that threat occurring? One good idea is to use a set of scales to record values in these areas.
For example, using a scale of one to five, we could say how impactful it would be if the confidentiality of an asset were breached. Clearly, breaches of confidentiality would cause a greater impact for some assets, for example HR records, than for others, like the staff canteen menu. A second one-to-five scale could be used to determine the likelihood of a breach occurring, and we would take into consideration the threat and vulnerability information we spoke about earlier in order to do this.

ISO 27001 Risk Assessment Methodology: Risk Evaluation

Risk evaluation is a relatively simple process, as it requires you to identify whether or not the risk that you have identified is above or below appetite. To do this, the first thing we need to do is calculate the value of the risk, which simply means multiplying the impact and likelihood values together. We have a range of possible values which result from multiplying the two one-to-five scales together. The appetite is stated within the methodology as a particular value on the five-by-five matrix.
If a particular risk is above this value, then it is above appetite, which means that it can then be flagged for treatment. Anything below appetite can be accepted and monitored for change.

ISO 27001 Risk Treatment Methodology

Your risk management methodology needs to include a methodology for determining the most appropriate treatment for the risks that you have identified. There are four possible treatments to choose from. These are accept, reduce, transfer, and avoid. You may come across different terms used for these, such as tolerate, treat, transfer, and terminate. This example is known as the 4Ts; however, they take the same approach.

ISO 27001 Risk Treatment Methodology: Accept or Tolerate

One of the four treatments provides you with the ability to accept risk. We have already seen that this is possible, as it is likely that you will simply accept risks that are below appetite.
However, you can also make an informed decision to accept risks in certain circumstances, such as where there is a legal requirement preventing you from taking the desired action or you have insufficient resources to do so. These cases should be few and far between, though, and should always be approved by appropriate management and regularly reviewed.

ISO 27001 Risk Treatment Methodology: Reduce or Treat

The second treatment option is to reduce or treat the risk. This is done through the implementation of controls. ISO 27001 provides you with a list of 114 best practice controls that can be used to mitigate the risks that you have identified. These can be used in combination in order to increase their effectiveness, and of course you can also add controls of your own that do not appear in ISO 27001.

ISO 27001 Risk Treatment Methodology: Transfer

The third risk treatment option is to transfer the risk. The transfer option involves the use of third parties to help you mitigate your risks.
You could do this, for example, by offloading some of the financial impact of something going wrong by taking out an insurance policy. Another way of doing this is to outsource the responsibility for implementing and operating technical controls to a third party, such as an IT managed service provider.

It is important to note here that although responsibility for financial impact or the management of operational controls can be transferred to a third party, the accountability associated with the risk cannot. In other words, you will still be held accountable by your stakeholders if something goes wrong.

ISO 27001 Risk Treatment Methodology: Avoid or Terminate

The fourth risk treatment option is to simply avoid the risk. As we have discussed before, there are three component parts to risk: the impact felt by the organization following a breach of confidentiality, integrity, or availability for an information asset; a threat that could cause this impact; and a vulnerability that would allow it to do so.
It is possible to avoid risk completely by eliminating one or more of these three elements. However, it is unlikely that we would be able to completely remove all threats or all vulnerabilities, which leaves us with only one viable option, which is to remove the impact. This is done by removing the asset or stopping the processes that are associated with the identified risk. For example, to avoid the risks associated with the taking of credit card payments, remove that process and only deal in cash. There are obvious issues associated with taking this approach, as it is unlikely to be looked upon too favorably by your stakeholders, especially if the process is revenue generating. This is the reason why this particular risk treatment methodology is rarely used.

ISO 27001 Risk Treatment Methodology: Controls

The most common option chosen to treat risks, other than maybe 'accept' in more mature ISMSs, is to reduce the risk.
This is done by implementing controls or improving existing ones to address the risk. There are three main operational types of control: administrative or people-based controls, technical or logical controls, and physical or environmental controls. Within these three operational types there are several different tactical uses of controls, such as those that are designed to prevent a threat from materializing, those that are designed to deter people from carrying out an undesired action, those that detect if a threat has materialized, or those that enable you to recover from a situation after the threat has been dealt with, and there are several others. Operational types and tactical uses of controls are not mutually exclusive and can and should be used, where possible, in combination to provide a greater depth of security.
ISO 27001 Risk Management: Monitor and Review

It is important to ensure that any actions you take to address the risks you have identified are monitored and reviewed to ensure that they have the desired effect. Part of the monitor and review process should also include a review of context before the risk assessment is re-performed. This will allow you to identify and take into consideration any changes that may have happened, either internally within your organization or externally, such as changes in legislation or changes to the threat environment. Thus, you are able to identify if risks that have previously been identified are getting worse or, hopefully, better, and you will also be able to identify any new risks.

ISO 27001 Risk Assessment Frequency

Risk management, and therefore risk assessment, is an iterative process, and each iteration should take into consideration lessons learned from the previous iteration and any internal or external changes, thus enabling continual improvement.
There is no hard and fast rule on the frequency of risk assessment, but URM recommends that the frequency is no less than annual. This does not necessarily mean that you should set aside a certain amount of time at a certain point in the year to conduct a risk assessment, although of course you can do this if you wish. It just means that each time 12 months has elapsed, you should aim to have completed the next iteration. So you could spread the workload over the 12-month period by performing smaller risk assessments on a subset of areas at more frequent intervals, if this is more manageable.

ISO 27001 Risk Management: Governance

Throughout the risk management process, you need to ensure that you communicate effectively with any interested parties. It may be useful to put together a RACI to help you with this.
All the way through the process, different people will need to be held responsible, some will need to be held accountable, some will need to be consulted in order to identify all of the pertinent information we need to perform an effective risk assessment, and some people, for example the management team, will need to be informed through effective reporting of your risk status.

ISO 27001 Risk Management: Policy and Process

As with all key processes associated with an effective ISMS, it is a good idea to implement a risk management policy. This enables you to set out the risk management and risk assessment criteria, appetite, and roles and responsibilities within a document that everyone is required to implement throughout the business. This should of course be underpinned by the risk management methodology and any required documented processes to enable risk management to be embedded throughout the organization.

So how can URM help?

URM can offer a range of information risk management consultancy and training services.
Most notable is our accredited five-day practitioner certificate in information risk management training course. In addition, URM has also developed an information risk management module, Abriska 27001, specifically to meet the risk assessment requirements of ISO 27001. For more information, email us or give us a call.