
Information Security Risk Management for ISO27001/ISO27002
Ebook, 237 pages (about 2 hours)


About this ebook

Drawing on international best practice, including ISO/IEC 27005, NIST SP800-30 and BS7799-3, the book explains in practical detail how to carry out an information security risk assessment. It covers key topics, such as risk scales, threats and vulnerabilities, selection of controls, and roles and responsibilities, and includes advice on choosing risk assessment software.

Language: English
Publisher: IT Governance
Release date: Apr 27, 2010
ISBN: 9781849281492
Author

Steve Watkins



Reviews for Information Security Risk Management for ISO27001/ISO27002

Rating: 4.33 out of 5 stars (3 ratings, 2 reviews)

  • Rating: 4 out of 5 stars
    A must-read book for every ISO 27001 Lead Auditor and Implementer.
  • Rating: 5 out of 5 stars
    This book is exactly what I needed to guide me in leading my organization to ISO27001.

Book preview

Information Security Risk Management for ISO27001/ISO27002 - Steve Watkins


INTRODUCTION

In today’s information economy, the development, exploitation and protection of information assets are key to the long-term competitiveness and survival of corporations and entire economies. The protection of information assets – information security – is therefore overtaking physical asset protection as a fundamental corporate governance responsibility. Information security management, defined as ‘the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities’,¹ is becoming a critical corporate discipline, alongside marketing, sales, HR and financial management.

A key corporate governance objective is to ensure that the organisation has an appropriate balance of risk and reward in its business operations and, as a consequence, enterprise risk management (ERM) increasingly provides a framework within which organisations can assess and manage risks in their business plan. The recognition of substantial, strategic risk in information and communication technologies has led to the development of IT governance.²

The changing global economy, together with recent corporate and IT governance developments, all provide the context within which organisations have to assess risks to the information assets on which their organisations, and the delivery of their business plan objectives, depend. Information security management decisions are entirely driven by specific decisions made as an outcome of a risk assessment process in relation to identified risks and specific information assets.

Risk assessment is, therefore, the core competence of information security management.

The early clauses of ISO/IEC 27002:2005 (ISO27002), the international code of best practice for information security management systems, support this business- and risk-oriented approach. Information security requirements should be ‘identified by a methodical assessment of security risks. Expenditure on controls needs to be balanced against the business harm likely to result from security failures’.³

A growing number of organisations are adopting this approach to the management of risk. A number of national or proprietary standards that deal with information security risk management have emerged over the last few years, and they have much in common. ISO27001 is the international standard for information security management and provides an approach to risk management that is consistent with the other guidance discussed in this book. This approach is also appropriate for organisations complying with the PCI DSS.⁴

Of course, every organisation needs to determine its criteria for accepting risks, and identify the levels of risk it will accept. It is a truism to point out that there is a relationship between the levels of risk and reward in any business. Most businesses, particularly those subject to the Sarbanes-Oxley Act of 2002 and, in the UK, the Turnbull Guidance within the Combined Code on Corporate Governance, will want to be very clear about which risks they will accept and which they won’t, the extent to which they will accept risks and how they wish to control them. Management needs to specify its approach, in general and in particular, so that the business can be managed within that context. As we have already indicated, risk assessment, as an activity, should be approached within the context of the organisation’s broader enterprise risk management (ERM) framework.

Whilst ISO27002 is a code of practice, ISO/IEC 27001:2005 (ISO27001) is a specification that sets out the requirements for an information security management system (ISMS). ISO27001 is explicit in requiring a risk assessment to be carried out before any controls⁵ are selected and implemented, and is equally explicit that the selection of every control must be justified by a risk assessment. Risk assessment, as we’ve already said, is therefore, the core competence of information security management.

Organisations that design and implement an ISMS in line with the specification of ISO27001 can have it assessed by a third-party certification body and, if after audit it is found to be in line with ISO27001, an accredited certificate of conformity can be issued.⁶

This standard is increasingly seen as offering a practical solution to the growing range of information-related regulatory requirements, as well as helping organisations to more cost-effectively counter the increasingly sophisticated and varied range of information security threats in the modern information economy.⁷ As a result, a rapidly growing number of companies around the world are seeking certification to ISO27001.

An ISMS developed and based on risk acceptance/rejection criteria, and using third party accredited certification to provide an independent verification of the level of assurance, is an extremely useful management tool. Such an ISMS offers the opportunity to define and monitor service levels internally, as well as in contractor/partner organisations, thus demonstrating the extent to which there is effective control of those risks for which directors and senior management are accountable.

It is becoming increasingly common for ISO27001 certification to be a pre-requisite in service specification procurement documents and, as buyers become more sophisticated in their understanding of the ISO27001 accredited certification scheme, so they will increasingly set out their requirements more specifically, not only in terms of certification itself, but also in respect to the scope of the certification and the level of assurance they require. This rapid maturing in the understanding of buyers, as they seek greater assurance from an accredited certification to ISO27001, is driving organisations to improve the quality of their ISMS and, by definition, to improve the granularity and accuracy of their risk assessments.

The level of assurance relates, of course, directly to the risk assessment and management aspects of creating and maintaining an ISO27001-compliant ISMS. It is this key aspect that ensures that a consistent level of assurance is achieved across all facets of information security within an organisation.

ISO27001 is a specification for an ISMS. As we have said, it is based on risk assessment, both initially and on an ongoing basis. ISO27001 goes so far as to specify the steps that an information security risk assessment must go through, and the level of granularity required of it. While there are many recognised – and valid – approaches to risk assessment, an organisation that wishes to achieve ISO27001 certification must meet the requirements set out in the standard itself. There is no room for half measures: either a risk assessment methodology is in line with the requirements of ISO27001, in which case accredited certification is within reach, or it is not, in which case accredited certification is not going to happen.

This book has been written to expand on guidance that is already contained within other ISO27001 implementation books⁸ by the same authors. It draws on emerging national and international best practice around risk assessment, including ISO/IEC 27005:2008 (ISO27005). It has been written to provide detailed and practical guidance to information security and risk management teams on how to develop and implement a risk assessment and risk management process that will be in line with the requirements of ISO27001, that will reflect the best practice guidance of ISO27005, and which will simultaneously deliver real, bottom-line, business benefits.

1  ISO/IEC 27002:2005, clause 0.1 ‘What is information security?’

2  Other books by the same authors discuss these issues in greater detail. See, for instance, International IT Governance: An Executive Guide to ISO 27001/ISO 17799 (Kogan Page, 2006).

3  ISO/IEC 27002:2005, clause 0.4 ‘Assessing security risks’.

4  Payment Card Industry Data Security Standard, in version 1.2 at the time this book was published.

5  A ‘control’ can be thought of as a countermeasure, or mitigation, for a risk. See A Dictionary of Information Security Terms, Abbreviations and Acronyms (ITGP, 2007).

6  There is a full description of the process of accredited certification in IT Governance: A Manager’s Guide to Data Security and ISO 27001/ISO 27002 by Alan Calder and Steve Watkins (Kogan Page, 2008).

7  See The Case for ISO 27001 by Alan Calder (ITGP, 2005) for detailed coverage of the business, contractual and regulatory reasons that should lead an organisation to consider developing an ISMS in line with the ISO27001 specification.

8  See, in particular, IT Governance: A Manager’s Guide to Data Security and ISO 27001/ISO 27002 (Kogan Page, 2008) and International IT Governance: An Executive Guide to ISO 27001/ISO 17799 (Kogan Page, 2006). Note also the range of ISO27001 implementation guidance titles listed in the resources section at the back of the book.

CHAPTER 1: RISK MANAGEMENT

‘Risk’, says NIST,¹⁰ is the ‘net negative impact of the exercise of a vulnerability, considering both the probability and the impact of occurrence’.¹¹ ISO27001, the international information security standard, doesn’t define risk, although it does provide definitions for the whole range of risk-related activities. ISO/IEC 27000:2009 Information Security Management Systems – Overview and Vocabulary (ISO27000) defines risk in the same way as does ISO Guide 73:2002,¹² which is that risk is the ‘combination of the probability of an event and its consequence’.

The NIST definition of risk is in line with that used in ISO27000, and is the first indicator that a risk assessment that will meet the requirements of ISO27001 will also be in line with the NIST recommendations. ISO27005 defines information security risk as the ‘potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization’, and ISO27001 follows this definition.

All organisations face risks of one sort or another on a daily basis and ISO27001 expects that an organisation’s information security management policy will align with ‘the organization’s strategic risk management context’¹³. It is therefore appropriate to consider, briefly, the organisational risk management context.

Risk management: two phases

Risk management is the process that allows managers to balance the operational and economic costs of protective measures and achieve gains in mission capability by protecting the IT systems and data that support their organisation’s missions.¹⁴

Organisations develop and implement risk management strategies in order to reduce negative impacts and to provide a structured, consistent basis for making decisions around risk mitigation options. Risk management has two phases: risk assessment and risk treatment.

•  Risk assessment is the process of identifying threats and assessing the likelihood of those threats exploiting some organisational vulnerability, as well as the potential impact of such an event occurring.

•  Risk treatment is the process of responding to identified risks.

Risk assessment, also known as risk analysis (ISO27005 treats risk analysis as one step within risk assessment, alongside risk identification and risk evaluation; this book uses the two terms interchangeably), is the process by which risks are identified and assessed. The assessment process then stops. Any decisions and/or actions taken in light of the risk assessment are taken outside the risk assessment process: they belong to risk treatment, which produces the risk treatment plan and is the other constituent of risk management. Risk management is the superset of, and therefore includes, risk assessment.
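As an added example (not code from the book or from the standard), the two phases can be kept apart in a small risk register: the assessment phase only scores and ranks, and the treatment phase records decisions about those scores. The 1-5 likelihood and impact scales, the acceptance threshold of 8, the treatment option names and the sample register are all constructed assumptions; only the two-phase split and the rule that every selected control must be justified by an assessed risk come from the text above.

```python
"""Risk register with the assessment/treatment boundary made explicit.

Added example, not code from the book. Scales, acceptance threshold,
assets, threats, controls and the register itself are constructed here
for illustration.
"""
from dataclasses import dataclass

# Constructed ordinal scales; the 1-5 x 1-5 grid and the threshold are assumptions.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ACCEPTANCE_THRESHOLD = 8  # a risk level at or below this may be accepted without treatment

# Treatment option names as used in ISO27005:2008 (reduce, retain, avoid, transfer).
TREATMENT_OPTIONS = {"reduce", "retain", "avoid", "transfer"}


@dataclass(frozen=True)
class Risk:
    """One line of the risk register: the output of the assessment phase."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str

    @property
    def level(self) -> int:
        # Likelihood x impact on the ordinal scales above.
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


@dataclass(frozen=True)
class Treatment:
    """One decision from the treatment phase, made about an assessed risk."""
    risk: Risk
    option: str
    controls: tuple = ()


def assess(register, threshold=ACCEPTANCE_THRESHOLD):
    """Assessment phase: score and rank. Returns only the risks above the
    acceptance criterion, highest level first. No decisions are taken here."""
    above = [r for r in register if r.level > threshold]
    return sorted(above, key=lambda r: r.level, reverse=True)


def audit_treatment_plan(register, plan, selected_controls, threshold=ACCEPTANCE_THRESHOLD):
    """Return the findings an auditor would raise against a treatment plan:
    unaccepted risks left untreated, treatments with a bad option or no
    control, and selected controls that no assessed risk justifies."""
    findings = []
    treated = {t.risk for t in plan}
    for r in assess(register, threshold):
        if r not in treated:
            findings.append(f"untreated risk above threshold: {r.asset} / {r.threat} (level {r.level})")
    justified = set()
    for t in plan:
        if t.risk not in register:
            findings.append(f"treatment for a risk missing from the register: {t.risk.asset} / {t.risk.threat}")
        if t.option not in TREATMENT_OPTIONS:
            findings.append(f"unknown treatment option '{t.option}' for {t.risk.asset} / {t.risk.threat}")
        if t.option == "reduce" and not t.controls:
            findings.append(f"'reduce' with no control selected: {t.risk.asset} / {t.risk.threat}")
        if t.option == "retain" and t.risk.level > threshold:
            findings.append(f"retained risk above threshold: {t.risk.asset} / {t.risk.threat} (level {t.risk.level})")
        justified.update(t.controls)
    for c in sorted(set(selected_controls) - justified):
        findings.append(f"selected control not justified by any assessed risk: {c}")
    return findings


# Constructed sample register and plan (not real data).
REGISTER = (
    Risk("customer database", "SQL injection via web front end", "unvalidated input", "likely", "severe"),
    Risk("customer database", "disk failure", "single unreplicated volume", "possible", "major"),
    Risk("laptops", "theft", "no full-disk encryption", "possible", "moderate"),
    Risk("office printer", "paper jam", "ageing hardware", "almost certain", "negligible"),
)
PLAN = (
    Treatment(REGISTER[0], "reduce", ("parameterised queries",)),
    Treatment(REGISTER[1], "reduce", ("nightly off-site backup",)),
    Treatment(REGISTER[3], "retain"),
)
SELECTED_CONTROLS = {"parameterised queries", "nightly off-site backup", "visitor badges"}

if __name__ == "__main__":
    for r in assess(REGISTER):
        print(f"{r.level:>3}  {r.asset}: {r.threat}")
    for finding in audit_treatment_plan(REGISTER, PLAN, SELECTED_CONTROLS):
        print("FINDING:", finding)
```

Run as-is, the sample plan yields two findings: the laptop-theft risk (level 9) is above the threshold but has no treatment, and the ‘visitor badges’ control appears in the selected-control set without any assessed risk to justify it. Both are exactly the gaps an ISO27001 certification audit looks for.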

Figure 1: Risk management. Risk assessment/analysis and risk treatment are the two sub-processes of risk management.

While it is true to say that the risk management process starts with a risk assessment, it is helpful to have a broader understanding of the overall environment in which most risk management activity takes place.

Risk management, as we have said, includes both risk assessment (or analysis) and risk treatment, and is a discipline that exists to deal with non-speculative risks: those risks from which only a loss can occur. Speculative risks, those from which either a profit or a loss can occur, are the subject of the organisation’s business strategy. Non-speculative risks, those which can reduce the value of the assets with which the organisation undertakes its speculative activity, are (usually) the subject of a risk management plan (in ISO27001, a ‘risk treatment plan’). These non-speculative risks are sometimes called permanent or ‘pure’ risks, to differentiate them from the crisis and speculative types.

Risk management plans usually have four linked objectives. These are to:

•  eliminate risks;

•  reduce those that can’t be eliminated to ‘acceptable’ levels; and then
