Security Techniques Information Security Risk Management
Introduction
Information Security Risk Management, as proposed by this standard, goes beyond specific passwords, firewalls, filters and encryption. Its comprehensive approach, currently part of the growing ISO/IEC 27000 family of standards for information security management systems, helps businesses take a structured approach to managing information security risks. It is a supportive standard which provides guidelines.
However, this standard does not go into the details of giving strict specifications and recommendations, or of naming any specific risk analysis method, although it specifies rigorous processes which should be undertaken by organizations in order to create a risk treatment plan.
What is Information Security Risk Management?
Information Security Risk Management consists of the coordinated activities that direct and control an organization so that it effectively assesses and addresses information security risks over time.
Organizations of any size and type can benefit from this standard by engaging in a comprehensive and systematic preventive, protective, preparatory and mitigation process. Simply drafting a response plan that anticipates and minimizes the consequences of information security incidents is no longer sufficient; organizations also need to take adaptive and proactive measures to reduce the probability of such an event.
An effective information security risk management process, as recommended by ISO/IEC 27005, is key to a successful ISMS, since the ISO/IEC 27000 series is deliberately risk-aligned: organizations must first assess risks before coming up with management and risk treatment plans.
ISO/IEC 27005 was developed to help organizations improve their information security risk management and minimize the risk of business disruption.
Although the standard does not name them, it allows the use of risk assessment methods such as OCTAVE, EBIOS, MEHARI and NIST 800-30 when carrying out risk treatment. Whichever method is chosen, an organization using this standard would still learn how to implement, conduct and maintain a formal process of risk assessment, risk treatment, risk acceptance, communication, consultation, monitoring and review.
Key clauses of ISO/IEC 27005:2011
ISO/IEC 27005 is organized into the following main clauses:
Clause 5: Background
Clause 6: Overview of the information security risk management process
Clause 7: Context establishment
Clause 8: Information security risk assessment
Clause 9: Information security risk treatment
Clause 10: Information security risk acceptance
Clause 11: Information security risk communication and consultation
Clause 12: Information security risk monitoring and review
Clause 5: Background
The information security risk management process can be applied to part of an organization (e.g. a department, physical location or service), to the organization as a whole, and to any information system. The approach to information security risk management must be systematic in order to be effective, and it should be aligned with the overall objectives of the organization.
Clause 6: Overview of the information security risk management process
ISO/IEC 27005:2011 proposes a risk management process which follows the 7 stages shown in the table below:
These stages can be repeated in a cyclical process, and throughout the process there should be proper risk communication and consultation in place.
Clause 7: Context establishment
This clause gives guidance on the information about the organization that is relevant to establishing the information security risk management context. It defines the basic criteria which need to be established for the risk management approach, risk evaluation, impact, and risk acceptance.
Basic Criteria
An appropriate risk management approach addressing the basic criteria needs to be selected. Moreover, the organization has to assess whether it has the resources needed to:
- Perform risk assessment and establish a risk treatment plan
- Define and implement policies and procedures, including implementation of the controls selected
- Monitor controls
- Monitor the information security risk management process.
Afterwards, a number of issues need to be considered when developing the risk evaluation criteria, such as:
- The strategic value of the business information process
- The criticality of the information assets involved
- Legal and regulatory requirements, and contractual obligations
- The operational and business importance of availability, confidentiality and integrity
- The expectations and perceptions of stakeholders, and negative consequences for goodwill and reputation
The impact criteria should also be determined, specifying how an information security event would affect information assets, operations, business, financial value, plans, deadlines, reputation, and legal, regulatory or contractual requirements.
The risk acceptance criteria depend on the organization, and may include, for example, multiple thresholds with a desired target level of risk, with exceptions approved by top management. These criteria can be expressed as a ratio of estimated profit to estimated risk.
Scope and boundaries
The scope of information security risk management needs to be defined by the organization. This enables the organization to make sure that the relevant assets are considered in the risk assessment. The scope of information security risk management usually takes in the organization's strategic business objectives, functions, legal requirements, contractual requirements, information security policy, overall approach to risk, geographical locations, constraints and interfaces.
Organization for information security risk management
Information security risks should be managed through an organization which develops the information security risk management processes, analyses the stakeholders, defines the responsibilities of each internal and external party and the decision escalation path, and specifies the records which need to be kept.
Clause 8: Information security risk assessment
Risk assessment determines the value of the information assets, identifies the applicable threats and vulnerabilities that exist (or may exist) together with the existing controls and their effect on the identified risk, determines the potential consequences, and finally prioritizes the derived risks and ranks them against the risk evaluation criteria set during context establishment.
The following activities are involved in the risk assessment:
- Risk identification
- Risk analysis
- Risk evaluation
Risk identification
The purpose of risk identification is to determine what may happen to cause a potential loss, and to gain insight into how, where and why the loss might happen. Risk identification includes the following steps:
- Identification of assets – including more than just hardware and software
- Identification of threats – which may be of natural or human origin, and accidental or deliberate
- Identification of existing controls – a list of controls can be found in ISO/IEC 27001
- Identification of vulnerabilities – which may exist in the organization, its processes and procedures, management routines, personnel, physical environment, information system configuration, hardware, software or communications equipment, and dependence on external parties
- Identification of consequences – which may manifest as a loss of effectiveness, adverse operating conditions, loss of business, reputational damage, etc.
Risk analysis
The risk analysis sub-clause is divided into the following sections:
- Risk analysis methodologies – can be qualitative or quantitative.
- Assessment of consequences – heavily reliant on asset valuation.
- Assessment of incident likelihood – takes into account how often the threats occur and how easily the vulnerabilities may be exploited.
- Level of risk determination – outputs a list of risks with a value or level assigned to each.
Risk evaluation
Taking into consideration the understanding gained from the risk analysis, risk evaluation covers the decisions which need to be taken: whether an activity should be undertaken or not, and what the priorities for risk treatment are, given the estimated levels of risk.
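The following is an added worked example, not part of the original paper, of the "level of risk determination" and "risk evaluation" steps described above. The additive scoring scheme (asset value 0–4 plus a likelihood index and an ease-of-exploitation index, each 0–2, giving a risk level 0–8), the acceptance threshold and the sample risk register are all assumptions constructed here for illustration.

```python
# Added example: a minimal risk-level calculation of the kind described under
# "Risk analysis" and "Risk evaluation". The scoring scheme and the register
# below are assumptions constructed for illustration, not taken from ISO/IEC 27005.
from dataclasses import dataclass

LIKELIHOOD = {"low": 0, "medium": 1, "high": 2}  # how often the threat occurs
EASE = {"low": 0, "medium": 1, "high": 2}        # how easily the vulnerability is exploited


@dataclass(frozen=True)
class Scenario:
    asset: str
    asset_value: int      # 0 (negligible) .. 4 (critical), from asset valuation
    threat: str
    likelihood: str       # key of LIKELIHOOD
    vulnerability: str
    ease: str             # key of EASE


def risk_level(s: Scenario) -> int:
    """Level of risk determination: combine the consequence (asset value)
    with the incident likelihood (threat frequency and ease of exploitation)."""
    if not 0 <= s.asset_value <= 4:
        raise ValueError(f"asset value out of range: {s.asset_value}")
    return s.asset_value + LIKELIHOOD[s.likelihood] + EASE[s.ease]


def evaluate(register, acceptance_threshold: int):
    """Risk evaluation: rank scenarios by level (highest first) and flag those
    above the acceptance criterion as requiring treatment."""
    ranked = sorted(register, key=risk_level, reverse=True)
    return [(s, risk_level(s), risk_level(s) > acceptance_threshold) for s in ranked]


# Constructed sample register (illustrative, not real data).
REGISTER = [
    Scenario("customer database", 4, "unauthorised access", "medium", "weak access control", "high"),
    Scenario("public website", 2, "defacement", "high", "unpatched CMS", "medium"),
    Scenario("office printer", 0, "hardware failure", "medium", "no maintenance contract", "low"),
]

if __name__ == "__main__":
    # Acceptance threshold of 4 is an assumed criterion set during context establishment.
    for s, level, needs_treatment in evaluate(REGISTER, acceptance_threshold=4):
        status = "treat" if needs_treatment else "retain"
        print(f"{level}  {status:6}  {s.asset}: {s.threat} via {s.vulnerability}")
```

Scenarios flagged "treat" feed the risk treatment options in Clause 9, while those at or below the threshold are candidates for risk retention.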
Clause 9: Information security risk treatment
According to this clause, risk can be treated through risk modification, risk retention, risk avoidance and risk sharing, the selection being based on the risk assessment outcomes and a cost-benefit analysis.
Risk modification: This is achieved by changing the controls which protect assets, through correction, elimination, prevention, impact minimization, deterrence, detection, recovery, monitoring and awareness. When changing the controls, it is important to make sure that the solution satisfies both performance requirements and information security. Constraints such as time, financial and technical constraints are usually a hindrance when trying to change the controls to modify the risk.
Risk retention: If the risk evaluation shows that the risk is acceptable, it can simply be retained with no need to change any controls.
Risk avoidance: This is achieved by completely avoiding the activity or condition which gives rise to the risk. This option is suitable when the costs of treating a risk are too high, or the risk itself is too high.
Risk sharing: This risk treatment option involves other parties such as insurance companies, or sub-contractors who would monitor the information system against an attack. However, this does not mean that the liability is shared, since the responsibility for the consequences still lies with the organization.
Clause 10: Information security risk acceptance
Following risk treatment, an organization needs to decide whether to accept the residual risk, which has been reviewed and approved by the responsible managers. The accepted risks are then listed by the organization, with a justification for any that do not meet the organization's normal risk acceptance criteria.
Clause 11: Information security risk communication and consultation
According to this clause, information security risks need to be communicated between the responsible individuals and the stakeholders. This communication should provide assurance about the outcome of risk management, share the results of the risk assessment, support decision-making, improve awareness, etc. The organization should develop a risk communication plan for both normal operations and emergency situations. The outcome of all this should be a continual understanding of the organization's information security risk management process and results.
Clause 12: Information security risk monitoring and review
This clause covers monitoring and review of information security risk factors as well as of the risk management process itself.
Monitoring and review of risk factors: Since risks may change due to changes in vulnerabilities, likelihood or consequences, the organization needs to monitor them constantly. In particular, the organization needs to monitor the following:
- New assets within the scope of risk management
- Modified asset values
- New threats
- New vulnerabilities
- Increased impact or consequences which result in unacceptable level of risk
- Information security incidents
Monitoring and review of risk management, and improvement: Ongoing monitoring and review of information security risk management are necessary so that the organization can make sure that the context, the risk assessment outcome, and the risk treatment and management plans remain relevant and appropriate to the circumstances. Further, the necessary improvements need to be made with the knowledge of the appropriate managers. The issues which need to be addressed at this stage are: verification of the existing criteria, the legal and environmental context, the competitive context, the risk assessment approach, asset values and categories, total cost of ownership, and the necessary resources. The result of this monitoring and improvement could be the modification of, or additions to, the approach, methodology or tools used in the risk management process.
ISO/IEC 27000 family of standards
ISO/IEC 27005 is a supporting and informative standard for other standards, especially those related to information security. A partial list of those standards is given in the table below:
Link with other information security standards and methods
There are other widely used standards which are related to ISO/IEC 27005, such as:
- ISO 31000
- OCTAVE – Operationally Critical Threat, Asset, and Vulnerability Evaluation
- EBIOS – Expression des Besoins et Identification des Objectifs de Sécurité developed by ANSSI in France
- MEHARI method – Method for Harmonized Analysis of Risk
- NIST 800-30 – National Institute of Standards and Technology
- Harmonized TRA method – (The Right Approach)
Links with ISO/IEC 27001 and ISO 31000
ISO/IEC 27005 is closely linked with the parts of ISO/IEC 27001 which deal with risk management. ISO/IEC 27005's generic framework for risk management applied to information security is in fact a detailed elaboration of Clauses 4.2.1c to 4.2.1h and 4.2.3d of ISO/IEC 27001, and it is also closely linked with the generic risk management framework of ISO 31000. ISO/IEC 27005:2011 is aligned with the generic requirements for risk management as presented in ISO 31000.
Information security risk management – the business benefits
As with all major undertakings within an organization, it is essential to gain the backing, support and sponsorship of executive management. Often the best way to achieve this is to illustrate the advantages of having an effective information security risk management process in place, rather than to highlight the negative consequences of not having one.
An organization which adopts ISO/IEC 27005 – Information Security Risk Management – will attain a number of benefits, including the following:
- Increase the likelihood of achieving information security objectives and the general objectives of the organization
- Encourage proactive information security management
- Be aware of the need to identify and treat information security risk throughout the organization
- Improve the identification of opportunities and threats to the information security
- Comply with relevant legal and regulatory requirements and international norms
- Improve mandatory and voluntary reporting
- Improve governance
- Improve stakeholder confidence and trust
- Establish a reliable basis for decision making and planning
- Improve controls
- Effectively allocate and use resources for information security risk treatment
Implementation of Information Security Risk Management
Most of the time, the decision to implement an information security management system based on ISO/IEC 27005 is a very simple one, as the benefits are well documented. Most companies now realize that it is not sufficient to implement a generic, "one size fits all" information security plan.
A framework has been developed by PECB for information security risk management as shown below:
The table below gives a short description of the official training courses for Information Security Risk Management based on ISO/IEC 27005.
Choosing the right certification
The "Certified ISO/IEC 27005 Risk Manager" credential is a professional certification for those needing to demonstrate the competence to implement, maintain and manage an ongoing information security risk management program according to ISO/IEC 27005, while the Provisional Risk Manager credential is granted to those who do not yet have sufficient professional experience but have completed the training and passed the exam.
Based on your overall professional experience and acquired qualifications, you will be granted one of these certifications.