
Risk Assessment for ISO/IEC 27001:2005

Risk assessment is the core competence of information security management


Information security management decisions are driven by the outcome of a risk assessment: the risks identified for specific information assets determine which controls are selected. Risk assessment enables expenditure on controls to be balanced against the business harm likely to result from security failures.


The key book on risk assessment is Information Security Risk Management for ISO27001/ISO17799 (Alan Calder and Steve G Watkins, ITGP, 2007), and the key tool is vsRisk™, the definitive ISO27001 Risk Assessment Tool.


In today’s information economy, the protection of information assets (‘information security’) is rapidly overtaking physical asset protection as a fundamental governance responsibility. Information security management, defined as ‘the protection of information from a wide range of threats in order to ensure business continuity, minimise business risk, and maximise return on investments and business opportunities’, is becoming a critical business discipline in both the private and public sectors.

Risk Assessment Standards

ISO/IEC 27001:2005 (‘ISO27001’) is a specification that sets out the requirements for an information security management system (‘ISMS’). ISO27001 is explicit in requiring a risk assessment to be carried out before any controls are selected and implemented and is equally explicit that the selection of every control must be justified by a risk assessment. The risk assessment must, for each asset within scope, identify the threat/vulnerability combinations that have a likelihood of impacting the confidentiality, availability or integrity of that asset - from a business, compliance or contractual perspective. 


There are a number of other information security and risk assessment standards that support or are similar to ISO27001, including:

  • ISO/IEC 27002:2005 (which was ISO/IEC 17799:2005)
  • BS7799-3:2006
  • ISO/IEC TR 13335-3:1998
  • NIST SP 800-26 and NIST SP 800-30
  • The UK Risk Assessment Standard

ISO27001 is increasingly seen as offering a practical solution to the requirements of the UK's Data Protection Act, as well as helping organisations counter today’s increasingly sophisticated and varied range of information security threats more cost-effectively. As a result, a growing number of private and public sector organisations around the world are seeking certification to ISO27001.


An ISMS built on explicit risk acceptance/rejection criteria, and verified through third-party accredited certification that provides independent assurance, is an extremely useful management tool. Such an ISMS offers the opportunity to define and monitor service levels internally as well as in contractor/partner organisations, thus demonstrating the extent to which the risks for which directors and senior management are accountable are under effective control.
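The following is an added worked example, not code from the page, from IT Governance or from any vendor tool. It shows the asset-based register the text describes: for each asset, a threat/vulnerability pair affecting confidentiality, integrity or availability is scored, compared against a risk acceptance criterion, and then used to justify (or reject) each selected control. The 1–5 likelihood and impact scales, the likelihood × impact score, the acceptance threshold, the register entries and the control names are all this example's own constructed assumptions; ISO27001 requires the assessment and the justification but leaves the scoring method to the organisation.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Added example, not part of the original page or of any vendor tool.
# The scales, the likelihood x impact score and the acceptance threshold are
# assumptions chosen for illustration; ISO27001 does not prescribe them.

CIA = ("C", "I", "A")  # confidentiality, integrity, availability


@dataclass(frozen=True)
class RiskScenario:
    risk_id: str
    asset: str
    threat: str
    vulnerability: str
    property: str      # which of C, I or A the threat/vulnerability pair affects
    likelihood: int    # 1 (rare) .. 5 (almost certain)
    impact: int        # 1 (negligible) .. 5 (severe business harm)

    def score(self) -> int:
        return self.likelihood * self.impact


def assess(scenarios: Iterable[RiskScenario], threshold: int) -> Dict[str, Tuple[int, bool]]:
    """Score every scenario and apply the acceptance criterion.

    Returns risk_id -> (score, accepted). A risk is accepted when its score is
    at or below the threshold; anything above it must be treated by a control.
    """
    results: Dict[str, Tuple[int, bool]] = {}
    for s in scenarios:
        if s.property not in CIA:
            raise ValueError(f"{s.risk_id}: property must be one of {CIA}")
        if not (1 <= s.likelihood <= 5 and 1 <= s.impact <= 5):
            raise ValueError(f"{s.risk_id}: likelihood and impact must be in 1..5")
        score = s.score()
        results[s.risk_id] = (score, score <= threshold)
    return results


def unjustified_controls(assessment: Dict[str, Tuple[int, bool]],
                         control_map: Dict[str, List[str]]) -> List[str]:
    """Controls that treat no non-accepted risk.

    ISO27001 requires the selection of every control to be justified by the
    risk assessment, so a control mapped only to accepted (or unknown) risks
    is flagged.
    """
    flagged = []
    for control, risk_ids in control_map.items():
        treats_live_risk = any(
            rid in assessment and not assessment[rid][1] for rid in risk_ids
        )
        if not treats_live_risk:
            flagged.append(control)
    return flagged


def untreated_risks(assessment: Dict[str, Tuple[int, bool]],
                    control_map: Dict[str, List[str]]) -> List[str]:
    """Non-accepted risks that no selected control treats (gaps in the plan)."""
    treated = {rid for ids in control_map.values() for rid in ids}
    return sorted(rid for rid, (_, accepted) in assessment.items()
                  if not accepted and rid not in treated)


# Constructed sample register: assets, threat/vulnerability pairs and scores
# are invented for illustration.
REGISTER = [
    RiskScenario("R1", "HR database", "unauthorised access",
                 "shared administrator password", "C", likelihood=4, impact=5),
    RiskScenario("R2", "HR database", "storage failure",
                 "backups never test-restored", "A", likelihood=2, impact=4),
    RiskScenario("R3", "Public website", "content tampering",
                 "delayed CMS patching", "I", likelihood=3, impact=2),
    RiskScenario("R4", "Visitor log", "loss of paper record",
                 "single paper copy", "A", likelihood=2, impact=1),
]

ACCEPTANCE_THRESHOLD = 6  # assumption: scores of 6 or less are accepted

# Constructed control selection: control name -> risks it is meant to treat.
CONTROLS = {
    "Privileged account password management": ["R1"],
    "Visitor badge procedure": ["R4"],
}


def run_example() -> Tuple[Dict[str, Tuple[int, bool]], List[str], List[str]]:
    assessment = assess(REGISTER, ACCEPTANCE_THRESHOLD)
    return (assessment,
            unjustified_controls(assessment, CONTROLS),
            untreated_risks(assessment, CONTROLS))


if __name__ == "__main__":
    assessment, unjustified, untreated = run_example()
    for rid, (score, accepted) in assessment.items():
        print(f"{rid}: score {score:2d} -> {'accept' if accepted else 'TREAT'}")
    print("controls with no justifying risk:", unjustified)
    print("non-accepted risks with no control:", untreated)
```

In the sample run, R1 (20) and R2 (8) exceed the threshold while R3 (6) and R4 (2) are accepted; the visitor badge procedure is therefore flagged as a control with no justifying risk, and R2 is flagged as a non-accepted risk with no treating control. Both lists would be empty in a register that satisfies the page's two requirements: every control justified by a risk, and every unaccepted risk addressed.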

Risk Assessment Tools

It is extremely difficult to carry out a risk assessment that will meet the requirements of ISO27001 without using a specialist information security risk assessment tool. While a wide range of products on the market claim to meet these requirements, very few actually do. There are two standalone tools that are worth assessing:

  • vsRisk™ - the definitive ISO27001 Risk Assessment Tool
  • RA2 - the Art of Risk

© 2003 - 2008 IT Governance Ltd.