Effective risk management is essential to achieving ISO 27001 certification and maintaining and improving an information security management system (ISMS). ISO 27001 states clearly that an ISMS should “align with the organisation’s strategic risk management context”, “establish criteria against which risk will be evaluated” and “identify a risk assessment methodology that is suited to the ISMS”. But, while calling for risk management, the Standard does not further define the term or outline any details of a suitable methodology.
ISO/IEC 27005:2011 provides guidelines for information security risk management and supports the general concepts specified in ISO 27001. Last updated in 2011, this standard is designed to assist the implementation of an ISMS based on a risk management approach. In order to gain a complete understanding of ISO/IEC 27005:2011, managers and directors first need to have a knowledge of the concepts, models, processes and terminologies described in ISO 27001 and ISO 27002.
Flexible approach designed for business needs
ISO 27005 allows organisations to select their own approach to risk assessment based on the objectives and assessment aims of the business. This approach is markedly different from other popular risk management standards such as OCTAVE and NIST SP 800-30, which adopt a one-size-fits-all approach and are acknowledged by expert risk managers as tending to restrict business efficiency and productivity.
ISO 27005 supports the flexible needs of a business with the following risk analysis approach:
Assets are classified into primary and supporting categories, where primary assets are information or business processes and supporting assets are related IT systems, infrastructure and people resources. Organisations are required to identify primary assets and supporting assets that could have an impact on the primary asset, typically giving details about asset ownership, location and function.
Threats can be many and varied, and should be monitored continuously, in a way that is consistent with the business environment and takes new and emerging threats into account.
Identify existing controls
Unlike other risk assessment methodologies, an ISO 27005 risk assessment requires organisations to identify all of their existing controls and to take into account the protection those controls already provide before applying any new ones.
Identify vulnerabilities and the impact of their exploitation
Risk = (probability of a threat exploiting a vulnerability) × (total impact of that vulnerability being exploited)
An ISO 27005 risk assessment supports prioritisation, and risks can be estimated either qualitatively (for example, rated high, medium or low) or quantitatively (for example, measured in cost or man-hours). Bear in mind that, while quantitative assessment is desirable, estimating probability is often difficult without subjective input.
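As a worked illustration of the approach described above (an example added here, not material from the Standard or from this course), the following Python risk register links supporting assets to the primary assets they underpin, credits existing controls before any new ones are considered, scores each risk as probability × impact, and then bands and prioritises the results. All asset names, control factors, thresholds and figures are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    kind: str      # "primary" (information/process) or "supporting" (system, site, people)
    owner: str
    location: str
    supports: list = field(default_factory=list)  # primary assets a supporting asset underpins

@dataclass
class Control:
    name: str
    likelihood_factor: float = 1.0  # multiplier applied to probability (1.0 = no effect)
    impact_factor: float = 1.0      # multiplier applied to impact (1.0 = no effect)

@dataclass
class Risk:
    asset: Asset
    threat: str
    vulnerability: str
    probability: float  # likelihood of the threat exploiting the vulnerability (0..1)
    impact: float       # loss if exploited, here in pounds (constructed figures)
    existing_controls: list = field(default_factory=list)

def residual_score(r):
    """Risk = probability x impact, after crediting controls already in place."""
    p, i = r.probability, r.impact
    for c in r.existing_controls:
        p *= c.likelihood_factor
        i *= c.impact_factor
    return round(p * i, 2)

def band(score, medium=1000.0, high=5000.0):
    """Qualitative rating derived from the quantitative score; thresholds are assumed."""
    return "high" if score >= high else "medium" if score >= medium else "low"

def prioritise(risks):
    """Highest residual risk first, so treatment effort goes where it matters most."""
    return sorted(risks, key=residual_score, reverse=True)

# Constructed register entries: one primary asset, one supporting asset, three risks.
customer_db = Asset("Customer records", "primary", "Head of Sales", "Datacentre A")
db_server = Asset("DB server", "supporting", "IT Ops", "Datacentre A", supports=[customer_db])
patching = Control("Monthly patching", likelihood_factor=0.5)
backups = Control("Offline backups", impact_factor=0.3)
encryption = Control("Disk encryption", impact_factor=0.1)
REGISTER = [
    Risk(db_server, "Ransomware", "Unpatched OS", 0.4, 100_000, [patching, backups]),
    Risk(customer_db, "Insider misuse", "Excessive access rights", 0.1, 20_000),
    Risk(db_server, "Theft of hardware", "Physical access not logged", 0.05, 500_000, [encryption]),
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{band(residual_score(r)):6} {residual_score(r):>10.2f}  {r.asset.name}: {r.threat} via {r.vulnerability}")
```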
Learn how to deliver effective ISO 27005 risk management
Our three-day ISO 27005 Certified ISMS Risk Management classroom course is designed to provide attendees with the knowledge and skills required to fully implement an effective ISO 27001-compliant risk management programme. The next session is running in London on 16-18 May.