INFORMATION SECURITY RISK MANAGEMENT FOR ISO 27001
ContinuityToday.com
Alan Calder, author of ‘Information Security Risk Management for ISO27001/ISO17799’, explains why risk assessment is the cornerstone of information security management.
In today’s information economy, the development, exploitation and protection of information assets are key to the long-term competitiveness and survival of both corporations and entire economies. The protection of information assets – ‘information security’ – is therefore overtaking physical asset protection as a fundamental corporate governance responsibility.
ISO/IEC 17799: 2005, the international standard setting out best practice in infosecurity, defines information security management as ‘the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximise return on investments and business opportunities’. This responsibility is therefore becoming a critical corporate discipline, ranking alongside marketing, sales, HR and financial management.
A key corporate governance objective is to ensure that the organization has an appropriate balance of risk and reward in its business operations. Enterprise Risk Management increasingly provides the framework within which organizations assess and manage risks in their business plan. Information security management decisions must be based upon a thorough appraisal of the risks facing information assets, making risk assessment the core competence of information security management.
A growing number of organizations are adopting this approach, and several national or proprietary standards for information security risk management have emerged over the last few years. ISO27001 is the international standard for information security management and supports this business- and risk-oriented approach. It requires that information security requirements be identified by a methodical assessment of security risks, so that expenditure on controls or countermeasures may be balanced against the business harm likely to result from security failures.
ISO27001 is explicit in requiring a risk assessment to be carried out before any controls are selected and implemented. It is equally explicit that the selection of every control must be justified by a risk assessment, underlining the central role of risk assessment in information security management.
This standard is increasingly seen as offering a practical solution to the growing range of information-related regulatory requirements, as well as helping organizations to protect their information assets cost-effectively. As a result, a rapidly growing number of companies around the world are seeking certification to ISO27001.
Naturally, the level of assurance that ISO27001 can give will relate directly to the risk assessment and management aspects of creating and maintaining the management system. It is this key aspect that ensures that a consistent level of assurance is achieved across all facets of information security within an organization.
While there are many recognised – and valid – approaches to risk assessment, an organization that wishes to achieve ISO27001 certification must meet the requirements set out in the standard itself. There is no room for half measures: either your risk assessment methodology is in line with the requirements of ISO27001 - in which case accredited certification is within your grasp - or it is not, in which case accredited certification is not going to happen.
This book sets out, clearly and thoroughly, how to carry out such an assessment. It draws on emerging national and international best practice around risk assessment, including BS7799-3:2006. It has been written to provide detailed and practical guidance to information security and risk management teams on how to develop and implement a risk assessment and risk management process that will be in line with the requirements of ISO27001 and which will simultaneously deliver real, bottom-line, business benefits.