If you’re familiar with ISO 27001, you’ll know that it’s the international standard for information security and contains the certification requirements that are expanded upon throughout the ISO 27000 series.
There are 46 standards in total in the series (although only a few apply to every organisation), of which ISO 27005, the risk management standard, is arguably the most important and easiest to get wrong.
What is risk management?
Risk management is the process of analysing how an organisation could be affected by a disruptive incident and what the consequences would be. This covers any scenario in which the confidentiality, integrity or availability of information is compromised.
Assessing these risks helps inform your decision about the best way to reduce risk to an acceptable level.
Getting this process right is essential, because your entire ISMS (information security management system) is shaped around your response to risks. You need an accurate estimation of how risks will play out in order to prioritise the biggest threats and adopt the appropriate controls.
What does ISO 27005 say?
As with every standard in the ISO 27000 series, ISO 27005 doesn’t prescribe a specific approach to risk management. This is because organisations have their own challenges and must tackle them in a way that suits them.
This differs from other popular risk management methodologies such as OCTAVE and NIST SP 800-30, which prescribe a more fixed set of steps and are sometimes perceived as restricting business efficiency and productivity.
That’s not to say organisations have to figure everything out themselves. ISO 27005 provides a detailed but flexible structure for the risk identification phase, comprising five stages.
- Identify assets: First, you need to locate every piece of information you hold and determine whether it is a ‘primary’ or ‘supporting’ asset. Primary assets are information or business processes; supporting assets are the IT systems, infrastructure, sites and people that the primary assets depend on. Organisations are required to identify primary assets, and the supporting assets whose compromise could affect them, typically recording each asset’s owner, location and function.
- Identify threats: Threats are many and varied, and the threat list should be reviewed continuously so that new and emerging threats are taken into account.
- Identify vulnerabilities: Your organisation will have weaknesses in its technology, its people (human error, malicious action, susceptibility to social engineering, etc.) and its processes, all of which need to be identified. A vulnerability only becomes a risk when there is a threat able to exploit it.
- Identify existing controls: Unlike some other risk assessment methodologies, an ISO 27005 risk assessment requires an organisation to identify all of its existing controls and to take into account the protection they already provide before deciding on any new ones. Otherwise you will overstate the risk and spend on controls you do not need.
- Identify consequences: For each asset, determine what the loss of confidentiality, integrity or availability would mean for the business, since this is the impact side of the risk calculation.
ISO 27005 encourages organisations to focus their response efforts on the biggest threats, so you should use the information you’ve gathered about your assets, vulnerabilities and threats to prioritise the biggest risks.
There are many ways to do this, but the most common approach involves the following equation:
Risk = (the probability of a threat exploiting a vulnerability) x (the impact if that vulnerability is exploited)
Both factors are usually scored on a simple ordinal scale (for example 1 to 5) so that risks can be compared, and the likelihood should reflect the protection of existing controls, not the raw exposure.
Now that you know the level of risk that each scenario poses, you need to decide how you’ll treat them. There are four options:
- Modify the risk by implementing a control that reduces the likelihood of it occurring or the impact if it does. For example, you might address the risk of a work-issued laptop being stolen with a policy that instructs employees to keep devices with them and to store them safely (reducing likelihood), and with full-disk encryption so that a stolen device does not expose the data on it (reducing impact).
- Avoid the risk by ceasing any activity that creates it. This response is appropriate if the risk is too big to manage with a security control. For example, if you’re not willing to take any chances of a laptop being stolen, you might choose to ban employees from using them off-site. This option will make things less convenient for your employees but removes that risk entirely.
- Share the risk with a third party. There are two ways you can do this: by outsourcing the security effort to another organisation or by purchasing cyber insurance to ensure you have the funds to respond appropriately in the event of a disaster. Neither option is ideal, because sharing transfers part of the cost of an incident, not the accountability: you remain responsible for your organisation’s security. They might nevertheless be the best solutions if you lack the resources to tackle the risk yourself.
- Retain the risk. This means that your organisation knowingly accepts the risk, either because it falls within your risk acceptance criteria or because the cost of treating it exceeds the damage it would cause. The decision and its justification should be recorded and approved by the risk owner.
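The five identification stages, the risk equation and the four treatment options above fit together into a risk register. The following Python is an added worked example, not code from the article or from ISO 27005 itself: it scores each risk before and after existing controls, ranks the register by residual risk and picks a treatment. The 1 to 5 scales, the control effectiveness fractions, the acceptance thresholds and the three sample risks are all constructed assumptions for illustration; real values come from your own risk acceptance criteria.

```python
"""ISO 27005-style risk register: identify, score, prioritise and treat.

Added illustration, not the article's own code. Scales, control
effectiveness values and the two thresholds are assumptions chosen for
the example; in practice they come from the risk acceptance criteria
your organisation defines.
"""
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    reduces: str           # "likelihood" or "impact"
    effectiveness: float   # fraction of that factor the control removes (0.0 to 1.0)


@dataclass
class Risk:
    asset: str             # the primary or supporting asset at risk
    threat: str
    vulnerability: str
    likelihood: int        # 1 (rare) .. 5 (almost certain), before any control
    impact: int            # 1 (negligible) .. 5 (severe), before any control
    existing_controls: list = field(default_factory=list)

    def inherent(self) -> int:
        """Risk = probability of a threat exploiting a vulnerability x impact."""
        return self.likelihood * self.impact

    def residual(self) -> float:
        """The same equation once the protection of existing controls is applied."""
        likelihood, impact = float(self.likelihood), float(self.impact)
        for control in self.existing_controls:
            if control.reduces == "likelihood":
                likelihood *= 1.0 - control.effectiveness
            elif control.reduces == "impact":
                impact *= 1.0 - control.effectiveness
            else:
                raise ValueError(f"unknown factor {control.reduces!r}")
        return likelihood * impact


# Assumed acceptance criteria: residual risk at or below RETAIN_AT_MOST is
# retained; above AVOID_ABOVE the activity is stopped rather than controlled;
# anything in between is modified with additional controls.
RETAIN_AT_MOST = 6.0
AVOID_ABOVE = 16.0


def recommend_treatment(risk: Risk) -> str:
    residual = risk.residual()
    if residual <= RETAIN_AT_MOST:
        return "retain"
    if residual > AVOID_ABOVE:
        return "avoid"
    return "modify"


def prioritise(register):
    """Biggest residual risks first, so treatment effort goes there."""
    return sorted(register, key=lambda r: r.residual(), reverse=True)


def treatment_plan(register):
    """(threat, inherent score, residual score, treatment) in priority order."""
    return [(r.threat, r.inherent(), round(r.residual(), 2), recommend_treatment(r))
            for r in prioritise(register)]


def build_register():
    """Constructed sample register: hypothetical assets, scores and controls."""
    fde = Control("Full-disk encryption", "impact", 0.75)
    awareness = Control("Phishing awareness training", "likelihood", 0.4)
    return [
        Risk("Staff laptops", "Laptop theft", "Devices taken off-site", 4, 4, [fde]),
        Risk("Finance mailbox", "Phishing of finance staff",
             "Staff act on spoofed payment requests", 5, 3, [awareness]),
        Risk("Customer records", "Remote exploitation of legacy FTP service",
             "Unmaintained service reachable from the internet", 4, 5),
    ]


if __name__ == "__main__":
    for threat, inherent, residual, treatment in treatment_plan(build_register()):
        print(f"{residual:5.2f} (inherent {inherent:2d})  {treatment:6s}  {threat}")
```

Note what the existing-controls stage does to the ranking: laptop theft has the second-highest inherent score (16), but full-disk encryption already brings its residual score down to 4, so it is retained rather than treated again, while the legacy FTP service with no controls tops the list and crosses the avoid threshold. The thresholds and effectiveness fractions are the parts you would replace with your own criteria; the structure of the calculation is what the standard asks for.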
The method you choose depends on your circumstances. Avoiding the risk is the most effective way of preventing a security incident, but doing so will often be expensive if not impossible. For example, many risks are introduced into an organisation by human error, and you won’t often be able to remove the human element from the equation.
You’ll therefore end up modifying most risks. This involves selecting the relevant information security controls, which are listed in Annex A of ISO 27001 and explained in more detail in ISO 27002, and recording the choices in a risk treatment plan.
You need to keep a record of how you are tackling the risk and inform anyone who might be affected.
For example, if you’ve modified the risk of certain sensitive documents being misappropriated by applying access controls to them, you should tell your employees. This ensures that, should a staff member be denied access when they have a legitimate need to view the information, they know what the issue is and what action to take.
Likewise, if you’re avoiding a risk by no longer doing whatever it is that caused the problem, you also need to pass on the message to your staff.
Risk management (and ISO 27001 compliance generally) is an ongoing process, so you need to regularly monitor your treatment plan. This serves two purposes. First, it enables you to check whether the treatment options you selected are working as intended. You might find that a control you implemented isn’t addressing the risk as well as you’d hoped, or that it simply isn’t appropriate. Likewise, you might have chosen to avoid certain risks but find that the activity, and therefore the risk, is still present.
Second, it enables you to assess the changing threat landscape. New risks will have emerged and existing ones might have changed in likelihood or impact, forcing you to reassess your priorities and your approach to risk management.
Written by Luke Irvin, IT Governance.