InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
The document “Step-by-Step Explanation of ISO 27001/ISO 27005 Risk Management” by Advisera Expert Solutions offers a comprehensive guide to implementing effective information security risk management in alignment with ISO 27001 and ISO 27005 standards. It aims to demystify the process, providing practical steps for organizations to identify, assess, and treat information security risks efficiently. Advisera
1. Introduction to Risk Management
Risk management is essential for organizations to maintain competitiveness and achieve objectives. It involves identifying, evaluating, and treating risks, particularly those related to information security. The document emphasizes that while risk management can be complex, it doesn’t have to be unnecessarily complicated. By adopting structured methodologies, organizations can manage risks effectively without excessive complexity.
2. Six Basic Steps of ISO 27001 Risk Assessment and Treatment
The risk management process is broken down into six fundamental steps:
Risk Assessment Methodology: Establishing consistent rules for conducting risk assessments across the organization.
Risk Assessment Implementation: Identifying potential problems, analyzing, and evaluating risks to determine which need treatment.
Risk Treatment Implementation: Developing cost-effective strategies to mitigate identified risks.
ISMS Risk Assessment Report: Documenting all activities undertaken during the risk assessment process.
Statement of Applicability: Summarizing the results of risk treatment and serving as a key document for auditors.
Risk Treatment Plan: Outlining the implementation of controls, including responsibilities, timelines, and budgets.
Management approval is crucial for the Risk Treatment Plan to ensure the necessary resources and commitment for implementation.
3. Crafting the Risk Assessment Methodology
Developing a clear risk assessment methodology is vital. This involves defining how risks will be identified, analyzed, and evaluated. The methodology should ensure consistency and objectivity, allowing for repeatable and comparable assessments. It should also align with the organization’s context, considering its specific needs and risk appetite.
4. Identifying Risks: Assets, Threats, and Vulnerabilities
Effective risk identification requires understanding the organization’s assets, potential threats, and vulnerabilities. This step involves creating an inventory of information assets and analyzing how they could be compromised. By mapping threats and vulnerabilities to assets, organizations can pinpoint specific risks that need to be addressed.
5. Assessing Consequences and Likelihood
Once risks are identified, assessing their potential impact and the likelihood of occurrence is essential. This evaluation helps prioritize risks based on their severity and probability, guiding the organization in focusing its resources on the most significant threats. Both qualitative and quantitative methods can be employed to assess risks effectively.
6. Implementing Risk Treatment Strategies
After assessing risks, organizations must decide on appropriate treatment strategies. Options include avoiding, transferring, mitigating, or accepting risks. Selecting suitable controls from ISO 27001 Annex A and integrating them into the Risk Treatment Plan ensures that identified risks are managed appropriately. The plan should detail the implementation process, including responsible parties and timelines.
7. Importance of Documentation and Continuous Improvement
Documentation plays a critical role in the risk management process. The ISMS Risk Assessment Report and Statement of Applicability provide evidence of the organization’s risk management activities and decisions. These documents are essential for audits and ongoing monitoring. Furthermore, risk management should be a continuous process, with regular reviews and updates to adapt to changing threats and organizational contexts.
By following these structured steps, organizations can establish a robust risk management framework that aligns with ISO 27001 and ISO 27005 standards, enhancing their information security posture and resilience.
Continual improvement doesn’t necessarily entail significant expenses. Many enhancements can be achieved through regular internal audits, management reviews, and staff engagement. By fostering a culture of continuous improvement, organizations can maintain an ISMS that effectively addresses current and emerging information security risks, ensuring resilience and compliance with ISO 27001 standards.
At DISC InfoSec, we streamline the entire process—guiding you confidently through complex frameworks such as ISO 27001, and SOC 2.
Here’s how we help:
Conduct gap assessments to identify compliance challenges and control maturity
Deliver straightforward, practical steps for remediation with assigned responsibility
Ensure ongoing guidance to support continued compliance with standard
Confirm your security posture through risk assessments and penetration testing
Let’s set up a quick call to explore how we can make your cybersecurity compliance process easier.
Feel free to get in touch if you have any questions about the ISO 27001 Internal audit or certification process.
Successfully completing your ISO 27001 audit confirms that your Information Security Management System (ISMS) meets the required standards and assures your customers of your commitment to security.
Get in touch with us to begin your ISO 27001 audit today.
Third-party risk assessments are often described as time-consuming, repetitive, overwhelming, and outdated. Think about it: organizations, on average, have over 5,000 third parties, meaning they may feel the need to conduct over 5,000 risk assessments. In the old school method, that’s 5,000 redundant questionnaires. 5,000 long-winded Excel sheets. No wonder they feel this way.
The reason why risk assessments have become so dreaded is that it has always been a process of individual inspection and evaluation. For perspective, that’s roughly 14 risk assessments completed per day in the span of one year. How can we expect security, risk, and procurement professionals to get any other work done with this type of task on their plate? With the state of today’s threat landscape, wouldn’t you rather your security team be focused on actual analysis and mitigation, rather than just assessing? And, not to mention the fact that a tedious risk assessment process will contribute to burnout that can lead to poor employee retention within your security team. With how the cybersecurity job market is looking now, this isn’t a position any organization wants to be in.
So, now that you know how the people actually with their ‘hands in the pot’ feel about risk assessments, let’s take a look at why this approach is flawed and what organizations can do to build a better risk assessment process.
The never-ending risk assessment carousel ride
The key to defeating cybercriminals is to be vigilant and proactive. Not much can be done when you’re reacting to a security incident as the damage is already done. Unfortunately, the current approach to risk management is reactive, and full of gaps that do not provide an accurate view into overall risk levels. How so? Current processes only measure a point-in-time and do not account for the period while the assessment is being completed–or any breaches that occurred after the assessment was submitted. In other words, assessments will need to be routinely refilled out, a never-ending carousel ride, which is not feasible.
It should come to no surprise that assessments are not updated nearly as much as they should be, and that’s to no one’s fault. No one has the time to continually fill out long, redundant Excel sheets. And, not to mention, unless the data collected is standardized, very little can be done with it from an analysis point of view. As a result, assessments are basically thrown in a drawer and never see the light of day.
Every time a third-party breach occurs there is a groundswell of concern and company executives and board members immediately turn to their security team to order risk assessments, sending them on a wild goose chase. What they don’t realize is that ordering assessments after a third-party breach has occurred is already too late. And the organizations that are chosen for a deeper assessment are most likely not the ones with the highest risk. Like a never-ending carousel ride, the chase for risk assessments will never stop unless you hop off the ride now.
Show me the data!
The secret ingredient for developing a better risk management collection process is standardized data. You can’t make bread without flour, and you can’t have a robust risk management program without standardized data. Standardized data is the process of gathering data in a common format, making it easier to conduct an analysis and determine necessary next steps. Think of it this way, if you were looking at a chart comparing student test grades and they were all listed in various formats (0.75, 68%, 3/16, etc.), you would have a difficult time comparing these data points. However, if all the data is listed in percentages (80%, 67%, 92%, etc.), you could easily identify who is failing and needs more support in the classroom. This is the way using standardized data in the risk assessment process works. All data collected from assessments would be in the same format and you can understand which third parties are high risk and require prioritized mitigation.
CISOs who are still focused on point-in-time assessments are not getting it right. Organizations need to understand that risk assessment collection alone does not in fact equal reduced risk. While risk assessments are important, what you do with the risk assessment after it is complete is what really matters. Use it as a catalyst to create a larger, more contextual risk profile. Integrate threat intelligence, security ratings, machine learning, and other data sources and you’ll find yourself with all the data and insights you need and more to proactively reduce risk. You’ll be armed with the necessary information to mitigate risk and implement controls before the breach occurs, not the rushed patchwork after. A data-driven approach to third-party risk assessment will provide a more robust picture of risk and put an end to chasing assessments once and for all.
The purpose of this document is to define the methodology for assessment and treatment of information risks, and to define the acceptable level of risk.
The document is optimized for small and medium-sized organizations – we believe that overly complex and lengthy documents are just overkill for you.
There are 3 appendices related to this document. The appendices are not included in the price of this document and can be purchased separately
The purpose of this table is to list all information resources, vulnerabilities and threats, and assess the level of risk. The table includes catalogues of vulnerabilities and threats.
The document is optimized for small and medium-sized organizations – we believe that overly complex and lengthy documents are just overkill for you.
This document is an appendix. The main document is not included in the price of this document and can be purchased separately
The purpose of this table is to determine options for the treatment of risks and appropriate controls for unacceptable risks. This table includes a catalogue of options for treatment of risks as well as a catalogue of 114 controls prescribed by ISO 27001.
The document is optimized for small and medium-sized organizations – we believe that overly complex and lengthy documents are just overkill for you.
This document is an appendix. The main document is not included in the price of this document and can be purchased separately
The purpose of this document is to define which controls are appropriate to be implemented in the organization, what are the objectives of these controls, how they are implemented, as well as to approve residual risks and formally approve the implementation of the said controls.
The document is optimized for small and medium-sized organizations – we believe that overly complex and lengthy documents are just overkill for you.
The purpose of this document is to determine precisely who is responsible for the implementation of controls, in which time frame, with what budget, etc.
The document is optimized for small and medium-sized organizations – we believe that overly complex and lengthy documents are just overkill for you.
Information risk management is the process of identifying the ways an organisation can be affected by a disruptive incident and how it can limit the damage.
It encompasses any scenario in which the confidentiality, integrity and availability of data is compromised.
As such, it’s not just cyber attacks that you should be worried about. Information risk management also includes threats within your organisation – such as negligent or malicious employees – as well as residual risks.
For example, the framework can help you address misconfigured databases, software vulnerabilities and poor security practices at third parties.
In this blog, we take a closer look at the way information risk management works and how organisations can use its guidance to bolster their security defences.
Why is information risk management important?
In the face of ever-growing cyber threats, it can be difficult for an organisation to protect its information assets.
Last year, the World Economic Forum listed cyber crime alongside COVID-19, climate change and the debt crisis as the biggest threats facing society in the next decade. It’s clear, then, that organisations need a plan for identifying and addressing security risks.
With an information risk management system, organisations gain a better understanding of where their information assets are, how to protect them and how to respond when a breach occurs.
One way it does this is by forcing organisations to not only identify but also assess their risks. This ensures that organisations prioritise scenarios that are most likely to occur or that will cause the most damage, enabling them to make informed decisions in line with their security budget.
How risk management works
To understand how risk management programmes work, we need to take a closer look at what ‘risk’ actually is.
In an information security context, risk can be defined as the combination of a vulnerability and a threat.
As we’ve previous discussed, a vulnerability is a known flaw that can be exploited to compromise sensitive information.
These are often related to software flaws and the ways that criminal hackers can exploit them to perform tasks that they weren’t intended for.
They can also include physical vulnerabilities, such as inherent human weaknesses, such as our susceptibility to phishing scams or the likelihood that we’ll misplace a sensitive file.
This is different from a threat, which is defined as the actions that result in information being compromised.
So, to use the examples above, threats include a criminal hacker exploiting a software flaw or duping an employee with a bogus email.
When a threat meets a vulnerability, you get a risk. In the case of the criminal hacker phishing an employee, the risk is that the attacker will gain access to the employee’s work account and steal sensitive information. This can result in financial losses, loss of privacy, reputational damage and regulatory action.
A risk management system helps organisations identify the ways in which vulnerabilities, threats and risks intertwine. More importantly, it gives organisations the ability to determine which risks must be prioritised and identify which controls are best equipped to mitigate the risk.
Start protecting your business
At the heart of risk management is the risk assessment. This is the process where threats and vulnerabilities are identified. Organisations can use the result of the assessment to plan their next moves.
With vsRisk, you’ll receive simple tools that are specifically designed to tackle each part of the risk assessment.
This software package is:
Easy to use. The process is as simple as selecting some options and clicking a few buttons.
Able to generate audit reports. Documents such as the Statement of Applicability and risk treatment plan can be exported, edited and shared across the business and with auditors.
Geared for repeatability. The assessment process is delivered consistently year after year (or whenever circumstances change).
Streamlined and accurate. Drastically reduces the chance of human error.
Conducting an asset-based risk assessment in ISO 27001:2013 – Vigilant Software
The nature of ISO27001 is that it is heavily focused on risk-based planning. This is to ensure that the identified information risks are appropriately managed according to the threats and the nature of the threats. While asset-based risk assessments are still widely regarded as best practice, and present a robust methodology for conducting risk assessments, it is no longer a requirement under ISO 27001:2013. ISO 27001:2013 leaves it to the organisation to choose the relevant risk assessment methodology, i.e. ISO 27005, or ISO/IEC 31010.
It is commonly believed that an asset-based information security risk assessment provides a thorough and comprehensive approach to conducting a risk assessment, and this article will look at the steps to follow when conducting this type of risk assessment.
Where do you start when you embark on an asset-based information security risk assessment?
The first step would be to produce an asset register, which can be done through a series of interviews with asset owners. The ‘asset owner’ is an individual or entity that has responsibility for controlling the production, development, maintenance, use and security of an information asset.
Note: In the new standard, ISO 27001:2013, there is a stronger emphasis on the role of the ‘risk owner’, which pushes up the responsibility for the risks to a higher level within the organisation. However, since the approach we are following is an asset-based methodology, the asset owner would be the logical point to start in order to compile an asset register.
Once the asset register has been compiled, the next step is to identify any potential threats and vulnerabilities that could pose risks to those assets. A vulnerability / weakness of an asset or control can be defined as one that can be exploited by one or more threats.
Risk assessment & impact determination
Once the threats and vulnerabilities have been identified, then an analysis of the risks should be undertaken, to establish the impact level of the risks. The impact value needs to take into consideration how the Confidentiality, Integrity and Availability of data can be affected by each of the risks.
It should also consider the business, legal, contractual and regulatory implications of risks, including the cost of the replacement of the asset, the potential loss of income, fines and reputational damage.
ISO 27005 presents a structured, systematic and rigorous process of analysing risks, and for creating the risk treatment plan, and includes a list of known threats and vulnerabilities that can be used for establishing the risks your information assets are exposed to.
vsRisk comes with an optional, pre-populated asset library. Organisational roles are pre-assigned to each asset group, and the corresponding potential threats / risks are pre-applied to each asset. vsRisk also pre-assigns the relevant controls from Annex A to each threat. See sample below. View options to purchase vsRisk now.
vsRisk™ provides key benefits for anyone undertaking an asset-based risk assessment.
By providing a simple framework and process to follow, vsRisk minimises the manual hassle and complexity of carrying out an information security risk assessment, saving the risk assessor time and resources. In addition, once the assessment has been completed, the risk assessments can be repeated easily in a standard format year after year. The tool generates a set of 6 reports that can be exported and edited, presented to management and audit teams, and includes pre-populated databases of threats and vulnerabilities as well as 7 different control sets that can be applied to treat the risks.
vsRisk is fully aligned with ISO 27001:2013 and helps you conduct an information security risk assessment quickly and easily. The upgrade includes three key changes to functionality: custom acceptance criteria, a risk assessment wizard and control set synchronization. This major release also enables users to export the asset database in order to populate an asset management system/register.
If you’re starting to implement complex standards like ISO 27001 or ISO 22301, you’re probably looking for a way to make your job easier. Who wouldn’t? After all, reinventing the wheel doesn’t sound like a very interesting job.
So, you start looking for some tool to help you with these information security and business continuity standards, but beware – not every tool will help you: you might end up with a truck wheel that doesn’t fit the car you’re driving.
Types of tools
Let’s start first with what types of tools you’ll find in the market that are made specifically for ISO 27001 and ISO 22301:
a) Automation tools – these tools help you semi-automate part of your processes – e.g., performing the risk assessment, writing the business continuity plans, managing incidents, keeping your documentation, assisting in measurement, etc.
b) Tools for writing documentation – these tools help you develop policies and procedures – usually, they include documentation templates, tutorials for writing documentation, etc.
Pros and cons of automation tools
Automation tools are generally useful for larger companies – for example, using spreadsheets for assessing risks can be a problem if you have, e.g., 100 departments, because when you have to merge those results this becomes very difficult. Or, if you have 50 different recovery plans and you want to change the same detail in each of them, using a tool is probably much easier.
However, applying such automation tools to smaller companies can prove to be very expensive – most of these tools are not priced with smaller companies in mind, and even worse – training employees for using such tools takes too much time. Therefore, for smaller companies, performing risk assessment using Excel or writing business continuity plans in Word is a very quick and affordable solution.
There are some tools for which I personally see no purpose – for example, tools for keeping ISO documentation. For that purpose, larger companies will use their existing document management system (e.g., SharePoint), while smaller companies can upload the documentation to shared folders with defined access rights – it doesn’t have to be any more sophisticated than that.
Can you automate everything?
One important fact needs to be emphasized here: automation tools cannot help you manage your information security or business continuity. For instance, you cannot automate writing your Access control policy – to finalize such a document, you need to coordinate your CISO, IT department and business side of the organization, and only after you reach an agreement can you write this policy. No automation can do that for you.
Yes, you can semi-automate the measurement of success of particular controls, but again a human needs to interpret those results to understand why the control was performing well or poorly – this part of the process cannot be automated, and neither can the decision on which corrective or preventive actions need to be taken as a result of gained insight.
What to watch out for when looking for documentation writing tools
You won’t need tools for writing your policies, procedures, and plans if you already developed your documentation based on a framework that it similar to ISO 27001 – e.g., COBIT, Cybersecurity Framework, or NFPA 1600. Also, if you hired a consultant, then it will be his duty to write all the documents (see also: 5 criteria for choosing an ISO 22301 / ISO 27001 consultant).
In other cases you will find documentation writing tools (i.e., documentation templates) quite useful because they will speed up writing your policies and procedures. The main question here is how to choose the right ones – here are a couple of tips:
Are they appropriate for your company size? If you are a small company and the templates are made for big companies, they will be overkill for you, and vice versa.
Which kind of help do you receive for writing documents? Are there any guidelines, tutorials, support, or anything similar that comes with the templates?
Experience of the authors? It would be best if the author has experience in both consulting and auditing, so that the templates are practical for daily operations, but also acceptable for the certification audit.
So, to conclude: yes – in most cases tools can help you with your ISO 27001 and ISO 22301 implementation. Since there are many tool providers in the market, make sure you perform thorough research before you decide to use one.
This is the do-it-yourself solution for ISO27001 implementation
Cyber crime is increasing exponentially, and this trend will continue as more business activities move online and more consumers connect to the Internet. ISO/IEC 27001 is the only international information security management Standard that can help your organization protect its critical data assets, comply with legislation and regulations, and thrive as customer confidence in its data security practices increases.
This package is aimed at organisations that have substantial management system expertise (with ISO9001, or ISO20000, for instance) and an understanding of information security management, as well as the necessary available internal resources and a corporate culture of keeping overall external costs down by following a do-it-yourself approach to project management.
This package does not include certification fees which are paid directly to the certification body.
The ISO 27001 do-it-yourself package contains:
The ISO 27001:2013 Standard, which details the requirements against which you will be audited.
The ISO 27002:2013 Standard, which is the code of practice that provides supports for the implementation of information security controls for ISO27001.
The ISO 27000:2014 Standard, which contains the terms and definitions referenced in ISO27001.
IT Governance – An International Guide to Data Security and ISO27001/ISO27002, which details how to design, implement and deliver an Information Security Management System (ISMS) that complies with ISO27001.
Nine Steps to Success – An ISO 27001 Implementation Overview, which outlines the nine critical steps that mean the difference between ISO27001 project success and failure.
The standards set out the requirements for best-practice information security management. The implementation manuals provide you with detailed implementation advice based on practical experience, which you can access in your own time and at your own pace.
To transition from ISO27001:2005 to ISO27001:2013 you may need a Gap Assessment Tool to prioritize your implementation plan.
ISO27001 2013 ISMS Gap Analysis Tool, which quickly and clearly identify the controls and control areas in which an organization does not conform to the requirements of the standard.
Available for immediate dispatch/download from IT Governance, this tool will further your understanding of ISO27001 and identify where you are and why you are not meeting the requirements of ISO27001.
It is extremely difficult to carry out a risk assessment that will meet the requirements of ISO27001 without using a specialist information security risk assessment tool. While there are a wide range of products on the market that claim to meet these requirements, the reality is that there are very few.
It’s so straightforward, and so quick to use, it can save you a significant amount of the budget you might otherwise spend on consultancy advice at this stage of the project.
5 reasons why vsRisk is the definitive risk assessment tool:
This tool automates and delivers an ISO/IEC 27001-compliant risk assessment
Can uniquely assess confidentiality, integrity & availability (CIA) for each of business, legal and contractual aspects of information assets – as required by ISO27001
Gives comprehensive best-practice alignment
It’s easy and straight-forward to use
Cost-effective route to assessing risks within your business
This manual provides clear, unique guidance for both technical and non-technical managers. It details how to design, implement and deliver an ISMS that complies with ISO 27001.
Now in its fifth edition, this title has been fully updated to take account of the latest regulatory and technological developments, and the International Board for IT Governance Qualifications
Cyber security is the protection of systems, networks and data in cyber space.
If your system is connected on the internet, you should know and uderstand the risks of cyber space to take appropriate countermeasures.
To understand the risks of cyber security,The first place is to begin with is a risk assessment. By completing a risk assessment you can understand what the risks, threats and vulnerabilities of your networks, systems and data really are and begin to comprehend how to reduce and handle them. The authors of The Information Security Risk Assessment Toolkit provides handy step-by-step guidance on how to undertake a risk assessment. As we said Security Risk Assessment is an important first to assess risks but the second step of mitigating those risks in timely manner is crucial to protect your information assets.
Once you understand what the risks of your business are, you can then decide on how to mitigate those risks based on your organization risk acceptance.
Tools and techniques which work in mitigating cyber risks
The UK’s Cyber-security Framework for Business (published by the Department for Business, Innovation and Skills) is a 10-step framework to stop around 80% of today’s cyber-attacks
1. Board-led Information Risk Management Regime
2. Secure Home and Mobile Working
3. User Education and Awareness
4. User privilege management
5. Removable media controls
6. Activity monitoring
7. Secure Configurations
8. Malware protection
9. Network security
10. Incident Management
Build the resilience in your information security management system (ISMS) to cope with the other 20% of the risk.
The authors of Hacking 7 Exposed cover the latest methods used by third-parties to (logical/physical) access to information assets. They then detail how you can protect your systems, networks and data from unauthorised access.
Cybersecurity standards are an important element in building a strong, resilient information and communications infrastructure. ISO/IEC 27001 is the most significant international best practice standard available to any organisation that wants an intelligently organised and structured framework for tackling its cyber risks
Now a days, the ISO27001 standard has become an almost unavoidable factor in the field of information security. Compliance is unavoidable because most industries are heavily regulated. Seems like more legislations are on our way to redefine our actions on the internet. Because ISO 27001 requirements are largely a superset of other major standars and regulations, achieving ISO 27001 certification positions most organizations to be well on their way to meeting the requirements of PCI, SOX, HIPAA and GLBA.
1. Business managers of the organizations will make informed decisions regarding potential risk and should be able demonstrate compliance with standards and regulations such as SOX, GLBA, HIPAA, DPA to their critical information on regular basis.
2. An ISMS is a defensive mechanism to any APT (advanced persistent threat) to minimize the impact from these external threats of various cybercrime.
3. Informed information security decisions will be made based on risk assessment to implement technical, management, administrative and operational controls, which is the most cost effective way of reducing risk. Highest priority risks are tackled first to attain best ROI in information security.
4. Information security is not an IT responsibility; In general everybody in an organization is responsible for protecting information assets and more specifically business manager. The business manager may delegate their responsibility.
5. Organization will improve credibility and trust among internal stakeholder and external vendors. The credibility and trust are the key factors to win a business.
6. ISMS raises awareness throughout the business for information security risks, involve all employees throughout an organization and therefore lower the overall risk to the organization.
Related Books, Standards and Tools you may need to achieve ISO 27001 certification
Nine Steps to Success: an ISO 27001 Implementation Overview“It’s like having a $300/hr consultant at your elbow as you consider the aspects of gaining management support, planning, scoping, communication, etc…” Thomas F. Witwicki (amazon.com review)
IT Governance: An International Guide to Data Security and ISO27001/ISO27002
Covers simply everything you need to know about information security and ISO27001. It is also the UK’s Open University’s post-graduate information security textbook. All aspects of data protection / information security are covered including viruses, hackers, online fraud, privacy regulations, computer misuse, investigatory powers etc.
ISO27000 Standards
Official standards available in hardcopy and downloadable formats.
Standalone ISO 27001 ISMS Documentation Toolkit
This toolkit contains all the documents, procedures and templates you need to massively simplify your progress to certification. It will save you months of work, help you avoid costly trial-and-error dead-ends and ensure everything is covered to the current ISO 27001 standard.
First to start with a definition of risk – Risk is a function of the probability that an identified threat will occur and then impact the mission or business objectives of an organization.
The kind of risks we deal with information assets are mostly those risks from which only loss can occur, which may be one of the reason why it’s hard for the security professionals to justify ROI for security controls. Comparatively business risks are attributed with either a profit or a loss. As we know, business folks make decision on risks on daily basis; it’s easier to make a decision for profit sake rather than on a loss. So increase risk to information asset will decrease the value of an asset or will harm the organization bottom line in some way.
To minimize the loss to an information asset, organization may decide to treat the higher risk assets which are above accepted risk threshold with following four ways:
1. Eliminate the risks
2. Reduce the risk to acceptable level
3. Accept the risk and live with it
4. Transfer by means of insurance
o Determine risk methodology and level of acceptable (residual) risk
o Identify assets and who owns them
o Identify the value of each asset
o Identify threats to each assets
o Identify vulnerabilities that each threat may exploit
o Estimate Likelihood of the threat exploiting vulnerability
o Finally determine risk the security of individual assets by combining impacts and likelihoods
The project planning process includes steps to estimate the size of the project, estimate the scope of the effort and resources, assess project risks, and produce an acceptable schedule after negotiating with control owner.
Steps below provide a bullet list of project plan outline phases and action items of ISMS (ISO 27001). This is not the project plan, but rather a description of the project plan, so the detail is high level. However, this document defines the project and requires formal sign-off; therefore, be accurate as possible, any variations may require a formal project change, which adds to schedule and cost.
A generic ISO 27001 project outline includes the following:
Project Initiation, Scope of the Project,Risk Assessment Methodology, Asset Register, Risk Assessment, Risk Treatment Plan, Statement of Applicability relevant to risk, Management approval for the Project outline. These steps are outlined in the figure above.
When an individual is assigned as project manager for a project, their success is determined by the complexity of a given project. Due to lack of necessary skills, sometime project manager are changed during the middle of the project. So what are those necessary skills which will determine the success of the project manager? Below are some of the necessary skills to run a successful ISO 27001 project.
• To posse’s an outstanding communication skills for all the stakeholders involved
• Be highly organized and an effective team leader
• Know how to negotiate between cross functional teams
• Resource oriented, problem solver and understand the relevant infrastructure
A credit card, the biggest beneficiary of the Marquette Bank decision (Photo credit: Wikipedia)
Council Issues Guidelines to Address Security Shortcomings
In its just-released guidelines for ongoing risk assessments, the Payment Card Industry Security Standards Council notes three specific areas for improvement.
The guidelines, which are intended for any organization that handles credit or debit card data, offer specific recommendations for risk assessments, such as how to create an internal risk-assessment team and address risk reporting.
But Bob Russo, general manager of the PCI Council, points out that card data is only as secure as the weakest link in the payments chain. Compliance with PCI-DSS is the responsibility of all organizations and businesses that handle card data, he stresses. They must ensure that all links in the payments chain keep card-data protections up-to-date.
“The standard requires an annual risk assessment, because the DSS validation is only a snapshot of your compliance at a particular point in time,” Russo says.
Requirement 12.1.2 of the PCI-DSS states that any organization that processes or handles payment cards must perform a risk assessment at least annually. The PCI Council’s new recommendations include the need for:
A continuous risk assessment process that addresses emerging threats and vulnerabilities;
An approach that uses risk assessments to complement, not replace, ongoing PCI Data Security Standard compliance.
While the PCI Council does not enforce compliance, merchants, processors and others found to be out of PCI compliance after a breach or some other event will likely face steep fines from the card networks.
“Performing a risk assessment at least annually will help you identify the security gaps and address them,” Russo says. “The council received a lot of requests for clarity here. We hope the guidelines help them in their efforts to establish an annual process.”
Organizations that need to comply with PCI-DSS need to create their own risk assessment methodology that works for their specific business needs, according to a new report by the Payment Card Industry Security Standards Council (PCI SSC).
PCI Risk Assessment Special Interest Group says When developing their own risk assessment methodology, organizations may consider adapting an industry-standard methodology that is most appropriate for their particular culture and business climate.
Key recommendations include:
• A continuous risk assessment process enables ongoing discovery of emerging threats and vulnerabilities, allowing an organization to mitigate such threats and vulnerabilities in a proactive and timely manner
• Risk assessments must not be used as a means of avoiding or bypassing applicable PCI DSS requirements (or related compensating controls)
• Organizations should implement a formalized risk assessment methodology that best suits the culture and requirements of the organization
Below is my post on Risk management from prespective of ISO 27001 which has anExpert guidance on planning and implementing a risk assessment and protecting your business information
It is extremely difficult to carry out a risk assessment that will meet the requirements of ISO27001 without using a specialist information security risk assessment tool. While there are a wide range of products on the market that claim to meet these requirements, the reality is that there are very few.
It’s so straightforward, and so quick to use, it can save you a significant amount of the budget you might otherwise spend on consultancy advice at this stage of the project.
5 reasons why vsRisk is the definitive risk assessment tool:
This tool automates and delivers an ISO/IEC 27001-compliant risk assessment
Can uniquely assess confidentiality, integrity & availability (CIA) for each of business, legal and contractual aspects of information assets – as required by ISO27001
Gives comprehensive best-practice alignment
It’s easy and straight-forward to use
Cost-effective route to assessing risks within your business
Risk management is a business process and all the business decisions should have a business development life cycle
Risk management is a management responsibility, must be supported by senior management and that concept of Ownership of assets must be established
In Pre screening of critical assets, assets sensitivity must be established based on business, legal and contractual values for confidentiality, integrity and availability. this risk analysis process will determine which critical assets needs to go through the risk assessment process
Organizaions use risk assessment to determine what threats exist to a specific asset and the associated risk
The risk acceptance threshold will provide the organization with the information needed to select effective control measures or safeguards to lower the risks to an acceptable level
Risk is a function of the probability that an identified threat will occur and then the impact that threat will have on the asset
Risk Assessment should include the followings primary steps:
* Critical Asset Sensitivity (impact analysis) level affecting business, contractual and legal imapct
* Threats identified
* Vulnerabilities related to the threats
* Probablity of occurance that the specific threat will exploit the given vulnerability
* Impact of the loss if the specific threat will exploit the given vulnerability
* Risk level identified
* Control recommendations based on risk acceptance
* Results documentation
Enterprise risk management is a complex yet critical issue that all companies must deal with as they head into the twenty-first century. It empowers you to balance risks with rewards as well as people with processes.
But to master the numerous aspects of enterprise risk management- you must first realize that this approach is not only driven by sound theory but also by sound practice. No one knows this better than risk management expert James Lam.
In Enterprise Risk Management: From Incentives to Controls- Lam distills twenty years’ worth of experience in this field to give you a clear understanding of both the art and science of enterprise risk management.
Organized into four comprehensive sections- Enterprise Risk Management offers in-depth insights- practical advice- and real world case studies that explore every aspect of this important field.
Section I: Risk Management in Context lays a solid foundation for understanding the role of enterprise risk management in todays business environment.
Section II: The Enterprise Risk Management Framework offers an executive education on the business rationale for integrating risk management processes.
Section III: Risk Management Applications discusses the applications of risk management in two dimensions – functions and industries.
Section IV: A Look to the Future rounds out this comprehensive discussion of enterprise risk management by examining emerging topics in risk management with respect to people and technology.
Failure to properly manage risk continues to plague corporate America from Enron to Long Term Capital Management. Don’t let it hurt your organization. Pick up Enterprise Risk Management and learn how to meet the enterprise-wide risk management challenge head on and succeed.
Here are the contents of the book.
Authors: James Lam
Publisher: John Wiley
ISBN 10: 0471430005
ISBN 13: 9780471430001
Pages: 336
Format: Hard Cover
Published Date: 24/06/03
“I would highly recommend this book to anyone with a serious interest in understanding risk management from a holistic perspective.”