Oct 20 2022

Why chasing risk assessments will have you chasing your tail

Category: Risk Assessment,Security Risk AssessmentDISC @ 10:07 am

Third-party risk assessments are often described as time-consuming, repetitive, overwhelming, and outdated. Think about it: organizations, on average, have over 5,000 third parties, meaning they may feel the need to conduct over 5,000 risk assessments. In the old school method, that’s 5,000 redundant questionnaires. 5,000 long-winded Excel sheets. No wonder they feel this way.

The reason why risk assessments have become so dreaded is that it has always been a process of individual inspection and evaluation. For perspective, that’s roughly 14 risk assessments completed per day in the span of one year. How can we expect security, risk, and procurement professionals to get any other work done with this type of task on their plate? With the state of today’s threat landscape, wouldn’t you rather your security team be focused on actual analysis and mitigation, rather than just assessing? And, not to mention the fact that a tedious risk assessment process will contribute to burnout that can lead to poor employee retention within your security team. With how the cybersecurity job market is looking now, this isn’t a position any organization wants to be in.

So, now that you know how the people actually with their ‘hands in the pot’ feel about risk assessments, let’s take a look at why this approach is flawed and what organizations can do to build a better risk assessment process.

The never-ending risk assessment carousel ride

The key to defeating cybercriminals is to be vigilant and proactive. Not much can be done when you’re reacting to a security incident as the damage is already done. Unfortunately, the current approach to risk management is reactive, and full of gaps that do not provide an accurate view into overall risk levels. How so? Current processes only measure a point-in-time and do not account for the period while the assessment is being completed–or any breaches that occurred after the assessment was submitted. In other words, assessments will need to be routinely refilled out, a never-ending carousel ride, which is not feasible.

It should come to no surprise that assessments are not updated nearly as much as they should be, and that’s to no one’s fault. No one has the time to continually fill out long, redundant Excel sheets. And, not to mention, unless the data collected is standardized, very little can be done with it from an analysis point of view. As a result, assessments are basically thrown in a drawer and never see the light of day.

Every time a third-party breach occurs there is a groundswell of concern and company executives and board members immediately turn to their security team to order risk assessments, sending them on a wild goose chase. What they don’t realize is that ordering assessments after a third-party breach has occurred is already too late. And the organizations that are chosen for a deeper assessment are most likely not the ones with the highest risk. Like a never-ending carousel ride, the chase for risk assessments will never stop unless you hop off the ride now.

Show me the data!

The secret ingredient for developing a better risk management collection process is standardized data. You can’t make bread without flour, and you can’t have a robust risk management program without standardized data. Standardized data is the process of gathering data in a common format, making it easier to conduct an analysis and determine necessary next steps. Think of it this way, if you were looking at a chart comparing student test grades and they were all listed in various formats (0.75, 68%, 3/16, etc.), you would have a difficult time comparing these data points. However, if all the data is listed in percentages (80%, 67%, 92%, etc.), you could easily identify who is failing and needs more support in the classroom. This is the way using standardized data in the risk assessment process works. All data collected from assessments would be in the same format and you can understand which third parties are high risk and require prioritized mitigation.

CISOs who are still focused on point-in-time assessments are not getting it right. Organizations need to understand that risk assessment collection alone does not in fact equal reduced risk. While risk assessments are important, what you do with the risk assessment after it is complete is what really matters. Use it as a catalyst to create a larger, more contextual risk profile. Integrate threat intelligence, security ratings, machine learning, and other data sources and you’ll find yourself with all the data and insights you need and more to proactively reduce risk. You’ll be armed with the necessary information to mitigate risk and implement controls before the breach occurs, not the rushed patchwork after. A data-driven approach to third-party risk assessment will provide a more robust picture of risk and put an end to chasing assessments once and for all.

risk assessment

Security Risk Assessment

How to do an information security risk assessment for ISO27001

Tags: data breach, Risk Assessment, Third Party Risk

Sep 14 2022

Risk Management document templates

Risk Assessment and Risk Treatment Methodology

The purpose of this document is to define the methodology for assessment and treatment of information risks, and to define the acceptable level of risk.

The document is optimized for small and medium-sized organizations – we believe that overly complex and lengthy documents are just overkill for you.

There are 3 appendices related to this document. The appendices are not included in the price of this document and can be purchased separately

Risk Assessment Table

The purpose of this table is to list all information resources, vulnerabilities and threats, and assess the level of risk. The table includes catalogues of vulnerabilities and threats.

The document is optimized for small and medium-sized organizations – we believe that overly complex and lengthy documents are just overkill for you.

This document is an appendix. The main document is not included in the price of this document and can be purchased separately

Risk Treatment Table

The purpose of this table is to determine options for the treatment of risks and appropriate controls for unacceptable risks. This table includes a catalogue of options for treatment of risks as well as a catalogue of 114 controls prescribed by ISO 27001.

The document is optimized for small and medium-sized organizations – we believe that overly complex and lengthy documents are just overkill for you.

This document is an appendix. The main document is not included in the price of this document and can be purchased separately

Risk Assessment and Treatment Report

The purpose of this document is to give a detailed overview of the process and documents used during risk assessment and treatment.

The document is optimized for small and medium-sized organizations – we believe that overly complex and lengthy documents are just overkill for you.

This document is an appendix. The main document is not included in the price of this document and can be purchased separately

Statement of Applicability

The purpose of this document is to define which controls are appropriate to be implemented in the organization, what are the objectives of these controls, how they are implemented, as well as to approve residual risks and formally approve the implementation of the said controls.

The document is optimized for small and medium-sized organizations – we believe that overly complex and lengthy documents are just overkill for you.

Risk Treatment Plan

The purpose of this document is to determine precisely who is responsible for the implementation of controls, in which time frame, with what budget, etc.

The document is optimized for small and medium-sized organizations – we believe that overly complex and lengthy documents are just overkill for you.

Toolkit below contains all the documents above

Tags: Risk Assessment, Security Risk Assessment

Feb 04 2022

What Is Information Risk Management? Definition & Explanation

Category: Information Security,Security Risk AssessmentDISC @ 12:54 am

Information risk management is the process of identifying the ways an organisation can be affected by a disruptive incident and how it can limit the damage.

It encompasses any scenario in which the confidentiality, integrity and availability of data is compromised.

As such, it’s not just cyber attacks that you should be worried about. Information risk management also includes threats within your organisation – such as negligent or malicious employees – as well as residual risks.

For example, the framework can help you address misconfigured databases, software vulnerabilities and poor security practices at third parties.

In this blog, we take a closer look at the way information risk management works and how organisations can use its guidance to bolster their security defences.

Why is information risk management important?

In the face of ever-growing cyber threats, it can be difficult for an organisation to protect its information assets.

Last year, the World Economic Forum listed cyber crime alongside COVID-19, climate change and the debt crisis as the biggest threats facing society in the next decade. It’s clear, then, that organisations need a plan for identifying and addressing security risks.

With an information risk management system, organisations gain a better understanding of where their information assets are, how to protect them and how to respond when a breach occurs.

One way it does this is by forcing organisations to not only identify but also assess their risks. This ensures that organisations prioritise scenarios that are most likely to occur or that will cause the most damage, enabling them to make informed decisions in line with their security budget.

How risk management works

To understand how risk management programmes work, we need to take a closer look at what ‘risk’ actually is.

In an information security context, risk can be defined as the combination of a vulnerability and a threat.

As we’ve previous discussed, a vulnerability is a known flaw that can be exploited to compromise sensitive information.

These are often related to software flaws and the ways that criminal hackers can exploit them to perform tasks that they weren’t intended for.

They can also include physical vulnerabilities, such as inherent human weaknesses, such as our susceptibility to phishing scams or the likelihood that we’ll misplace a sensitive file.

This is different from a threat, which is defined as the actions that result in information being compromised.

So, to use the examples above, threats include a criminal hacker exploiting a software flaw or duping an employee with a bogus email.

When a threat meets a vulnerability, you get a risk. In the case of the criminal hacker phishing an employee, the risk is that the attacker will gain access to the employee’s work account and steal sensitive information. This can result in financial losses, loss of privacy, reputational damage and regulatory action.

A risk management system helps organisations identify the ways in which vulnerabilities, threats and risks intertwine. More importantly, it gives organisations the ability to determine which risks must be prioritised and identify which controls are best equipped to mitigate the risk.

Start protecting your business

At the heart of risk management is the risk assessment. This is the process where threats and vulnerabilities are identified. Organisations can use the result of the assessment to plan their next moves.

This process can be labour-intensive, but you can simplify the task with our risk assessment tool vsRisk.

With vsRisk, you’ll receive simple tools that are specifically designed to tackle each part of the risk assessment.

This software package is:

  • Easy to use. The process is as simple as selecting some options and clicking a few buttons.
  • Able to generate audit reports. Documents such as the Statement of Applicability and risk treatment plan can be exported, edited and shared across the business and with auditors.
  • Geared for repeatability. The assessment process is delivered consistently year after year (or whenever circumstances change).
  • Streamlined and accurate. Drastically reduces the chance of human error.

Risk Management Training

Tags: information risk management, Risk Assessment, Risk management, risk management training

Oct 25 2017

Conducting an asset-based risk assessment in ISO 27001:2013

Category: ISO 27k,Risk AssessmentDISC @ 11:14 am

Conducting an asset-based risk assessment in ISO 27001:2013 – Vigilant Software

The nature of ISO27001 is that it is heavily focused on risk-based planning. This is to ensure that the identified information risks are appropriately managed according to the threats and the nature of the threats. While asset-based risk assessments are still widely regarded as best practice, and present a robust methodology for conducting risk assessments, it is no longer a requirement under ISO 27001:2013.  ISO 27001:2013 leaves it to the organisation to choose the relevant risk assessment methodology, i.e. ISO 27005, or ISO/IEC 31010.

It is commonly believed that an asset-based information security risk assessment provides a thorough and comprehensive approach to conducting a risk assessment, and this article will look at the steps to follow when conducting this type of risk assessment.

Where do you start when you embark on an asset-based information security risk assessment?

The first step would be to produce an asset register, which can be done through a series of interviews with asset owners. The ‘asset owner’ is an individual or entity that has responsibility for controlling the production, development, maintenance, use and security of an information asset.

Note: In the new standard, ISO 27001:2013, there is a stronger emphasis on the role of the ‘risk owner’, which pushes up the responsibility for the risks to a higher level within the organisation. However, since the approach we are following is an asset-based methodology, the asset owner would be the logical point to start in order to compile an asset register.

Once the asset register has been compiled, the next step is to identify any potential threats and vulnerabilities that could pose risks to those assets. A vulnerability / weakness of an asset or control can be defined as one that can be exploited by one or more threats.

Risk assessment & impact determination

Once the threats and vulnerabilities have been identified, then an analysis of the risks should be undertaken, to establish the impact level of the risks.  The impact value needs to take into consideration how the Confidentiality, Integrity and Availability of data can be affected by each of the risks.

It should also consider the business, legal, contractual and regulatory implications of risks, including the cost of the replacement of the asset, the potential loss of income, fines and reputational damage.

ISO 27005 presents a structured, systematic and rigorous process of analysing risks, and for creating the risk treatment plan, and includes a list of known threats and vulnerabilities that can be used for establishing the risks your information assets are exposed to.

vsRisk comes with an optional, pre-populated asset library.  Organisational roles are pre-assigned to each asset group, and the corresponding potential threats / risks are pre-applied to each asset. vsRisk also pre-assigns the relevant controls from Annex A to each threat. See sample below. View options to purchase vsRisk now.

Sample risk assessment

vsRisk™ provides key benefits for anyone undertaking an asset-based risk assessment.

By providing a simple framework and process to follow, vsRisk minimises the manual hassle and complexity of carrying out an information security risk assessment, saving the risk assessor time and resources. In addition, once the assessment has been completed, the risk assessments can be repeated easily in a standard format year after year.  The tool generates a set of 6 reports that can be exported and edited,  presented to management and audit teams, and includes pre-populated databases of threats and vulnerabilities as well as 7 different control sets that can be applied to treat the risks.

Tags: Risk Assessment

Apr 21 2017

vsRisk™ risk assessment

Category: ISO 27k,Security Risk AssessmentDISC @ 8:42 am

vsRisk Standalone 3.0 – Brand new vsRisk™ risk assessment software available now

vsRisk is fully aligned with ISO 27001:2013 and helps you conduct an information security risk assessment quickly and easily. The upgrade includes three key changes to functionality: custom acceptance criteria, a risk assessment wizard and control set synchronization. This major release also enables users to export the asset database in order to populate an asset management system/register.

Price: $745.00

Buy now

Tags: Risk Assessment

Nov 09 2014

When to use tools for ISO 27001/ISO 22301 and when to avoid them

Category: ISO 27kDISC @ 8:54 pm

ISO 27001 2013

If you’re starting to implement complex standards like ISO 27001 or ISO 22301, you’re probably looking for a way to make your job easier. Who wouldn’t? After all, reinventing the wheel doesn’t sound like a very interesting job.

So, you start looking for some tool to help you with these information security and business continuity standards, but beware – not every tool will help you: you might end up with a truck wheel that doesn’t fit the car you’re driving.

Types of tools

Let’s start first with what types of tools you’ll find in the market that are made specifically for ISO 27001 and ISO 22301:

a) Automation tools – these tools help you semi-automate part of your processes – e.g., performing the risk assessment, writing the business continuity plans, managing incidents, keeping your documentation, assisting in measurement, etc.

b) Tools for writing documentation – these tools help you develop policies and procedures – usually, they include documentation templates, tutorials for writing documentation, etc.

Pros and cons of automation tools

Automation tools are generally useful for larger companies – for example, using spreadsheets for assessing risks can be a problem if you have, e.g., 100 departments, because when you have to merge those results this becomes very difficult. Or, if you have 50 different recovery plans and you want to change the same detail in each of them, using a tool is probably much easier.

However, applying such automation tools to smaller companies can prove to be very expensive – most of these tools are not priced with smaller companies in mind, and even worse – training employees for using such tools takes too much time. Therefore, for smaller companies, performing risk assessment using Excel or writing business continuity plans in Word is a very quick and affordable solution.

There are some tools for which I personally see no purpose – for example, tools for keeping ISO documentation. For that purpose, larger companies will use their existing document management system (e.g., SharePoint), while smaller companies can upload the documentation to shared folders with defined access rights – it doesn’t have to be any more sophisticated than that.

Can you automate everything?

One important fact needs to be emphasized here: automation tools cannot help you manage your information security or business continuity. For instance, you cannot automate writing your Access control policy – to finalize such a document, you need to coordinate your CISO, IT department and business side of the organization, and only after you reach an agreement can you write this policy. No automation can do that for you.

Yes, you can semi-automate the measurement of success of particular controls, but again a human needs to interpret those results to understand why the control was performing well or poorly – this part of the process cannot be automated, and neither can the decision on which corrective or preventive actions need to be taken as a result of gained insight.

What to watch out for when looking for documentation writing tools

You won’t need tools for writing your policies, procedures, and plans if you already developed your documentation based on a framework that it similar to ISO 27001 – e.g., COBIT, Cybersecurity Framework, or NFPA 1600. Also, if you hired a consultant, then it will be his duty to write all the documents (see also: 5 criteria for choosing an ISO 22301 / ISO 27001 consultant).

In other cases you will find documentation writing tools (i.e., documentation templates) quite useful because they will speed up writing your policies and procedures. The main question here is how to choose the right ones – here are a couple of tips:

  • Are they appropriate for your company size? If you are a small company and the templates are made for big companies, they will be overkill for you, and vice versa.
  • Which kind of help do you receive for writing documents? Are there any guidelines, tutorials, support, or anything similar that comes with the templates?
  • Experience of the authors? It would be best if the author has experience in both consulting and auditing, so that the templates are practical for daily operations, but also acceptable for the certification audit.

So, to conclude: yes – in most cases tools can help you with your ISO 27001 and ISO 22301 implementation. Since there are many tool providers in the market, make sure you perform thorough research before you decide to use one.

Author: Dejan Kosutic, Expert at 27001Academy, is the author of a documentation tool aimed at small and mid-sized companies: ISO 27001 & ISO 22301 Documentation Toolkit .

Tags: Acceptable use policy, Access Control, BCMS, isms, ISO/IEC 27001, ISO22301, Risk Assessment

Aug 22 2014

Do it yourself solution for ISO27001 implementation

Category: ISO 27kDISC @ 3:16 pm


ISO 27001 Do It Yourself Package

This is the do-it-yourself solution for ISO27001 implementation

Cyber crime is increasing exponentially, and this trend will continue as more business activities move online and more consumers connect to the Internet. ISO/IEC 27001 is the only international information security management Standard that can help your organization protect its critical data assets, comply with legislation and regulations, and thrive as customer confidence in its data security practices increases.

This package is aimed at organisations that have substantial management system expertise (with ISO9001, or ISO20000, for instance) and an understanding of information security management, as well as the necessary available internal resources and a corporate culture of keeping overall external costs down by following a do-it-yourself approach to project management.


This package does not include certification fees which are paid directly to the certification body.


The ISO 27001 do-it-yourself package contains:

  • The ISO 27001:2013 Standard, which details the requirements against which you will be audited.
  • The ISO 27002:2013 Standard, which is the code of practice that provides supports for the implementation of information security controls for ISO27001.
  • The ISO 27000:2014 Standard, which contains the terms and definitions referenced in ISO27001.
  • IT Governance – An International Guide to Data Security and ISO27001/ISO27002, which details how to design, implement and deliver an Information Security Management System (ISMS) that complies with ISO27001.
  • Nine Steps to Success – An ISO 27001 Implementation Overview, which outlines the nine critical steps that mean the difference between ISO27001 project success and failure.

The standards set out the requirements for best-practice information security management. The implementation manuals provide you with detailed implementation advice based on practical experience, which you can access in your own time and at your own pace.

Based on your needs, you may also need: ISO27001-2013 Gap Analysis Tool

Tags: Corporate governance of information technology, data security, Information Security, Information Security Management System, International Organization for Standardization, isms, ISO/IEC 27001, Risk Assessment

Jun 20 2014

ISO27001 2013 ISMS Gap Analysis Tool

Category: ISO 27kDISC @ 12:09 pm

Gap Assessment Tool

To transition from ISO27001:2005 to ISO27001:2013 you may need a Gap Assessment Tool to prioritize your implementation plan.

ISO27001 2013 ISMS Gap Analysis Tool, which quickly and clearly identify the controls and control areas in which an organization does not conform to the requirements of the standard.

Available for immediate dispatch/download from IT Governance, this tool will further your understanding of ISO27001 and identify where you are and why you are not meeting the requirements of ISO27001.

ISO27001 2013 high level review for making the transition

Tags: Gap assessment tool, Information Security Management System, ISO/IEC 27001, Risk Assessment

Aug 07 2013

vsRisk – The Cyber Security Risk Assessment Tool

Category: ISO 27k,Security Risk AssessmentDISC @ 9:09 am

vsRisk – The Cyber Security Risk Assessment Tool


It is extremely difficult to carry out a risk assessment that will meet the requirements of ISO27001 without using a specialist information security risk assessment tool. While there are a wide range of products on the market that claim to meet these requirements, the reality is that there are very few.

There’s just one risk assessment tool that IT Governance recommends; the vsRisk™ v1.7 – the Cybersecurity Risk Assessment Tool.

It’s so straightforward, and so quick to use, it can save you a significant amount of the budget you might otherwise spend on consultancy advice at this stage of the project.

5 reasons why vsRisk is the definitive risk assessment tool:

  • This tool automates and delivers an ISO/IEC 27001-compliant risk assessment
  • Can uniquely assess confidentiality, integrity & availability (CIA) for each of business, legal and contractual aspects of information assets – as required by ISO27001
  • Gives comprehensive best-practice alignment
  • It’s easy and straight-forward to use
  • Cost-effective route to assessing risks within your business

Download the definite risk assessment tool >>


Tags: Information Security, Information Security Management System, ISO/IEC 27001, Policy, Risk Assessment, Risk management, Security, Standards

May 20 2013

A Guide to Data Security and ISO27001/ISO27002

Category: ISO 27kDISC @ 1:39 pm


IT Governance 5: An International Guide to Data Security and ISO27001/ISO27002

This manual provides clear, unique guidance for both technical and non-technical managers. It details how to design, implement and deliver an ISMS that complies with ISO 27001.

Now in its fifth edition, this title has been fully updated to take account of the latest regulatory and technological developments, and the International Board for IT Governance Qualifications


Tags: Corporate governance of information technology, Information Security, Information Security Management System, ISO, ISO/IEC 27001, Risk Assessment

Apr 23 2013

Cyber Security and Risk Assessment

Category: cyber security,Security Risk AssessmentDISC @ 9:19 am

Cyber security is the protection of systems, networks and data in cyber space.

If your system is connected on the internet, you should know and uderstand the risks of cyber space to take appropriate countermeasures.

To understand the risks of cyber security,The first place is to begin with is a risk assessment. By completing a risk assessment you can understand what the risks, threats and vulnerabilities of your networks, systems and data really are and begin to comprehend how to reduce and handle them. The authors of The Information Security Risk Assessment Toolkit provides handy step-by-step guidance on how to undertake a risk assessment. As we said Security Risk Assessment is an important first to assess risks but the second step of mitigating those risks in timely manner is crucial to protect your information assets.

Once you understand what the risks of your business are, you can then decide on how to mitigate those risks based on your organization risk acceptance.

Tools and techniques which work in mitigating cyber risks

The UK’s Cyber-security Framework for Business (published by the Department for Business, Innovation and Skills) is a 10-step framework to stop around 80% of today’s cyber-attacks
1. Board-led Information Risk Management Regime
2. Secure Home and Mobile Working
3. User Education and Awareness
4. User privilege management
5. Removable media controls
6. Activity monitoring
7. Secure Configurations
8. Malware protection
9. Network security
10. Incident Management

Build the resilience in your information security management system (ISMS) to cope with the other 20% of the risk.

The authors of Hacking 7 Exposed cover the latest methods used by third-parties to (logical/physical) access to information assets. They then detail how you can protect your systems, networks and data from unauthorised access.

Cybersecurity standards are an important element in building a strong, resilient information and communications infrastructure. ISO/IEC 27001 is the most significant international best practice standard available to any organisation that wants an intelligently organised and structured framework for tackling its cyber risks

Tags: Computer security, cyberwarfare, Information Security, Information Security Management System, Risk Assessment, Risk management

Feb 12 2013

Why ISO 27001 certification should be a priority

Category: ISO 27kDISC @ 10:34 pm

ISO 27001

Why ISO 27001 certification is unavoidable

Now a days, the ISO27001 standard has become an almost unavoidable factor in the field of information security. Compliance is unavoidable because most industries are heavily regulated. Seems like more legislations are on our way to redefine our actions on the internet. Because ISO 27001 requirements are largely a superset of other major standars and regulations, achieving ISO 27001 certification positions most organizations to be well on their way to meeting the requirements of PCI, SOX, HIPAA and GLBA.

Six main benefits of Information Security Management System based on ISO 27001 specifications

1. Business managers of the organizations will make informed decisions regarding potential risk and should be able demonstrate compliance with standards and regulations such as SOX, GLBA, HIPAA, DPA to their critical information on regular basis.

2. An ISMS is a defensive mechanism to any APT (advanced persistent threat) to minimize the impact from these external threats of various cybercrime.

3. Informed information security decisions will be made based on risk assessment to implement technical, management, administrative and operational controls, which is the most cost effective way of reducing risk. Highest priority risks are tackled first to attain best ROI in information security.

4. Information security is not an IT responsibility; In general everybody in an organization is responsible for protecting information assets and more specifically business manager. The business manager may delegate their responsibility.

5. Organization will improve credibility and trust among internal stakeholder and external vendors. The credibility and trust are the key factors to win a business.

6. ISMS raises awareness throughout the business for information security risks, involve all employees throughout an organization and therefore lower the overall risk to the organization.

Related Books, Standards and Tools you may need to achieve ISO 27001 certification

Nine Steps to Success: an ISO 27001 Implementation Overview“It’s like having a $300/hr consultant at your elbow as you consider the aspects of gaining management support, planning, scoping, communication, etc…” Thomas F. Witwicki (amazon.com review)

IT Governance: An International Guide to Data Security and ISO27001/ISO27002
Covers simply everything you need to know about information security and ISO27001. It is also the UK’s Open University’s post-graduate information security textbook. All aspects of data protection / information security are covered including viruses, hackers, online fraud, privacy regulations, computer misuse, investigatory powers etc.

ISO27000 Standards
Official standards available in hardcopy and downloadable formats.

Standalone ISO 27001 ISMS Documentation Toolkit
This toolkit contains all the documents, procedures and templates you need to massively simplify your progress to certification. It will save you months of work, help you avoid costly trial-and-error dead-ends and ensure everything is covered to the current ISO 27001 standard.

Tags: Corporate governance of information technology, Information Security, Information Security Management System, ISO/IEC 27001, Risk Assessment

Jan 29 2013

Impact of an Effective Risk Assessment to ISO 27001

Category: Security Risk AssessmentDISC @ 11:08 pm


First to start with a definition of risk – Risk is a function of the probability that an identified threat will occur and then impact the mission or business objectives of an organization.

The kind of risks we deal with information assets are mostly those risks from which only loss can occur, which may be one of the reason why it’s hard for the security professionals to justify ROI for security controls. Comparatively business risks are attributed with either a profit or a loss. As we know, business folks make decision on risks on daily basis; it’s easier to make a decision for profit sake rather than on a loss. So increase risk to information asset will decrease the value of an asset or will harm the organization bottom line in some way.

To minimize the loss to an information asset, organization may decide to treat the higher risk assets which are above accepted risk threshold with following four ways:

1. Eliminate the risks
2. Reduce the risk to acceptable level
3. Accept the risk and live with it
4. Transfer by means of insurance

Risk Assessment Basic Steps for ISO 27001:

o Determine risk methodology and level of acceptable (residual) risk
o Identify assets and who owns them
o Identify the value of each asset
o Identify threats to each assets
o Identify vulnerabilities that each threat may exploit
o Estimate Likelihood of the threat exploiting vulnerability
o Finally determine risk the security of individual assets by combining impacts and likelihoods

Risk Assessment Titles from eBay | Risk Assessment Titles from DISC InfoSec Store


Related articles

Tags: Corporate governance of information technology, Information Security Management System, ISO/IEC 27001, Risk Assessment, Risk management

Jan 17 2013

Project Planning outline for (ISO 27001) ISMS

Category: ISO 27kDISC @ 11:55 am

The project planning process includes steps to estimate the size of the project, estimate the scope of the effort and resources, assess project risks, and produce an acceptable schedule after negotiating with control owner.

Steps below provide a bullet list of project plan outline phases and action items of ISMS (ISO 27001). This is not the project plan, but rather a description of the project plan, so the detail is high level. However, this document defines the project and requires formal sign-off; therefore, be accurate as possible, any variations may require a formal project change, which adds to schedule and cost.

A generic ISO 27001 project outline includes the following:
Project Initiation, Scope of the Project,Risk Assessment Methodology, Asset Register, Risk Assessment, Risk Treatment Plan, Statement of Applicability relevant to risk, Management approval for the Project outline. These steps are outlined in the figure above.

When an individual is assigned as project manager for a project, their success is determined by the complexity of a given project. Due to lack of necessary skills, sometime project manager are changed during the middle of the project. So what are those necessary skills which will determine the success of the project manager? Below are some of the necessary skills to run a successful ISO 27001 project.

• To posse’s an outstanding communication skills for all the stakeholders involved
• Be highly organized and an effective team leader
• Know how to negotiate between cross functional teams
• Resource oriented, problem solver and understand the relevant infrastructure

Must Read Project Management Books
1. A guide to the Project Management body of Knowledge 5th edition

2. The Concise Prince2

3. 50 Top IT Project Management Challenges

4. Prince 2 2009 manual

Tags: Information Security Management System, ISO/IEC 27001, Project Management, Project manager, Project plan, Project planning, Risk Assessment, Scope (project management)

Nov 27 2012

PCI Risk Assessment Tips Offered

Category: pci dssDISC @ 11:18 am


A credit card, the biggest beneficiary of the ...

A credit card, the biggest beneficiary of the Marquette Bank decision (Photo credit: Wikipedia)

Council Issues Guidelines to Address Security Shortcomings

In its just-released guidelines for ongoing risk assessments, the Payment Card Industry Security Standards Council notes three specific areas for improvement.

The guidelines, which are intended for any organization that handles credit or debit card data, offer specific recommendations for risk assessments, such as how to create an internal risk-assessment team and address risk reporting.

But Bob Russo, general manager of the PCI Council, points out that card data is only as secure as the weakest link in the payments chain. Compliance with PCI-DSS is the responsibility of all organizations and businesses that handle card data, he stresses. They must ensure that all links in the payments chain keep card-data protections up-to-date.

“The standard requires an annual risk assessment, because the DSS validation is only a snapshot of your compliance at a particular point in time,” Russo says.

Requirement 12.1.2 of the PCI-DSS states that any organization that processes or handles payment cards must perform a risk assessment at least annually. The PCI Council’s new recommendations include the need for:

  • A formalized risk assessment methodology that fits the culture of the organization;
  • A continuous risk assessment process that addresses emerging threats and vulnerabilities;
  • An approach that uses risk assessments to complement, not replace, ongoing PCI Data Security Standard compliance.

While the PCI Council does not enforce compliance, merchants, processors and others found to be out of PCI compliance after a breach or some other event will likely face steep fines from the card networks.

“Performing a risk assessment at least annually will help you identify the security gaps and address them,” Russo says. “The council received a lot of requests for clarity here. We hope the guidelines help them in their efforts to establish an annual process.”

To find out how to identify and address common threats in a risk assessment by Tracy Kitten …

Tags: Payment card, Payment card industry, Payment Card Industry Data Security Standard, PCI Council, pci dss, Risk Assessment

Nov 19 2012

PCI view of Risk Assessment

Category: pci dss,Security Risk AssessmentDISC @ 11:02 pm
Information Security Wordle: PCI DSS v1.2 (try #2)


Organizations that need to comply with PCI-DSS need to create their own risk assessment methodology that works for their specific business needs, according to a new report by the Payment Card Industry Security Standards Council (PCI SSC).

PCI Risk Assessment Special Interest Group says When developing their own risk assessment methodology, organizations may consider adapting an industry-standard methodology that is most appropriate for their particular culture and business climate.

Key recommendations include:
• A continuous risk assessment process enables ongoing discovery of emerging threats and vulnerabilities, allowing an organization to mitigate such threats and vulnerabilities in a proactive and timely manner
• Risk assessments must not be used as a means of avoiding or bypassing applicable PCI DSS requirements (or related compensating controls)
• Organizations should implement a formalized risk assessment methodology that best suits the culture and requirements of the organization

PCI view of things: 

The announcement

And the V1 document (also attached)

Below is my post on Risk management from prespective of ISO 27001 which has an Expert guidance on planning and implementing a risk assessment and protecting your business information

Information Security Risk Management for ISO 27001

Tags: International Organization for Standardization, ISO/IEC 27001, Methodology, Payment card industry, Payment Card Industry Data Security Standard, Risk Assessment, Risk management

Aug 22 2012

5 reasons why vsRisk v1.6 is the definitive risk assessment tool

Category: ISO 27k,Security Risk AssessmentDISC @ 12:36 pm

by Melanie Watson

It is extremely difficult to carry out a risk assessment that will meet the requirements of ISO27001 without using a specialist information security risk assessment tool. While there are a wide range of products on the market that claim to meet these requirements, the reality is that there are very few.

There’s just one risk assessment tool that IT Governance recommends; the vsRisk™ v1.6 – the Cybersecurity Risk Assessment Tool.

It’s so straightforward, and so quick to use, it can save you a significant amount of the budget you might otherwise spend on consultancy advice at this stage of the project.

5 reasons why vsRisk is the definitive risk assessment tool:

  • This tool automates and delivers an ISO/IEC 27001-compliant risk assessment
  • Can uniquely assess confidentiality, integrity & availability (CIA) for each of business, legal and contractual aspects of information assets – as required by ISO27001
  • Gives comprehensive best-practice alignment
  • It’s easy and straight-forward to use
  • Cost-effective route to assessing risks within your business

Download the definite risk assessment tool >>

Tags: Information Security Management System, iso 27001, Risk Assessment

Mar 20 2012

Risk Management and Business Life Cycle

Category: Security Risk AssessmentDISC @ 1:29 pm

  • Risk management is a business process and all the business decisions should have a business development life cycle
  • Risk management is a management responsibility, must be supported by senior management and that concept of Ownership of assets must be established
  • In Pre screening of critical assets, assets sensitivity must be established based on business, legal and contractual values for confidentiality, integrity and availability. this risk analysis process will determine which critical assets needs to go through the risk assessment process
  • Organizaions use risk assessment to determine what threats exist to a specific asset and the associated risk
  • The risk acceptance threshold will provide the organization with the information needed to select effective control measures or safeguards to lower the risks to an acceptable level
  • Risk is a function of the probability that an identified threat will occur and then the impact that threat will have on the asset
  • Risk Assessment should include the followings primary steps:
    * Critical Asset Sensitivity (impact analysis) level affecting business, contractual and legal imapct
    * Threats identified
    * Vulnerabilities related to the threats
    * Probablity of occurance that the specific threat will exploit the given vulnerability
    * Impact of the loss if the specific threat will exploit the given vulnerability
    * Risk level identified
    * Control recommendations based on risk acceptance
    * Results documentation

    How to Complete a Risk Assessment in 5 Days or Less

    Tags: Risk Assessment, Security Risk Assessment, Tom Peltier

    May 13 2011

    Enterprise Risk Management: From Incentives to Controls

    Category: Security Risk AssessmentDISC @ 12:03 pm

    Enterprise Risk Management: From Incentives to Controls

    Enterprise risk management is a complex yet critical issue that all companies must deal with as they head into the twenty-first century. It empowers you to balance risks with rewards as well as people with processes.

    But to master the numerous aspects of enterprise risk management- you must first realize that this approach is not only driven by sound theory but also by sound practice. No one knows this better than risk management expert James Lam.

    In Enterprise Risk Management: From Incentives to Controls- Lam distills twenty years’ worth of experience in this field to give you a clear understanding of both the art and science of enterprise risk management.

    Organized into four comprehensive sections- Enterprise Risk Management offers in-depth insights- practical advice- and real world case studies that explore every aspect of this important field.

    Section I: Risk Management in Context lays a solid foundation for understanding the role of enterprise risk management in todays business environment.

    Section II: The Enterprise Risk Management Framework offers an executive education on the business rationale for integrating risk management processes.

    Section III: Risk Management Applications discusses the applications of risk management in two dimensions – functions and industries.

    Section IV: A Look to the Future rounds out this comprehensive discussion of enterprise risk management by examining emerging topics in risk management with respect to people and technology.

    Failure to properly manage risk continues to plague corporate America from Enron to Long Term Capital Management. Don’t let it hurt your organization. Pick up Enterprise Risk Management and learn how to meet the enterprise-wide risk management challenge head on and succeed.

    Here are the contents of the book.

    Authors: James Lam
    Publisher: John Wiley
    ISBN 10: 0471430005
    ISBN 13: 9780471430001
    Pages: 336
    Format: Hard Cover
    Published Date: 24/06/03

    “I would highly recommend this book to anyone with a serious interest in understanding risk management from a holistic perspective.”

    Tags: Enterprise Risk Management, Risk Assessment, Security Risk Assessment, security risk assessment process

    May 04 2010

    IT risk assessment frameworks: real-world experience

    Category: Risk AssessmentDISC @ 5:17 pm

    By Bob Violino, CSO

    Assessing and managing risk is a high priority for many organizations, and given the turbulent state of information security vulnerabilities and the need to be compliant with so many regulations, it’s a huge challenge.

    Several formal IT risk-assessment frameworks have emerged over the years to help guide security and risk executives through the process. These include:

    Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE)

    Factor Analysis of Information Risk (FAIR)

    the National Institute of Standards and Technology’s (NIST) Risk Management Framework (RMF)

    Threat Agent Risk Assessment (TARA), a recent creation

    OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation), developed at the CERT Coordination Center at Carnegie Mellon University, is a suite of tools, techniques and methods for risk-based infosec strategic assessment and planning.

    OCTAVE defines assets as including people, hardware, software, information and systems. There are three models, including the original, which CERT says forms the basis for the OCTAVE body of knowledge and is aimed at organizations with 300 or more employees; OCTAVE-S, similar to the original but aimed at companies with limited security and risk-management resources; and OCTAVE-Allegro, a streamlined approach to information security assessment and assurance.

    The framework is founded on the OCTAVE criteria—a standardized approach to a risk-driven and practice-based information security evaluation. These criteria establish the fundamental principles and attributes of risk management.

    Also see How SCAP Brought Sanity to Vulnerability Management

    The OCTAVE methods have several key characteristics. One is that they’re self-directed: Small teams of personnel across business units and IT work together to address the security needs of the organization. Another is that they’re designed to be flexible. Each method can be customized to address an organization’s particular risk environment, security needs and level of skill. A third is that OCTAVE aims to move organizations toward an operational risk-based view of security and addresses technology in a business context.

    Among the strengths of OCTAVE is that it’s thorough and well documented, says Brooke Paul, managing director at Capital Informatics and former CSO at American Financial Group. “The people who put it together are very knowledgeable,” says Paul, who has evaluated the framework for clients. “It’s been around a while and is very well-defined and freely available.”

    Because the methodology is self-directed and easily modified, it can be used as the foundation risk-assessment component or process for other risk methodologies, says Ron Woerner, security systems analyst at HDR, an architectural and engineering firm. Woerner says he’s used a hybrid of OCTAVE, FAIR and other methodologies.

    “The original OCTAVE method uses a small analysis team encompassing members of IT and the business. This promotes collaboration on any found risks and provides business leaders [with] visibility into those risks,” Woerner says. “To be successful, the risk assessment-and-management process must have collaboration.”

    In addition, OCTAVE “looks at all aspects of information security risk from physical, technical and people viewpoints,” Woerner says. “If you take the time to learn the process, it can help you and your organization to better understand its assets, threats, vulnerabilities and risks. You can then make better decisions on how to handle those risks.”

    Experts say one of the drawbacks of OCTAVE is its complexity. “When it shipped, we spent hours trying to understand what it was that this package was going to do for us,” says Adam Rice, global CSO and vice president of managed security services at Tata Communications, a provider of communications services.

    “There was a lot of time taken up just trying to understand what the approach was, because it wasn’t very clear to me,” Rice says. “Anything that takes a lot of time detracts from its use.”

    Paul adds that a downside to OCTAVE is that it doesn’t allow organizations to mathematically model risk. “It’s a qualitative methodology, like most others available today,” he says.

    Next at page 2:FAIR, Page 3:NIST RMF and Page 4: TARA methodology
    1 2 3 4 »

    Information Security Risk Analysis, Tom Peltier

    Tags: FAIR, NIST RMF, OCTAVE, Risk Assessment, TARA

    Next Page »