Speaker 1: What is information security risk? Information security risk is simply a combination of the impact that could result from a threat compromising one of your important information assets and the likelihood of this happening.

Risk management in ISO 27001. ISO 27001 requires that you implement a risk management system to help you manage the security of your important information assets. The backbone of this is formed from the need to develop and implement an appropriate and effective information security risk management methodology.

ISO 27001 risk management. You should develop and implement a risk management methodology which allows you to identify your important information assets and to determine why they need protecting. It is important to note here that when information security is mentioned people immediately start thinking about confidentiality aspects, but the availability and integrity aspects also need to be taken into consideration as these are important components of information security. Once this has been achieved, your methodology needs to be able to identify the likelihood of something going wrong and what can be done to mitigate this risk. In a nutshell, it enables you to quantify the impact and the likelihood elements of information security risk and then go on to do something about it.

ISO 27001 risk management framework. There are several discrete stages of an ISO 27001 risk management methodology. First of all, it is important to understand the information security context of your organisation. Once this has been achieved, you can perform a risk assessment, which includes the need to identify your risks, analyse them and evaluate them. You then need to determine a suitable treatment for the risks you have assessed and then implement that treatment. It is vitally important that you do not see this as a one-off exercise. Your risk management methodology should be designed to be iterative. This enables you not only to review the status of risks you have previously identified, taking into consideration any potential changes in context, but also to identify new risks. The high-level stages of a risk management methodology as described above should be thought of as a framework that enables risk management to be embedded within key processes throughout your organisation so that any identified risks are comparable.

ISO 27001 risk management context. The first stage of your risk management methodology needs to identify what is important to you or your organisation from an information security point of view. ISO 27001 requires you to determine the context of your organisation, part of which means that you need to be able to identify the information security related issues that you face along with who the internal and external interested parties are and what their needs and expectations are. It is important to also understand what your risk appetite is at this stage as we will need this information later. Once you have done this you are able to determine what is important about the different information assets under your control.

ISO 27001 risk management. What is risk appetite? Risk appetite is simply the amount and type of risk you are willing to accept or retain in order to allow business operations to proceed. This is important because too much security can sometimes compromise your operational viability, whereas too little will reduce the confidence of your stakeholders. Some types of organisations are willing to accept more risk than others. For example, a hedge fund manager is likely to take more risk in order to make greater profits over a short space of time, whereas a pension fund manager generally prefers a less risky, steady growth approach.

ISO 27001 risk assessment methodology. Risk identification. Once you have determined the context you can go ahead and conduct a risk assessment. The first part of a risk assessment is to identify the risks that you face. This can be broken down into three elements. The first element is to identify your information assets. An information asset is any information that has value to you. There are several different ways to calculate the value of an asset, but it is important that you not only consider the confidentiality needs of the information but also the integrity and availability requirements. The second element of risk identification is threat analysis. You need to have a process which enables you to identify all of the threats which are applicable to the assets you have identified. If a particular threat is applicable then it is also a good idea to think about how probable it is that the threat will materialise. For example, if you use Windows-based computer systems which are connected somehow to the internet, the probability of them being affected by a virus is probably very high if you do nothing to stop it, whereas if you are using an Apple Mac which is never connected to the internet the probability is very low. The third element of risk identification is the need to determine if there are any vulnerabilities that would allow a threat that you have identified to cause an impact on your asset. To carry on with the example we have just used, if you have an antivirus system installed and running on your internet-connected Windows computers you are less vulnerable to this particular threat than if you didn't.

ISO 27001 risk assessment methodology. Risk analysis. One of the useful aspects of the output from an effective risk assessment is the ability to prioritise your risks. This is important as you may not have sufficient resources to fully mitigate every risk that you identify. This means that it is important to somehow quantify your risks. To do this we need to know two things. First, how much of an impact would be felt if a compromise occurred and second, what is the likelihood of that threat occurring. One good idea is to use a set of scales to record values in these areas. For example, using a scale of one to five we could say how impactful it would be if the confidentiality of an asset were breached. Clearly breaches of confidentiality would cause a greater impact for some assets, for example HR records, than others like the staff canteen menu. A second one-to-five scale could be used to determine the likelihood of a breach occurring, and we would take into consideration the threat and vulnerability information we spoke about earlier in order to do this.

ISO 27001 risk assessment methodology. Risk evaluation. Risk evaluation is a relatively simple process as it requires you to identify whether or not the risk that you have identified is above or below appetite. To do this the first thing we need to do is calculate the value of the risk, which simply means multiplying the impact and likelihood values together. We have a range of possible values which result from multiplying the two one-to-five scales together. The appetite is stated within the methodology as a particular value on the five-by-five matrix. If a particular risk is above this value then it is above appetite, which means that it can then be flagged for treatment. Anything below appetite can be accepted and monitored for change.

ISO 27001 risk treatment methodology. Your risk management methodology needs to include a methodology for determining the most appropriate treatment for the risks that you have identified. There are four possible treatments to choose from. These are accept, reduce, transfer and avoid. You may come across different terms used for these such as tolerate, treat, transfer and terminate. This example is known as the four Ts; however, they take the same approach.

ISO 27001 risk treatment methodology. Accept or tolerate. One of the four treatments provides you with the ability to accept risk. We have already seen that this is possible as it is likely that you will simply accept risks that are below appetite. However, you can also make an informed decision to accept risks in certain circumstances, such as where there is a legal requirement preventing you from taking the desired action or you have insufficient resources to do so. These cases should be few and far between though, and should always be approved by appropriate management and regularly reviewed.

ISO 27001 risk treatment methodology. Reduce or treat. The second treatment option is to reduce or treat the risk. This is done through the implementation of controls. ISO 27001 provides you with a list of 114 best practice controls that can be used to mitigate the risks that you have identified. These can be used in combination in order to increase their effectiveness, and of course you can also add controls of your own that do not appear in ISO 27001.

ISO 27001 risk treatment methodology. Transfer. The third risk treatment option is to transfer the risk. The transfer option involves the use of third parties to help you mitigate your risks. You could do this, for example, by offloading some of the financial impact of something going wrong by taking out an insurance policy. Another way of doing this is to outsource the responsibility for implementing and operating technical controls to a third party such as an IT managed service provider. It is important to note here that although responsibility for financial impact or the management of operational controls can be transferred to a third party, the accountability associated with the risk cannot. In other words, you will still be held accountable by your stakeholders if something goes wrong.

ISO 27001 risk treatment methodology. Avoid or terminate. The fourth risk treatment option is to simply avoid the risk. As we have discussed before, there are three component parts to risk: the impact felt by the organisation following a breach of confidentiality, integrity or availability for an information asset, a threat that could cause this impact, and a vulnerability that would allow it to do so. It is possible to avoid risk completely by eliminating one or more of these three elements. However, it is unlikely that we would be able to completely remove all threats or all vulnerabilities, which leaves us with only one viable option, which is to remove the impact. This is done by removing the asset or stopping the processes that are associated with the identified risk. For example, to avoid the risks associated with the taking of credit card payments, remove that process and only deal in cash. There are obvious issues associated with taking this approach as it is unlikely to be looked upon too favourably by your stakeholders, especially if the process is revenue generating. This is the reason why this particular risk treatment methodology is rarely used.

ISO 27001 risk treatment methodology. Controls. The most common option chosen to treat risks, other than maybe accept in more mature ISMSs, is to reduce the risk. This is done by implementing controls or improving existing ones to address the risk. There are three main operational types of control: administrative or people-based controls, technical or logical controls, and physical or environmental controls. Within these three operational types there are several different tactical uses of controls, such as those that are designed to prevent a threat from materialising, those that are designed to deter people from carrying out an undesired action, those that detect if a threat has materialised, or those that enable you to recover from a situation after the threat has been dealt with, and there are several others. Operational types and tactical uses of controls are not mutually exclusive and can and should be used where possible in combination to provide a greater depth of security.

ISO 27001 risk management. Monitor and review. It is important to ensure that any actions you take to address the risks you have identified are monitored and reviewed to ensure that they have the desired effect. Part of the monitor and review process should also include a review of context before the risk assessment is re-performed. This will allow you to identify and take into consideration any changes that may have happened either internally within your organisation or externally, such as changes in legislation or changes to the threat environment. Thus you are able to identify if risks that have previously been identified are getting worse or, hopefully, better, and you will also be able to identify any new risks.

ISO 27001 risk assessment frequency. Risk management, and therefore risk assessment, is an iterative process, and each iteration should take into consideration lessons learned from the previous iteration and any internal or external changes, thus enabling continual improvement. There is no hard and fast rule on the frequency of risk assessment, but URM recommends that the frequency is no less than annual. This does not necessarily mean that you should set aside a certain amount of time at a certain point in the year to conduct a risk assessment, although of course you can do this if you wish. It just means that each time 12 months have elapsed you should aim to have completed the next iteration. So you could spread the workload over the 12-month period by performing smaller risk assessments on a subset of areas at more frequent intervals if this is more manageable.

ISO 27001 risk management governance. Throughout the risk management process you need to ensure that you communicate effectively with any interested parties. It may be useful to put together a RACI to help you with this, as all the way through the process different people will need to be held responsible, some will need to be held accountable, some will need to be consulted in order to identify all of the pertinent information we need to perform an effective risk assessment, and some people, for example the management team, will need to be informed through effective reporting of your risk status.

ISO 27001 risk management policy and process. As with all key processes associated with an effective ISMS, it is a good idea to implement a risk management policy. This enables you to set the risk management and risk assessment criteria, appetite, and roles and responsibilities out within a document that everyone is required to implement throughout the business. This should of course be underpinned by the risk management methodology and any required documented processes to enable risk management to be embedded throughout the organisation.

So how can URM help? URM can offer a range of information risk management consultancy and training services, most notably our accredited five-day practitioner certificate in information risk management training course. In addition, URM has also developed an information risk management module, Abrisca 27001, specially to meet the risk assessment requirements of ISO 27001. For more information email us or give us a call.
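A worked version of the risk analysis, evaluation and "reduce" treatment the transcript walks through, added here as an example rather than URM's or the ISO 27001 standard's own tooling: the register entries, the appetite value of 9 on the five-by-five matrix and the rule that a score strictly above appetite is flagged for treatment are all constructed assumptions.

```python
from dataclasses import dataclass, replace

SCALE = range(1, 6)          # the one-to-five scales for impact and likelihood
APPETITE = 9                 # assumed appetite value on the 5x5 matrix (constructed)


@dataclass(frozen=True)
class Risk:
    asset: str
    aspect: str              # confidentiality, integrity or availability
    threat: str
    impact: int              # 1-5: how much a compromise of this aspect would hurt
    likelihood: int          # 1-5: from the threat and vulnerability analysis

    def score(self) -> int:
        """Risk value = impact x likelihood, both on the 1-5 scale."""
        if self.impact not in SCALE or self.likelihood not in SCALE:
            raise ValueError("impact and likelihood must be between 1 and 5")
        return self.impact * self.likelihood


def evaluate(risk: Risk, appetite: int = APPETITE) -> str:
    """Above appetite is flagged for treatment; at or below is accepted and monitored."""
    return "treat" if risk.score() > appetite else "accept and monitor"


def apply_control(risk: Risk, likelihood_after: int) -> Risk:
    """'Reduce' treatment: a control lowers the likelihood, giving the residual risk."""
    return replace(risk, likelihood=likelihood_after)


def prioritise(risks: list[Risk], appetite: int = APPETITE) -> list[tuple[Risk, int, str]]:
    """Register ordered highest score first, so scarce resources go to the worst risks."""
    rows = [(r, r.score(), evaluate(r, appetite)) for r in risks]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample register, following the transcript's own examples
REGISTER = [
    Risk("HR records", "confidentiality", "unauthorised disclosure", impact=5, likelihood=3),
    Risk("Staff canteen menu", "confidentiality", "unauthorised disclosure", impact=1, likelihood=3),
    Risk("Internet-connected Windows PCs", "availability", "virus infection", impact=4, likelihood=5),
]

if __name__ == "__main__":
    for risk, score, decision in prioritise(REGISTER):
        print(f"{score:>2}  {decision:<19} {risk.asset} / {risk.aspect}")
    # Antivirus installed and running: the vulnerability shrinks, so likelihood drops
    residual = apply_control(REGISTER[2], likelihood_after=2)
    print(f"residual: {residual.score()} -> {evaluate(residual)}")
```

Re-running `prioritise` on the register after each control is applied, and again at the next annual iteration, is the monitor-and-review loop the transcript describes.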