
INFORMATION SECURITY RISK MANAGEMENT

www.pecb.com

At the beginning of this year we saw a large number of articles from top security companies, magazines
and bloggers predicting that information security threats will only get worse, even as more and more is
invested in information technology to ensure better business performance. Top lists of information security
threats were more widely circulated during January than accounts of IT developments or information
security best practices used during 2014.

In general, all conclusions about predicted threats arrive at the same point: securing information systems
against suspicious activity and breaches requires an enterprise-wide approach to information security,
supported by management. Such a broad approach to information security would be embedded within a
risk management system.

Risk management in information security means understanding and responding to factors or possible
events that could harm the confidentiality, integrity and availability of an information system.

The very first step in any risk management approach is to identify all assets that are in any way related
to information. These assets can be applications, servers, network routers, switches, back-up disks and
systems, laptops, desktop computers, mobile phones, or any other devices used to process, transmit and
maintain information. An asset can also be a document, research results, and basically anything that has
value for the company. Sometimes information security itself is considered an asset.

The second step is to identify threats to the identified assets. A threat is a potential cause of an unwanted
incident which may result in harm to a system or organization. Threats can be theft, viruses, disclosure of
important data, floods, infrastructure or software failure, hackers, etc.

The third step is to identify vulnerabilities. These can include a wide range of weaknesses: no data backup,
no encryption, weak passwords, no remote wipe, no surge protection, no training, no access management,
no firewalls, no business continuity plans, etc.


For every identified threat, the likelihood that the threat would exploit specific vulnerabilities should be
calculated. Likelihood is the chance of something happening. Other data used to calculate the percentage
or likelihood should be included here, such as statistics on data breaches, complaints, security incidents,
etc. Many companies use a simple ranking system such as high/medium/low.

For every calculated threat likelihood, the impact or consequence that the incident could have on the
organization should also be included. This results in a risk ranking list. From top to bottom, every identified
risk should be listed together with the cost of the solution or the planned treatment. Based on this result,
the company can proceed with risk evaluation, which compares the estimated level of risk against the risk
evaluation criteria and the risk acceptance criteria. This process decides which of the threats should be
addressed.

Organizations may decide to accept, transfer, avoid or mitigate a risk; the choice depends on the
organization’s strategy and operational needs. Risk treatment consists of planned activities, which should be
classified in order of priority, and during this process the necessary resources should be allocated to the
treatment plan.
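The assessment steps above (assets, threats, vulnerabilities, likelihood and impact on the high/medium/low scale, ranking with treatment cost, evaluation against acceptance criteria, prioritized treatment) as an added Python example that is not part of this whitepaper. The register entries, cost figures and the acceptance threshold (level 2 or below is accepted) are constructed assumptions.

```python
from dataclasses import dataclass

# Ordinal high/medium/low scale from the text, mapped to numbers so that
# risk level = likelihood x impact can be ranked (1..9).
SCALE = {"low": 1, "medium": 2, "high": 3}

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str       # low / medium / high
    impact: str           # low / medium / high
    treatment_cost: int   # planned treatment cost (constructed figures)

    def level(self) -> int:
        return SCALE[self.likelihood] * SCALE[self.impact]

def evaluate(register, acceptance_threshold=2):
    """Risk evaluation: rank risks from highest to lowest level and compare each
    against the acceptance criterion (assumed: level <= threshold is accepted).
    Returns (risk, level, decision) tuples; 'treat' means the organization still
    has to choose between transfer, avoid and mitigate for that risk."""
    ranked = sorted(register, key=lambda r: r.level(), reverse=True)
    return [(r, r.level(), "accept" if r.level() <= acceptance_threshold else "treat")
            for r in ranked]

def treatment_plan(register, acceptance_threshold=2):
    """Risks above the acceptance criterion in priority order: highest level first,
    and among equal levels the cheaper treatment first, so limited resources go
    where they remove the most risk per unit of cost."""
    to_treat = [r for r, _, d in evaluate(register, acceptance_threshold) if d == "treat"]
    return sorted(to_treat, key=lambda r: (-r.level(), r.treatment_cost))

# Constructed sample register built from asset, threat and vulnerability
# examples named in the text.
REGISTER = [
    Risk("customer database", "disclosure of important data", "no encryption", "medium", "high", 12000),
    Risk("laptop", "theft", "no remote wipe", "high", "medium", 3000),
    Risk("network switch", "flood", "no business continuity plan", "low", "medium", 8000),
    Risk("file server", "virus", "no firewalls", "high", "high", 4000),
]

if __name__ == "__main__":
    for risk, level, decision in evaluate(REGISTER):
        print(f"{level}  {decision:6}  {risk.asset}: {risk.threat} via {risk.vulnerability}")
    print("Treatment order:", [r.asset for r in treatment_plan(REGISTER)])
```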

All the steps explained above are part of the different approaches and methodologies a company can use
for risk management. These steps are sometimes referred to as the risk management life-cycle, which in
general terms consists of risk identification, risk analysis, risk evaluation, risk treatment and risk acceptance.
This structure is standardized in ISO 27001, which has already become the information security
management standard for companies of all sizes and in all industries.

ISO 27001 includes requirements for the assessment and treatment of information security risks tailored
to the needs of the organization. The standard aligns with the principles and generic guidelines provided
in ISO 31000. The requirements of ISO 27001 are also supported by ISO 27005, which provides guidelines
for information security risk management in an organization. In addition, ISO 27000 defines the terms
related to risk management that are used in ISO 27001 and ISO 27005.

One of the clauses of ISO 27001, clause six, requires a defined process for implementing the appropriate
measures/controls in order to eliminate or minimize the impact that various security-related threats and
vulnerabilities might have on an organization.


Moreover, ISO 27002 gives guidelines on how to select controls within the information security process,
how to implement these controls, and how to develop new controls taking into consideration the
organization’s information security risk environment; these guidelines can be very useful.

In conclusion, the value of information has today reached a critical point, making it one of the most
important assets a company can possess, while collecting, processing, transmitting and storing it has
become very complex.

It is up to each organization to decide on a specific approach to its information security risk management
system, and this depends on its scope, the context of risk management, or the industry sector. However, it is
very important to consider the existing methodologies that have already shown good results.

[Figure: ISO 27001, ISO 27002, ISO 27005 and ISO 31000]

PECB International is a certification body for persons on a wide range of professional standards. It offers ISO
27001, ISO 27002, ISO 27005, ISO 20000 and ISO 22301 training and certification services for professionals
wanting to support organizations in the implementation of these management systems.

ISO Standards and Professional Trainings offered by PECB:


• Certified Lead Implementer (5 days)
• Certified Lead Auditor (5 days)
• Certified Foundation (2 days)
• ISO Introduction (1 day)

Lead Auditor, Lead Implementer and Master are certification schemes accredited by ANSI under ISO/IEC 17024.

Rreze Halili is a Security, Continuity and Recovery (SCR) Product Manager at PECB International. She is in
charge of developing and maintaining training courses related to SCR. If you have any questions, please do
not hesitate to contact: scr@pecb.com.

For further information, please visit www.pecb.com.
