
Information Security Risk Management Approach

The Assessment Approach


The purpose
The purpose of a structured information security risk management process is to ensure that risk and
asset owners are aware of security implications and the possible impact upon the business before
they occur. Understanding the events that could happen and the impacts (risks) that could result
allows for informed and focused decisions on how to appropriately address them. Risk-
handling/mitigation projects may then be planned and executed to reduce the risk to the business to an
acceptable level.

Risk assessment methodology


The risk assessment approach must be repeatable, understandable and an effective tool for the
business that can generate tangible outcomes and improve understanding. Due to the complex
nature of InfoSec/cyber risks and the difficulty of assigning tangible values to them, a qualitative approach is
used. This relies on subject matter experts in InfoSec and in the business environment working together
to allocate scores based on intimate knowledge of the area. The risk method is focused on an
events-based approach. The repeatable process is described in the following sections.

Risk matrix
In order to allocate risks and understand their criticality, a 5x5 matrix is used, with the likelihood of an
event on one axis and its impact on the other. The grid cell where the two meet gives the risk criticality.

                         Level of Consequence/Impact
Level of Probability     1 (Insignificant)  2 (Minor)   3 (Moderate)  4 (Major)   5 (Catastrophic)
A (Almost Certain)       Medium             High        Very High     Critical    Critical
B (Probable)             Medium             Medium      High          Very High   Critical
C (Possible)             Low                Medium      High          High        Very High
D (Improbable)           Very Low           Low         Medium        Medium      High
E (Rare)                 Very Low           Very Low    Low           Medium      Medium

The Assessment Process and Explanation


Criteria: The assessment requires at least one person who is well versed in information security, at
least one person who has a deep understanding of the business, its structure, its operations and the
value of these, and at least one person who understands the technical architecture of the
enterprise.

The steps that follow have an example to assist in understanding the process.

The following are the key steps in conducting this risk assessment approach; the outcome of each step is
recorded in the risk register:

Business Introduction
At the start of the assessment session, the business leader should describe the business functions,
operations, types of data and their value. Because Mazars handles large amounts of client data,
including commercially sensitive information, understanding this is key to ensuring that risk can
be correctly allocated.

Group IT Page | 1

Scenario Generation
Once an understanding of the business is achieved, the team works together to consider what
events could happen that would have an impact on the confidentiality, integrity or availability of the
business systems/data. These events can then be assessed.

Example: An event could be “A system admin falls prey to a phishing attack, installing
malware onto corporate IT systems.”

Allocation of Risk Likelihood


The InfoSec and IT members of the assessment team can then make an assessment as to the
perceived likelihood of these events happening.

Example: In the phishing event above, they will consider the knowledge and phishing
awareness of staff and any other controls currently in place to mitigate this. Say your IT admin has
poor security awareness and has fallen for phishing in the past. It could then be assessed as “Probable”
that this event will come to pass again, given the prevalence of this attack vector.

Allocation of Risk Consequence


All members then consider the consequence of this and allocate a score according to the business
impact of the event happening.

Example: In this example, an admin user would have full access to all business data, allowing an
attacker who gains that access either to exfiltrate data or to encrypt all business systems. As there are few
controls in place to mitigate this impact, it would be assessed as “Catastrophic” for the business, because
such data loss would have a reputational, regulatory and operational impact on the business.

Risk Score Calculation


This is where the risk criticality is allocated by looking up the likelihood and impact in the risk matrix above.

Example: A likelihood of “Probable” and an impact of “Catastrophic” on the table would denote a
Critical risk.

Assessment on risk acceptance or recommended for remediation


The business risk holder then decides whether this risk is acceptable or whether remediation actions
should be taken. These actions need to weigh the cost of remediation against the cost of the business
impact; in certain instances the remediation is more costly than the impact. Once a decision has been
made on whether to treat the risk and how, a remediation plan and timeline can be agreed. In the example,
a Critical risk is unacceptable, as the loss would be huge while the cost of remediation to
reduce the risk is quite palatable.

Set Remediation plan


State the controls which should be put in place to mitigate the risk to an acceptable level.

Example: Possible remediations are providing security awareness training, adding email filtering,
segregating admin and user accounts, and segregating the network logically. Note that some of
these are administrative controls (affecting behaviour through policy) and some are technical controls.

Reassess risk
Conduct the same assessment but with these controls theoretically in place. Does this reduce the
risk to a level where the cost, likelihood and risk impact are acceptable?

Example: In this instance, having email filtering and education in place would reduce the
likelihood to “Possible”. Having network segregation in place and admin users operating from their
“user account”, using the admin account only by exception/need, would reduce the impact to “Moderate”.
Together these actions would reduce the overall risk rating from “Critical” to “High”.

Then with the approval of the risk and budget holder, this remediation work can be scheduled and
conducted. Do further controls need putting in place, or is this risk now acceptable for the business?
This is a decision for the risk holder taking advice from the teams and subject matter experts.

This approach should then be repeated for all risks that were generated in the scenario generation
session.
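The assessment steps above, from scenario generation through reassessment, can be kept in a small risk register. The following is an added worked example written for this page, not Group IT's own tooling: it encodes the 5x5 matrix exactly as printed above, records the document's phishing scenario with its inherent and reassessed (residual) likelihood and impact, and flags entries that exceed a risk appetite. The appetite threshold and the administrative/technical labelling of each control are assumptions made for the example; the document leaves both to the risk holder and the assessment team.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Axis labels in increasing order, taken from the document's 5x5 matrix.
LIKELIHOOD_LEVELS = ["Rare", "Improbable", "Possible", "Probable", "Almost Certain"]
IMPACT_LEVELS = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic"]
RATING_ORDER = ["Very Low", "Low", "Medium", "High", "Very High", "Critical"]

# Rows are likelihood (A to E), columns are impact 1 to 5, as in the document.
RISK_MATRIX = {
    "Almost Certain": ["Medium", "High", "Very High", "Critical", "Critical"],
    "Probable":       ["Medium", "Medium", "High", "Very High", "Critical"],
    "Possible":       ["Low", "Medium", "High", "High", "Very High"],
    "Improbable":     ["Very Low", "Low", "Medium", "Medium", "High"],
    "Rare":           ["Very Low", "Very Low", "Low", "Medium", "Medium"],
}


def risk_rating(likelihood: str, impact: str) -> str:
    """Risk Score Calculation step: look up criticality in the matrix.

    Rejects labels outside the matrix so a typo in the register cannot
    silently produce a rating."""
    if likelihood not in RISK_MATRIX:
        raise ValueError(f"unknown likelihood {likelihood!r}")
    if impact not in IMPACT_LEVELS:
        raise ValueError(f"unknown impact {impact!r}")
    return RISK_MATRIX[likelihood][IMPACT_LEVELS.index(impact)]


def exceeds_appetite(rating: str, appetite: str) -> bool:
    """True when a rating is strictly worse than the accepted risk level."""
    return RATING_ORDER.index(rating) > RATING_ORDER.index(appetite)


@dataclass
class Control:
    name: str
    kind: str  # "administrative" (behaviour via policy) or "technical"


@dataclass
class RiskEntry:
    """One row of the risk register: scenario, inherent assessment, planned
    controls, and the team's reassessment with those controls in place."""
    scenario: str
    likelihood: str
    impact: str
    controls: List[Control] = field(default_factory=list)
    residual_likelihood: Optional[str] = None
    residual_impact: Optional[str] = None

    def inherent_rating(self) -> str:
        return risk_rating(self.likelihood, self.impact)

    def residual_rating(self) -> str:
        """Reassess Risk step. Without a reassessment the inherent rating stands."""
        if self.residual_likelihood is None or self.residual_impact is None:
            return self.inherent_rating()
        # Sanity check: theoretical controls must not make the picture worse.
        if (LIKELIHOOD_LEVELS.index(self.residual_likelihood) > LIKELIHOOD_LEVELS.index(self.likelihood)
                or IMPACT_LEVELS.index(self.residual_impact) > IMPACT_LEVELS.index(self.impact)):
            raise ValueError("residual assessment is worse than the inherent assessment")
        return risk_rating(self.residual_likelihood, self.residual_impact)


# The document's worked phishing example. Control kinds are assumed here.
PHISHING = RiskEntry(
    scenario="A system admin falls prey to a phishing attack, installing malware onto corporate IT systems.",
    likelihood="Probable",
    impact="Catastrophic",
    controls=[
        Control("Security awareness training", "administrative"),
        Control("Email filtering", "technical"),
        Control("Separate admin and user accounts, admin by exception", "administrative"),
        Control("Logical network segregation", "technical"),
    ],
    residual_likelihood="Possible",
    residual_impact="Moderate",
)


def register_report(entries: List[RiskEntry], appetite: str = "Medium") -> List[str]:
    """One line per register entry, ending with the acceptance decision to put
    before the risk holder. The default appetite is an assumption for the example."""
    lines = []
    for e in entries:
        inherent, residual = e.inherent_rating(), e.residual_rating()
        decision = "further treatment required" if exceeds_appetite(residual, appetite) else "within appetite"
        lines.append(f"{e.scenario} | inherent={inherent} | residual={residual} | {decision}")
    return lines


if __name__ == "__main__":
    for line in register_report([PHISHING]):
        print(line)
```

Running the block prints the phishing entry as inherent Critical and residual High; with an appetite of Medium it is still flagged for further treatment, which matches the document's closing question of whether further controls are needed.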

Continuous assessment process


This risk assessment process is an ongoing one. Where risks are identified by staff, or where
changes to the enterprise are made, the risks should be considered and recorded using the above
method.
