ISO27001 risk management and what a risk register could contain (Clause 6.1.2)
Chris Hall, ISO27001 Expert and Thought Leader
Source: https://www.linkedin.com/pulse/iso27001-risk-management-what-register-could-contain-chris-hall (captured 6/8/23, 17:55)

The objective of this article

This article is to give you some of my views on ISO27001 / information risk management and my recommendations on what a risk register could contain. It is not the intention of this article to give you a methodology/process for carrying out risk assessments. It is my opinion on some aspects of this.

A bit of history (OK, it is my history)

About 15 years ago I got a job as a risk manager. It was in a large company and I was risk manager for 3 divisions of the company - Procurement, Engineering and IT (including Information Security). I learnt some fundamental things about risk management:

- 99% of all people in the world are not interested in risk management. They don't see any value in it.
- It is not about the risk register. It is about the discussion and the decisions. It is all about the people. You need to engage with the people!
- Keep it all as simple as possible.

On the first point I always thought this was a bit odd given it is something we all do every day. What is the risk of getting hurt when I cross the road? What is the likelihood? What would be the impact? What can I do to manage the risk of getting hurt? Etc.

On the last point I created a risk register approach that was as simple as I thought it could be to facilitate the discussions and decision making. It worked well and after a few years as a general risk manager I became an Information Security person and I have carried the approach forward with me to the present day. Yes, it's true: I have been using the same register template and approach pretty much unchanged for nearly 15 years.

Fundamental concepts

A few thoughts about risk management in general. Risk management is a management technique to help your organisation achieve its objectives, and it does this by focusing on helping you understand some of those bad things that could happen that might stop you achieving your objectives. It then helps you decide what you could do to manage those bad things, hopefully stop them happening! It's a management technique to help you make decisions, and if it is not helping you make decisions then it is a pointless thing to do. Risk management is a pretty poor technique for managing risks, but it is the least worst technique we have and, like all management techniques, sometimes it works and sometimes it doesn't. Again, like all management techniques, it takes some skill to get it to work properly and the more you do it the better you get at doing it. Like all the best management techniques, at its core it is pretty simple.

A bit more history (this time about ISO27001)

One of the significant changes in the 2013 version of ISO27001 was that the requirements for undertaking the risk assessment were simplified. For example, in the 2005 version of the standard you had to have an information asset register and undertake a threat and vulnerability analysis. These are no longer required, although you can do them if you want to. In practice I see a lot of people still doing risk management the "2005" way because it is what they know. When I did the 2005 version of ISO27001 my risk register approach was a bit different because of the 2005 requirements. When the 2013 version came out it reverted back to its slightly simpler version.

What do I think an information risk register should contain?

This is my recommendation for the ten attributes that I recommend each risk should have.

1. Risk ID of some sort. E.g. R003. Just so you can uniquely identify it.

2. Risk description. What is "the bad thing that could happen to lead to the loss of confidentiality, availability or integrity of information in your scope"? You should try to be clear about the business impact of this bad thing happening as well as one or more of the possible causes.

3. Risk owner. You must identify a risk owner. This needs to be someone who can take decisions about the risk and is usually someone fairly senior. Who is going to feel the pain if this bad thing happens? What is sometimes useful is to have an additional attribute which is the "Delegated Risk Manager", who is the person who reports to the risk owner but can deal with the risk on an ongoing basis. However, it is still important that the risk owner has some level of understanding and ownership of the risk. I don't really understand why, but in my experience it is unusual for certification auditors to talk to any risk owners to ask about their understanding of their risks and the decisions they have made. But they should!

4. Existing Necessary Controls. What is it that you have in place that is helping to manage the risk today? You do not have to list all the controls currently managing the risk, as the standard only requires you to list the necessary controls. Try to keep this list to a manageable number. If there are some controls that you think you should have but are not implemented, these should be described in your risk improvement activities.

5. Current Likelihood. As a single number, how likely is this to happen in, say, the next 12 months? People use various scales but I suggest this is a number from 1 (low) to 5 (high). I suggest that this likelihood rating is based on your current understanding of how well the controls are operating to manage the risk today, i.e. how effective they are today taking into account any currently known weaknesses in the controls.

6. Current Impact. As a single number, what is the business impact of the loss of confidentiality, availability and integrity of the information affected by the risk? This is usually a single number from 1 (low) to 5 (high). Some people like to do this as 3 separate numbers/assessments, one for each of confidentiality, availability and integrity, but to keep it simple I recommend just using a single value. The standard does not require 3 separate assessments. As with the likelihood, this should take into account any knowledge you have about the current effectiveness and known current weaknesses of the controls managing the risk.

7. Current Risk Score. There are more complicated ways of doing this but just multiplying together the values for likelihood and impact will do. Also called the "Level of risk". I.e. a value from 1 to 25.

8. Current Risk Rating. This represents whether this risk is within your risk appetite, however that is defined: yes or no. This is usually based on the risk score. E.g. "Any risks with a score of over 12 are outside the risk appetite". People often have two breakpoints: one for risks that are well outside the risk appetite (e.g. with a score over 20) and one for risks that are above the risk appetite but not quite so much, e.g. above 12 and less than 21. This can usefully be represented as Red, Amber, Green.

(Optional) Should you be happy with this score? If the current risk score is within the risk appetite the answer is Yes. Otherwise it is No. This attribute is optional but it can help with the thinking.

9. Improve it? If the risk is within the risk appetite this should be "Do not improve", i.e. we are happy with this risk and there is nothing more to do. If it is outside the risk appetite this could possibly be "Do not improve", depending on your risk assessment process and risk acceptance criteria. However, if it is outside the risk appetite this is most likely to be "Improve", i.e. do something about it. You could also use "Avoid" or "Transfer" for this but in practice these are not likely to be used much, if at all.

10. Risk improvement activities. If you have said "Improve" then this is how you are going to improve it, which in most cases will be to implement one or more new controls or make improvements to existing controls. The idea is that when these actions have been completed they will have some effect on the likelihood or impact and hopefully this will be sufficient to bring the risk within the risk appetite. Each action should have an owner and a target date for completing the action.

I don't do it, but some people have extra column(s) on the end that represent the "residual risk" in a formal way. This could be 3 columns: "Residual risk likelihood", "Residual risk impact" and "Residual risk score". Instead of 3 columns you could just have one that is the "Residual risk score".
The idea behind this is to represent somehow what you think the "Current" risk attributes (current likelihood and impact) will be after the controls and risk improvement activities have all been fully implemented, i.e. a sort of "Target risk" or the "risk that is left". In practice I don't find it that useful to do this, but I can see why people like it, and ISO27001 auditors like it a lot as it makes it easy for them to see that the risk owners understand what their residual risk will be.

This all needs to be done in the context of, and following, your risk methodology/process. It is possible to have a risk register with fewer attributes per risk, but a risk register that has these attributes meets the requirements of ISO27001 (and the guidance in ISO31000). If you are using Excel for your risk register these attributes can be separate columns, but you can combine/split some of them if you prefer.

There are many different interpretations of the risk management requirements of ISO27001, what some of the terms mean and how to do this. Also, it is possible to have lots of other attributes and a lot more complexity. Typical extra attributes I have seen are inherent risk, gross risk, net risk, target risk, information asset, separate impact ratings for each of CIA, control RAGs, control % reduction, threat actor, threats and vulnerabilities assessments, etc. However, in my experience adding these extra attributes usually adds limited, if any, value compared to the cost of including them. What is important is the discussions about the risk and the decisions taken about the management of the risks.

Don't forget that it is very important to be reviewing and updating your risk register. In my experience this only works if you meet regularly (e.g. quarterly) with each of the risk owners. This needs to include looking carefully at all the risks, including those that have been accepted, since things might have changed.

Summary

What I have described is a straightforward information risk register approach that I have used for many years and that works irrespective of the size and nature of the organisation and how mature it is. It is suitable for a very large multinational that has been doing ISO27001 for many years as well as an organisation with 3 people that has never done one before. In my opinion it can also be used for other types of operational risk, although some disciplines (e.g. environment) have some very specific requirements and need more detail. It is less suitable for strategic risks and programme/project risks. Over the last 15 years I have successfully implemented this risk register approach for many organisations, and this includes many ISO27001 implementations. They have all been certified on the first attempt.

Oh, and don't forget: it's the discussions and decision making that are important, not how detailed or accurate the risk register is. Keep it simple!

Chris
www.btrp.co.uk

7 comments

Larry, PE (9 months ago): Chris, love all of your articles, thank you for sharing your time and experience with the world! I am in the process of transitioning from ISO 27001:2013 to 2022. I believe our program was not created in the appropriate way based on reading your articles - we started with the SOA to get smarter on the process. I would like to use the …

Larry, PE: That is the approach that is given in the new version of ISO27005, which is guidance on information security risk assessments. The key thing in this is …

Mark: This is a great article Chris, many thanks for sharing.