ISO27001 risk management and what a risk register could contain (Clause 6.1.2)
Chris Hall
ISO27001 Expert and Thought Leader
The aim of this article
This article gives you some of my points of view on ISO27001/information risk management and my recommendations on what a risk register could contain. It is not the intention of this article to give you a methodology/process for carrying out risk assessments; it is my opinion on some aspects of this.
A bit of history (OK, it's my history)
About 15 years ago I got a job as a risk manager. It was in a large company and I was risk manager for 3 divisions of the company - Procurement, Engineering and IT (including Information Security). I learnt some fundamental things about risk management:
- 99% of all people in the world are not interested in risk management. They don't see any value in it.
- It is not about the risk register. It is about the discussion and the decisions. It is all about the people. You need to engage with the people!
- Keep it all as simple as possible.
(Source: https://www.linkedin.com/pulse/iso27001-risk-management-what-register-could-contain-chris-hall | LinkedIn)
On the first point I always thought this was a bit odd given it is something we all do every day. What is the risk of getting hurt when I cross the road? What is the likelihood? What would be the impact? What can I do to manage the risk of getting hurt? Etc.
On the last point I created a risk register approach that was as simple as I thought it could be to facilitate the discussions and decision making. It worked well and after a few years as a general risk manager I became an Information Security person and I have carried the approach forward with me to the present day. Yes, it's true: I have been using the same register template and approach pretty much unchanged for nearly 15 years.
Fundamental concepts
A few thoughts about risk management in general
Risk management is a management technique to help your organisation achieve its objectives. It does this by focusing on helping you understand some of those bad things that could happen that might stop you achieving your objectives. It then helps you decide what you could do to manage those bad things, hopefully stopping them happening! It is a management technique to help you make decisions, and if it is not helping you make decisions then it is a pointless thing to do. Risk management is a pretty poor technique for managing risks, but it is the least bad technique we have and, like all management techniques, sometimes it works and sometimes it doesn't. Again, like all management techniques, it takes some skill to get it to work properly and the more you do it the better you get at doing it. Like all the best management techniques, at its core it is pretty simple.
A bit more history (this time about ISO27001)
One of the significant changes in the 2013 version of ISO27001 was that the requirements for undertaking the risk assessment were simplified. For example, in the 2005 version of the standard you had to have an information asset register and undertake a threat and vulnerability analysis. These are no longer required, although you can do them if you want to. In practice I see a lot of people still doing risk management the "2005" way because it is what they know.
When I did the 2005 version of ISO27001 my risk register approach was a bit different because of the 2005 requirements. When the 2013 version came out it reverted back to its slightly simpler version.
What do I think an information risk register should contain?
This is my recommendation for the ten attributes that I recommend each risk should have:
1. Risk ID of some sort. E.g. R003. Just so you can uniquely identify it.
2. Risk description. What is "the bad thing that could happen to lead to the loss of confidentiality, availability or integrity of information in your scope"? You should try to be clear about the business impact of this bad thing happening as well as one or more of the possible causes.
3. Risk owner. You must identify a risk owner. This needs to be someone who can take decisions about the risk and is usually someone fairly senior. Who is going to feel the pain if this bad thing happens? What is sometimes useful is to have an additional attribute which is the "Delegated Risk Manager", who is the person who reports to the risk owner but can deal with the risk on an ongoing basis. However, it is still important that the risk owner has some level of understanding and ownership of the risk. I don't really understand why, but in my experience it is unusual for certification auditors to talk to any risk owners to ask about their understanding of their risks and the decisions they have made. But they should!
4. Existing necessary controls. What is it that you have in place that is helping to manage the risk today? You do not have to list all the controls currently managing the risk as the standard only requires you to list the necessary controls. Try to keep this list to a manageable number. If there are some controls that you think you should have but are not implemented, these should be described in your risk improvement activities.
5. Current likelihood. As a single number, how likely is this to happen in, say, the next 12 months? People use various scales but I suggest this is a number from 1 (low) to 5 (high). I suggest that this likelihood rating is based on your current understanding of how well the controls are operating to manage the risk today, i.e. how effective they are today taking into account any currently known weaknesses in the controls.
6. Current impact. As a single number, what is the business impact of the loss of confidentiality, availability and integrity of the information affected by the risk? This is usually a single number from 1 (low) to 5 (high). Some people like to do this as 3 separate numbers/assessments, one for each of confidentiality, availability and integrity, but to keep it simple I recommend just using a single value. The standard does not require 3 separate assessments. As with the likelihood, this should take into account any knowledge you have about the current effectiveness and known current weaknesses of the controls managing the risk.
7. Current risk score. There are more complicated ways of doing this but just multiplying together the values for likelihood and impact will do. Also called the "level of risk". I.e. a value from 1 to 25.
8. Current risk rating. This represents whether this risk is within your risk appetite, however that is defined: yes or no. This is usually based on the risk score, e.g. "Any risks with a score of over 12 are outside the risk appetite". People often have two breakpoints: one for risks that are well outside the risk appetite (e.g. with a score over 20) and one for risks that are above the risk appetite but not quite so much, e.g. above 12 and less than 21. This can usefully be represented as Red, Amber, Green.
(Optional) Should you be happy with this score? If the current risk score is within the risk appetite the answer is yes. Otherwise it is no. This attribute is optional but it can help with the thinking.
9. Improve it? If the risk is within the risk appetite this should be "Do not improve", i.e. we are happy with this risk and there is nothing more to do. If it is outside the risk appetite this could possibly be "Do not improve" depending on your risk assessment process and risk acceptance criteria. However, if it is outside the risk appetite this is most likely to be "Improve", i.e. do something about it. You could also use "Avoid" or "Transfer" for this but in practice these are not likely to be used much, if at all.
10. Risk improvement activities. If you have said "Improve" then this is how you are going to improve it, which in most cases will be to implement one or more new controls or make improvements to existing controls. The idea is that when these actions have been completed they will have some effect on the likelihood or impact and hopefully this will be sufficient to bring the risk within the risk appetite. Each action should have an owner and a target date for completing the action.
I don't do it, but some people have extra column(s) on the end that represent the "residual risk" in a formal way. This could be 3 columns: "Residual risk likelihood", "Residual risk impact" and "Residual risk score". Instead of 3 columns you could just have one that is the "Residual risk score". The idea behind this is to represent somehow what you think the "Current" risk attributes (current likelihood and impact) will be after the controls and risk improvement activities have all been fully implemented, i.e. a sort of "target risk" or the "risk that is left". In practice I don't find it that useful to do this, but I can see why people like it, and ISO27001 auditors like it a lot as it makes it easy for them to see that the risk owners understand what their residual risk will be.
This all needs to be done in the context of, and following, your risk methodology/process.
It is possible to have a risk register with fewer attributes per risk, but a risk register that has these attributes meets the requirements of ISO27001 (and the guidance in ISO31000). If you are using Excel for your risk register these attributes can be separate columns, but you can combine/split some of them if you prefer.
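As an added illustration (not code from the article or its author), here is a Python model of the ten attributes above, deriving the score, Red/Amber/Green rating and "Improve?" decision from the article's example breakpoints (over 12 outside appetite, over 20 well outside), with the optional residual-risk columns and two checks a quarterly review with the risk owners would raise. The register entries and the breakpoints as constants are constructed assumptions.

```python
from dataclasses import dataclass, field

APPETITE_MAX = 12   # article's example: a score over 12 is outside the risk appetite
RED_MIN = 21        # and a score over 20 is "well outside" it (Red)

@dataclass
class Risk:
    risk_id: str                 # 1. unique ID, e.g. R003
    description: str             # 2. the bad thing that could happen and its business impact
    owner: str                   # 3. someone senior enough to take decisions about the risk
    necessary_controls: list     # 4. controls helping to manage the risk today
    likelihood: int              # 5. 1 (low) .. 5 (high) over, say, the next 12 months
    impact: int                  # 6. single CIA impact value, 1 .. 5
    actions: list = field(default_factory=list)   # 10. improvement activities
    residual_likelihood: "int | None" = None       # optional residual-risk columns
    residual_impact: "int | None" = None
    def __post_init__(self):     # reject entries that cannot be scored or owned
        for name, v in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= v <= 5:
                raise ValueError(f"{self.risk_id}: {name} must be 1..5, got {v}")
        if not self.owner.strip():
            raise ValueError(f"{self.risk_id}: a risk owner is mandatory")
    def score(self) -> int:      # 7. level of risk = likelihood x impact (1..25)
        return self.likelihood * self.impact
    def rating(self) -> str:     # 8. current risk rating as Red / Amber / Green
        s = self.score()
        return "Red" if s >= RED_MIN else "Amber" if s > APPETITE_MAX else "Green"
    def treatment(self) -> str:  # 9. "Improve?" derived from the risk appetite
        return "Do not improve" if self.score() <= APPETITE_MAX else "Improve"
    def residual_score(self) -> "int | None":   # only if the optional columns are filled
        if self.residual_likelihood is None or self.residual_impact is None:
            return None
        return self.residual_likelihood * self.residual_impact

def register_issues(risks: list) -> list:   # checks a quarterly review should pick up
    issues = []
    for r in risks:
        if r.treatment() == "Improve" and not r.actions:
            issues.append(f"{r.risk_id}: outside appetite but no improvement activities")
        rs = r.residual_score()
        if rs is not None and rs > APPETITE_MAX:
            issues.append(f"{r.risk_id}: residual score {rs} still outside appetite")
    return issues

# Constructed sample register (illustrative entries, not from the article)
REGISTER = [
    Risk("R001", "Lost laptop holding unencrypted customer data", "COO", ["Encryption policy"], 4, 4,
         actions=["Enforce full-disk encryption (IT Manager, due 2024-03-31)"], residual_likelihood=2, residual_impact=4),
    Risk("R002", "Backups cannot be restored after ransomware", "CTO", ["Nightly backups"], 5, 5),
]
```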
There are many different interpretations of the risk management requirements of ISO27001, of what some of the terms mean and of how to do this. Also, it is possible to have lots of other attributes and a lot more complexity. Typical extra attributes I have seen are inherent risk, gross risk, net risk, target risk, information asset, separate impact ratings for each of CIA, control RAGs, control % reduction, threat actor, threats and vulnerabilities assessments, etc. However, in my experience adding these extra attributes usually adds limited, if any, value compared to the cost of including them. What is important is the discussions about the risk and the decisions taken about the management of the risks.
Don't forget that it is very important to be reviewing and updating your risk register. In my experience this only works if you meet regularly (e.g. quarterly) with each of the risk owners. This needs to include looking carefully at all the risks, including those that have been accepted, since things might have changed.
Summary
What I have described is a straightforward information risk register approach that I have used for many years and that works irrespective of the size and nature of the organisation and how mature it is. It is suitable for a very large multinational that has been doing ISO27001 for many years as well as an organisation with 3 people that has never done one before. In my opinion it can also be used for other types of operational risk, although some disciplines (e.g. environment) have some very specific requirements and need more detail. It is less suitable for strategic risks and programme/project risks.
Over the last 15 years I have successfully implemented this risk register approach for many organisations and this includes many ISO27001 implementations. They have all been certified on the first attempt.
Oh, and don't forget. It's the discussions and decision making that are important, not how detailed or accurate the risk register is.
Keep it simple!
Chris
www.btrp.co.uk
Comments
Larry [surname illegible], PE (9 months ago): Chris, I love all of your articles, thank you for sharing your time and experience with the world! I am in the process of transitioning from ISO 27001:2013 to 2022. I believe our program was not created in the appropriate way based on reading your articles - we started with the SOA [remainder illegible]
Larry [surname illegible], PE: That is the approach that is given in the new version of ISO27005, which is guidance on information security risk assessments. The key thing in this is [remainder illegible]
Mark: This is a great article Chris, many thanks for sharing.