ISO/IEC 27005 INFORMATION TECHNOLOGY – SECURITY TECHNIQUES
INFORMATION SECURITY RISK MANAGEMENT
When Recognition Matters
WHITEPAPER
www.pecb.com
CONTENT
Introduction .......... 3
ISO/IEC 27000 family of standards .......... 8
Link with other information security standards and methods .......... 8
Links with ISO/IEC 27001 and ISO 31000 .......... 8
Information Security Risk Management – The Business Benefits .......... 8
Implementation of Information Security Risk Management using the PECB Risk Management Framework .......... 8
Certification of organizations .......... 10
Training and certifications of professionals .......... 11
PRINCIPAL AUTHORS: Eric LACHAPELLE, PECB; Rrezarta HALILI, PECB
EDITORS: Anders CARLSTEDT, Carstedt Inc. Published on November 20th, 2015
ISO/IEC 27005 // INFORMATION TECHNOLOGY – SECURITY TECHNIQUES – INFORMATION SECURITY RISK MANAGEMENT 2
INTRODUCTION
Information Security Risk Management, as proposed by this standard, goes beyond specific passwords, firewalls, filters and encryption. Its comprehensive approach, part of the growing ISO/IEC 27000 series of standards in the area of information security management systems, helps businesses take a structured approach to managing information security risks. It is a supporting standard which provides guidelines.
However, this standard does not give strict specifications or recommendations, and does not name any specific risk analysis method, although it specifies rigorous processes which should be undertaken by organizations in order to create a risk treatment plan.
Organizations of any size and type can benefit from this standard by engaging in a comprehensive and systematic preventive, protective, preparatory and mitigation process. Simply drafting a response plan that anticipates and minimizes the consequences of information security incidents is no longer sufficient; organizations also need to take adaptive and proactive measures to reduce the probability of such an event.
An effective information security risk management process, as recommended by ISO/IEC 27005, is key to a successful ISMS, since the ISO/IEC 27000 series are deliberately risk-aligned: organizations must first assess their risks before drawing up risk treatment plans.
ISO/IEC 27005 was developed to help organizations improve information security risk management and minimize the risk of business disruption.
Although the standard does not name them, it leaves the choice of risk assessment method open, so methods such as OCTAVE, EBIOS, MEHARI and NIST SP 800-30 can be applied within its process. Whichever method is chosen, an organization using this standard still learns how to implement, conduct and maintain a formal process of risk assessment, risk treatment, risk acceptance, communication, consultation, monitoring and review.
What is Information Security Risk Management?
Information Security Risk Management is the coordinated activities to direct and control an organization to effectively assess and address information security risks over time.
Key clauses of ISO/IEC 27005:2011
ISO/IEC 27005 is organized into the following main clauses:
• Clause 5: Background
• Clause 6: Overview of the information security risk management process
• Clause 7: Context establishment
• Clause 8: Information security risk assessment
• Clause 9: Information security risk treatment
• Clause 10: Information security risk acceptance
• Clause 11: Information security risk communication and consultation
• Clause 12: Information security risk monitoring and review
CLAUSE 5: BACKGROUND
The information security risk management process can be applied to part of an organization (i.e. a department, physical location or service), to the organization as a whole, and to any information system. It is necessary that the approach to information security risk management is systematic, so that it can be effective. The approach should also be aligned with the overall objectives of the organization.
CLAUSE 6: OVERVIEW OF THE INFORMATION SECURITY RISK MANAGEMENT PROCESS
ISO/IEC 27005:2011 proposes a risk management process which follows the 7 stages shown in the table below:
Risk Management Stages
1. Context establishment
2. Risk identification
3. Risk analysis
4. Risk evaluation
5. Risk treatment
6. Risk acceptance
7. Monitoring and review
These stages can be repeated in a cyclical process, and throughout this process, there should be proper risk communication and consultation in place.
CLAUSE 7: CONTEXT ESTABLISHMENT
This clause gives guidance regarding the information about the organization relevant to the information security risk management context establishment. It defines the basic criteria which need to be established for the risk management approach, risk evaluation, impact, and risk acceptance.
Basic Criteria
An appropriate risk management approach addressing the basic criteria needs to be selected. Moreover, the organization has to assess the availability of the necessary resources to:
• Perform risk assessment and establish a risk treatment plan
• Define and implement policies and procedures, including implementation of the controls selected
• Monitor controls
• Monitor the information security risk management process.
Afterwards, there are a few issues which need to be considered when developing the risk evaluation criteria, such as:
• The strategic value of the business information process
• The criticality of the information assets involved
• Legal and regulatory requirements, and contractual obligations
• The operational and business importance of availability, confidentiality and integrity
• The expectations and perceptions of stakeholders, and negative consequences for goodwill and reputation
The impact criteria should also be determined, so that they show how an information security event would have an impact on information assets, operations, business, financial value, plans, deadlines, reputation, and legal, regulatory or contractual requirements.
The criteria on risk acceptance depend on the organization, and may include e.g. multiple thresholds with a desired target level of risk, with exceptions above that level approved by top management. These criteria can also be expressed as a ratio of estimated profit to estimated risk.
Scope and boundaries
The scope of information security risk management needs to be defined by the organization. This enables the organization to make sure that relevant assets are considered in the risk assessment. The scope of information security risk management usually takes into account the organization's strategic business objectives, functions, legal requirements, contractual requirements, information security policy, overall approach to risk, geographical locations, constraints and interfaces.
Organization for information security risk management
Information security risks should be managed through an organization which needs to develop the information security risk management processes, analyse the stakeholders, define the responsibilities of each internal and external party and the decision escalation path, and specify the records which need to be kept.
CLAUSE 8: INFORMATION SECURITY RISK ASSESSMENT
Risk assessment determines the value of the information assets, identifies the applicable threats and vulnerabilities that exist (or may exist), the existing controls and their effect on the risk identified, determines the potential consequences, and finally prioritizes the derived risks and ranks them against the risk evaluation criteria set in the context establishment.
The following activities are involved in the risk assessment:
• Risk identification
• Risk analysis
• Risk evaluation
Risk identification
The purpose of risk identification is to determine what may happen to cause a potential loss, and to gain an insight into how, where and why the loss might happen. Risk identification includes the following steps:
• Identification of assets – including more than just hardware and software
• Identification of threats – likely to be of natural or human origin, and could be accidental or deliberate
• Identification of existing controls – a list of controls can be found in ISO/IEC 27001 (Annex A)
• Identification of vulnerabilities – likely to exist in the organization, processes and procedures, management routines, personnel, physical environment, information system configuration, hardware, software or communications equipment, and dependence on external parties
• Identification of consequences – may be manifested as a loss of effectiveness, adverse operating conditions, loss of business, reputation damage, etc.
Risk analysis
The sub-clause on risk analysis is divided into four sections:
• Risk analysis methodologies – can be qualitative or quantitative (or a combination, e.g. a qualitative first pass followed by quantitative analysis of the major risks)
• Assessment of consequences – heavily reliant on asset valuation
• Assessment of incident likelihood – takes into account how often the threats occur, and how easily the vulnerabilities may be exploited
• Level of risk determination – outputs a list of risks with risk levels assigned
Risk evaluation
Taking into consideration the understanding obtained from the risk analysis, risk evaluation compares the estimated levels of risk with the risk evaluation and risk acceptance criteria, and supports the decisions on whether an activity should be undertaken or not, and on the priorities for risk treatment.
CLAUSE 9: INFORMATION SECURITY RISK TREATMENT
According to this clause, risk can be treated through risk modification, risk retention, risk avoidance and risk sharing, the selection being based on risk assessment outcomes and a cost-benefit analysis.
[Figure: the risk treatment activity. Risk assessment results pass Risk Decision Point 1 (satisfactory assessment?) before entering risk treatment; the four risk treatment options (risk modification, risk retention, risk avoidance, risk sharing) produce residual risks, which pass Risk Decision Point 2 (satisfactory treatment?); if either decision point is not satisfied, the assessment or treatment is repeated.]
Risk modification: This is achieved through changing the controls which protect assets, by means of correction, elimination, prevention, impact minimization, deterrence, detection, recovery, monitoring and awareness. When changing the controls, it is important to make sure that the solution is sufficient for both performance requirements and information security. Usually, constraints such as time, financial and technical constraints are a hindrance when trying to change the controls to modify the risk.
Risk retention: If the risk evaluation shows that the risk is acceptable, it can simply be retained with no need to change any controls.
Risk avoidance: This can be achieved through completely avoiding the activity or condition which gives rise to the risk. This option is suitable when the costs of treating a risk are too high, or the risk itself is too high.
Risk sharing: This risk treatment option involves other parties such as insurance companies, or sub-contractors who would monitor the information system against an attack. However, this does not mean that the liability is shared, since the responsibility for the consequences still lies with the organization.
CLAUSE 10: INFORMATION SECURITY RISK ACCEPTANCE
Following the risk treatment, an organization needs to make decisions about the acceptance of the residual risk, which has to be reviewed and approved by the responsible managers. As a result, accepted risks are listed by the organization, with a justification for those risks that do not meet the organization's normal risk acceptance criteria.
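The assessment, treatment and acceptance steps of Clauses 8 to 10 above, carried through on a constructed mini risk register, as an added example written for this page (it is not the whitepaper's or PECB's code). The additive score (asset value + threat likelihood + ease of exploitation) follows the kind of table ISO/IEC 27005 Annex E shows; the register entries, the chosen treatments, the thresholds NORMAL_ACCEPTANCE and EXCEPTION_CEILING, and all function and field names are assumptions made for illustration.

```python
"""Worked risk assessment -> treatment -> acceptance loop in the shape ISO/IEC 27005 describes.

ADDED EXAMPLE: not code from the PECB whitepaper or from PECB. The additive scoring
follows the kind of matrix shown in ISO/IEC 27005 Annex E; the register, the
treatments and the acceptance thresholds are constructed assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass, replace

# Qualitative scale used for both threat likelihood and ease of exploitation (assumed).
SCALE = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class Risk:
    asset: str
    asset_value: int        # 0..4 from asset valuation (context establishment)
    threat: str
    likelihood: str         # how often the threat is expected to occur
    exploitability: str     # how easily the vulnerability can be exploited


def level_of_risk(r: Risk) -> int:
    """Level of risk determination: additive Annex-E-style measure in the range 0..8."""
    if not 0 <= r.asset_value <= 4:
        raise ValueError("asset value must be on the 0..4 scale")
    return r.asset_value + SCALE[r.likelihood] + SCALE[r.exploitability]


# Risk acceptance criteria (Clause 7 basic criteria): assumed thresholds.
NORMAL_ACCEPTANCE = 3   # at or below: meets the normal criteria, no treatment needed
EXCEPTION_CEILING = 6   # above NORMAL_ACCEPTANCE but at or below this: top management may
                        # accept with a documented justification; above this: never accepted


def evaluate(register: list[Risk]) -> list[tuple[int, Risk]]:
    """Risk evaluation: rank the risks against the criteria, highest level first (treatment priority)."""
    return sorted(((level_of_risk(r), r) for r in register), key=lambda lr: lr[0], reverse=True)


@dataclass(frozen=True)
class Treatment:
    option: str                       # "modification" | "retention" | "avoidance" | "sharing"
    likelihood: str | None = None     # for modification: expected likelihood once controls are changed
    exploitability: str | None = None # for modification: expected ease of exploitation afterwards


def residual_risk(r: Risk, t: Treatment) -> Risk | None:
    """Apply a treatment option; None means the activity is avoided and the risk leaves the register."""
    if t.option == "avoidance":
        return None
    if t.option in ("retention", "sharing"):
        # Sharing passes part of the consequence to another party, but the level and the
        # organization's liability are unchanged, so the register entry stays as it is.
        return r
    if t.option == "modification":
        return replace(r, likelihood=t.likelihood or r.likelihood,
                       exploitability=t.exploitability or r.exploitability)
    raise ValueError(f"unknown treatment option {t.option!r}")


def acceptance_decision(level: int, justification: str | None = None) -> str:
    """Clause 10: accept normally, accept by documented exception, or send back to treatment."""
    if level <= NORMAL_ACCEPTANCE:
        return "accepted"
    if level <= EXCEPTION_CEILING and justification:
        return "accepted by exception"
    return "not accepted: re-enter treatment"


def run_cycle(register, treatments, justifications):
    """One pass through assessment, treatment and acceptance: {asset: (initial, residual, decision)}."""
    report = {}
    for initial, r in evaluate(register):
        t = treatments.get(r.asset, Treatment("retention"))   # an untreated risk is retained as-is
        res = residual_risk(r, t)
        if res is None:
            report[r.asset] = (initial, None, "avoided")
            continue
        lvl = level_of_risk(res)
        report[r.asset] = (initial, lvl, acceptance_decision(lvl, justifications.get(r.asset)))
    return report


# Constructed mini register and treatment decisions (assumed values, not real data).
REGISTER = [
    Risk("customer-db", 4, "credential theft", "high", "high"),
    Risk("public-website", 1, "defacement", "medium", "medium"),
    Risk("legacy-fax-gateway", 2, "eavesdropping", "medium", "high"),
    Risk("build-server", 3, "supply-chain tampering", "medium", "high"),
]
TREATMENTS = {
    "customer-db": Treatment("modification", likelihood="low", exploitability="low"),  # MFA + patching
    "public-website": Treatment("retention"),
    "legacy-fax-gateway": Treatment("avoidance"),   # decommission the service
    "build-server": Treatment("sharing"),           # managed service contract; liability stays with us
}
JUSTIFICATIONS = {"build-server": "contractual SLA and provider monitoring; reviewed quarterly"}

if __name__ == "__main__":
    for asset, (before, after, decision) in run_cycle(REGISTER, TREATMENTS, JUSTIFICATIONS).items():
        print(f"{asset:20s} initial={before} residual={after} -> {decision}")
```

Running the cycle shows both decision points of the figure: customer-db drops from 8 to 4 after the controls are changed but still comes back as "not accepted", because 4 is above the normal criterion and no exception was recorded, which is what sends a risk back into treatment at Risk Decision Point 2; build-server keeps its level of 6 under risk sharing and is accepted only through the documented justification, the exact item that Clause 10 says must be listed next to the risk.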
CLAUSE 11: INFORMATION SECURITY RISK COMMUNICATION AND CONSULTATION
According to this clause, information security risks need to be communicated between the responsible individuals and the stakeholders. This communication of information security risk should provide assurance of the outcome of the risk management, share the results of the risk assessment, support decision-making, improve awareness, etc. A risk communication plan should be developed by the organization for both normal operations and emergency situations. The outcome of all this should be a continual understanding of the organization's information security risk management process and results.
CLAUSE 12: INFORMATION SECURITY RISK MONITORING AND REVIEW
This clause provides for monitoring and review of the information security risk factors as well as of the risk management process itself.
Monitoring and review of risk factors: Since risks may change due to changes in vulnerabilities, likelihood or consequences, the organization needs constant monitoring. In particular, the organization needs to make sure to monitor the following:
• New assets within the scope of risk management
• Modified asset values
• New threats
• New vulnerabilities
• Increased impact or consequences which result in an unacceptable level of risk
• Information security incidents
Monitoring and review of risk management, and improvement: Ongoing monitoring and review of information security risk management are necessary so that the organization can make sure that the context, the risk assessment outcome, risk treatment and management plans remain relevant and appropriate to the circumstances. Further, the necessary improvements need to be made with the knowledge of the appropriate managers. The issues which need to be addressed at this stage are: verification of the existing criteria, legal and environmental context, competition context, risk assessment approach, asset values and categories, total cost of ownership and necessary resources. The result of this monitoring and improvement could be the modification of, or an addition to, the approach, methodology or tools used in the risk management process.
ISO/IEC 27000 family of standards
ISO/IEC 27005 is a supporting and informative standard to other standards, and especially those related to information security. A partial list of those standards is given in the table below:
Part of the Information Security Management System Family of Standards (27000)
27000 – Overview and vocabulary
27001 – Requirements
27002 – Code of practice
27003 – Implementation guidance
27004 – Measurement
27005 – Information Security Risk Management
27006 – Audit and certification bodies requirements
27007 – Auditing guidelines
27008 – Guidance for auditors on ISMS controls
27011 – Guidelines for telecommunication organizations
27013 – Integrated ISO/IEC 27001 with ISO/IEC 20000 guidelines
27015 – Guidelines for financial services
27032 – Guidelines for cybersecurity
27035 – Security incident management
Link with other information security standards and methods
There are other widely used standards and methods which are related to ISO/IEC 27005, such as:
• ISO 31000
• OCTAVE – Operationally Critical Threat, Asset, and Vulnerability Evaluation
• EBIOS – Expression des Besoins et Identification des Objectifs de Sécurité, developed by ANSSI in France
• MEHARI method – Method for Harmonized Analysis of Risk
• NIST SP 800-30 – Guide for Conducting Risk Assessments (National Institute of Standards and Technology)
• Harmonized TRA method – Harmonized Threat and Risk Assessment methodology (Canada)
Links with ISO/IEC 27001 and ISO 31000
ISO/IEC 27005 is closely linked with the parts of ISO/IEC 27001 which deal with risk management. ISO/IEC 27005's generic framework on risk management applied to information security is actually a detailed elaboration of Clauses 4.2.1 c) to 4.2.1 h) and 4.2.3 d) of ISO/IEC 27001 (ISO/IEC 27001:2005 numbering; in ISO/IEC 27001:2013 the corresponding requirements are in clauses 6.1.2, 6.1.3, 8.2 and 8.3). It is also closely linked with the generic risk management framework of ISO 31000: ISO/IEC 27005:2011 is aligned to the generic requirements of risk management as presented in ISO 31000.
Information Security Risk Management – The Business Benefits
As with all major undertakings within an organization, it is essential to gain the backing, support and sponsorship of the executive management. Often the best way to achieve this is to illustrate the advantages of having an effective information security risk management process in place, rather than highlight the negative aspects of not having one.
An organization which adopts ISO/IEC 27005 – Information Security Risk Management – will attain a number of benefits, including the following:
• Increase the likelihood of achieving information security objectives and the general objectives of the organization
• Encourage proactive information security management
• Be aware of the need to identify and treat information security risk throughout the organization
• Improve the identification of opportunities and threats to information security
• Comply with relevant legal and regulatory requirements and international norms
• Improve mandatory and voluntary reporting
• Improve governance
• Improve stakeholder confidence and trust
• Establish a reliable basis for decision making and planning
• Improve controls
• Effectively allocate and use resources for information security risk treatment
Implementation of Information Security Risk Management using the PECB Risk Management Framework
Making the decision to implement an information security risk management process based on ISO/IEC 27005 is, most of the time, a very simple one, as the benefits are well documented. Most companies now realize that it is not sufficient to implement a generic, "one size fits all" information security plan.
A framework has been developed by PECB for information security risk management, as shown below:
[Figure: PECB Risk Management Framework]
Risk management programme
2. Context establishment
Risk assessment (steps 3 to 5):
3. Risk identification – 3.1 Identification of assets; 3.2 Identification of threats; 3.3 Identification of existing controls; 3.4 Identification of vulnerabilities; 3.5 Identification of consequences
4. Risk analysis – 4.1 Assessment of consequences; 4.2 Assessment of incident likelihood; 4.3 Level of risk determination
5. Risk evaluation – 5.1 Evaluation of levels of risk based on risk evaluation criteria
6. Risk treatment – 6.1 Risk treatment options; 6.2 Risk treatment plan; 6.3 Evaluation of residual risk
7. Risk acceptance – 7.1 Risk treatment plan acceptance; 7.2 Residual risk acceptance
8. Risk communication and consultation (throughout the process)
9. Risk monitoring and review (throughout the process)
Certification of organizations
The usual path for an organization wishing to be certified against ISO/IEC 27001 is the following:
1. Implementation of the management system: Before being audited, a management system must be in operation for some time. Usually, the minimum time required by the certification bodies is 3 months.
2. Internal audit and review by top management: Before a management system can be certified, it should previously have produced at least one internal audit report and one management review.
3. Selection of the certification body (registrar): Each organization can select the certification body (registrar) of its choice.
4. Pre-assessment audit (optional): An organization can choose to do a pre-audit to identify any possible gap between its current management system and the applicable standard requirements.
5. Stage 1 audit: A conformity review of the design of the management system. The main objective is to verify that the management system is designed to meet the requirements of the standard(s) and the objectives of the organization. It is recommended that at least some portion of the Stage 1 audit is performed on-site at the organization's premises.
6. Stage 2 audit (on-site visit): The Stage 2 audit objective is to evaluate whether the declared management system conforms to all the requirements of the standard, has actually been implemented in the organization, and can support the organization in achieving its established objectives. This stage takes place at the site(s) of the organization where the management system is implemented.
7. Follow-up audit (optional): If the auditee has non-conformities that require an additional audit before being certified, the auditor will perform a follow-up visit to validate the action plans linked to those non-conformities only.
8. Confirmation of registration: If the organization is compliant with the requirements of the standard, the registrar confirms the registration and publishes the certificate.
9. Continual improvement and surveillance audits: Once an organization is registered, surveillance activities are conducted by the certification body to ensure that the management system still complies with the standard. The surveillance activities must include on-site visits (at least one per year) that allow for verifying the conformity of the certified client's management system, and can also include investigations, e.g. following a complaint, the review of a website, or a written request for follow-up, etc.
Training and certifications of professionals
PECB has created a recommended training roadmap and a number of personnel certification schemes for implementers and auditors of an organization wishing to get certified against ISO/IEC 27001. Whereas certification of organizations is a vital component in the information security field, as it provides the evidence that organizations have developed standardized processes based on best practices, certification of individuals serves as documented evidence of the professional competencies and experience of those individuals who have attended one of the related courses and passed the exam.
It serves to demonstrate that the certified professional holds defined competencies based on best practices. It also allows organizations to make an informed selection of employees or services based on the competencies represented by the certification designation. Finally, it provides incentives to the professional to constantly improve his/her skills and knowledge, and serves as a tool for employers to ensure that the training and awareness have been effective.
PECB training courses are offered globally through a network of authorized training providers. They are available in several languages and include different levels, such as introduction, foundation, implementer and auditor courses. The table below gives a short description of PECB's official training courses for Information Security Risk Management based on ISO/IEC 27005.
Training title:
• Introduction to ISO/IEC 27005
• ISO/IEC 27005 Risk Manager
• ISO/IEC 27005/31000 Risk Manager with OCTAVE
• ISO/IEC 27005/31000 Risk Manager with EBIOS
• ISO/IEC 27005/31000 Risk Manager with MEHARI
• ISO/IEC 27005/31000 Risk Manager with introduction to methodologies
Who should attend:
• Risk managers
• Persons responsible for information security or conformity within an organization
• Members of the information security team
• IT consultants
• IT professionals wishing to obtain a comprehensive understanding of risk management within an organization
• Staff implementing or seeking to comply with ISO/IEC 27001, or involved in a risk management program, including those based on OCTAVE, EBIOS and MEHARI
Although a specified set of courses or curriculum of study is not required as part of the certification process, the completion of a recognized PECB course or program of study will significantly enhance your chance of passing a PECB certification examination. You can verify the list of approved organizations that offer PECB official training sessions on our website at www.pecb.com
CHOOSING THE RIGHT CERTIFICATION
The "Certified ISO/IEC 27005 Lead Risk Manager" credential is a professional certification for professionals needing to demonstrate the competence to implement, maintain and manage an ongoing information security risk management program according to ISO/IEC 27005, while the Provisional Risk Manager credential is granted to those who do not have sufficient professional experience, but have finished the training and passed the exam.
Based on your overall professional experience and acquired qualifications, you will be granted one of these certifications.
Certification: Certified ISO/IEC 27005 Provisional Risk Manager
  Exam: Certified ISO/IEC 27005 Risk Manager Exam
  Professional experience: None
  Risk assessment experience: None
  Other requirements: Signing the PECB code of ethics
Certification: Certified ISO/IEC 27005 Risk Manager
  Exam: Certified ISO/IEC 27005 Risk Manager Exam
  Professional experience: Two years, including one year of risk management related work experience
  Risk assessment experience: Risk management activities totaling 200 hours
  Other requirements: Signing the PECB code of ethics
www.pecb.com
+1-844-426-7322
Customer Service