Risk is defined as the possibility that an event will occur and adversely affect the achievement of an objective. Risks can come from various sources, such as accidents, natural disasters, deliberate attacks by an adversary, events with an unpredictable root cause, project failure (at any phase of the lifecycle: design, development, production or sustainment) and legal liabilities.
Risk management is the process of identifying, assessing and controlling threats to an organisation. It allows companies to attempt to prepare for the unexpected, by minimising risks and extra costs before they happen.
ISO27005 is a framework which provides guidelines for information security risk management. It is designed to support the implementation of information security based on a risk management approach and follows the general concepts specified in ISO 27001 (Plan, Do, Check, Act). It also implies a continuous process.
As an individual, you may become ISO27005 certified, which shows that you possess the knowledge and competence to assess information security risks. It also indicates that you are able to identify, analyse, evaluate and treat the risks your organisation is facing. On top of that, it enables you to understand and prioritise those risks and take appropriate actions to mitigate them.
The framework contents
ISO27005 does not specify or recommend a method. It indicates the need to identify risks, but it does not show how to do so. You are free to choose the method that best fits your organisation. ISO27005 functions as a guideline for the approach to risk management. It helps to create the structure your organisation needs in order to understand and control its risks, avoid potential threats and minimise their possible impact. Setting up this structure involves:
- Development of the information security risk management process suitable for this structure
- Identification and analysis of the stakeholders
- Definition of roles and responsibilities of all parties (both internal and external to the risk management structure)
- Establishment of the required relationships between stakeholders and the risk management structure
- Definition of decision escalation paths
- Specification of records to be kept
- And, most importantly, obtaining the support of management
It follows a set of activities:
- Establish the risk management context: when defining the scope and boundaries, consider a series of aspects like the internal and external context of the organisation, the organisation’s structure, business processes, stakeholders’ expectations and compliance & legal obligations.
- The risk assessment, which consists of:
  - Identification: determine what could happen that causes a potential loss, and gain insight into how, where and why the loss might happen. You should take into account the identification of assets, threats, existing controls, vulnerabilities and the consequences that a loss of confidentiality, integrity or availability (CIA) may have on those assets.
  - Analysis: the analysis may be qualitative, quantitative or a combination of both, and it should be consistent with the risk evaluation criteria.
  - Evaluation: determine the impact if the risk were to occur, its likelihood and the resulting level of risk. This is then compared against the risk evaluation criteria.
- The risk treatment: depending on the level of risk you are able to accept, you will have to prioritise and treat the risks using one of the following options:
  - Modification: apply security controls
  - Retention: accept the risk
  - Avoidance: withdraw from the activity
  - Sharing: transfer the risk to another party (e.g. insurance)
  Then assess the effectiveness of the risk treatment and decide whether the residual risk levels are acceptable or not.
- Risk communication: keep stakeholders and decision-makers informed throughout the process
- Risk monitoring and review: risks are not static. Threats, vulnerabilities, consequences or likelihood may change over time. The goal is to identify any change (new assets, new threats, modified business requirements, possibly new vulnerabilities, etc.) and maintain an overview of the risk picture. This ensures that the context and the outcome of the risk assessment and treatment remain relevant at all times.
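To make the evaluation and treatment steps above concrete, here is a small worked example (added here, not part of the original article or of ISO 27005 itself): a quantitative risk register that computes the level of risk, compares it with the acceptance criteria, prioritises, applies one of the four treatment options and re-evaluates the residual risk. The 1..5 scales, the acceptance threshold, the asset names and the estimates are constructed assumptions.

```python
from dataclasses import dataclass, replace

# Evaluation criteria (constructed assumption): level = likelihood x impact on 1..5 scales,
# and a level above this threshold is not acceptable without treatment.
ACCEPTANCE_THRESHOLD = 8
TREATMENTS = {"modify", "retain", "avoid", "share"}  # the four ISO 27005 options

@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe) loss of C, I or A
    treatment: str = ""  # empty until a treatment decision is recorded

    def level(self) -> int:
        return self.likelihood * self.impact

def is_acceptable(risk: Risk, threshold: int = ACCEPTANCE_THRESHOLD) -> bool:
    """Risk evaluation: compare the level of risk with the acceptance criteria."""
    return risk.level() <= threshold

def prioritise(register: list) -> list:
    """Treatment starts with the highest level of risk."""
    return sorted(register, key=lambda r: r.level(), reverse=True)

def treat(risk: Risk, option: str, likelihood=None, impact=None) -> Risk:
    """Apply one treatment option and return the residual risk to re-evaluate."""
    if option not in TREATMENTS:
        raise ValueError(f"unknown treatment option: {option}")
    if option == "avoid":    # withdrawing the activity removes the scenario
        return replace(risk, likelihood=0, impact=0, treatment=option)
    if option == "retain":   # accepting: level unchanged, decision recorded
        return replace(risk, treatment=option)
    # "modify" (controls) and "share" (e.g. insurance) need new estimates of the
    # likelihood and/or the impact the organisation still bears.
    return replace(risk, treatment=option,
                   likelihood=risk.likelihood if likelihood is None else likelihood,
                   impact=risk.impact if impact is None else impact)

def still_unacceptable(register: list) -> list:
    """Assets whose residual level still exceeds the criteria after treatment."""
    return [r.asset for r in register if not is_acceptable(r)]

# Constructed sample register (hypothetical assets, threats and estimates)
REGISTER = [
    Risk("customer database", "credential theft", "no MFA on admin accounts", 4, 5),
    Risk("office printer", "firmware tampering", "default admin password", 2, 2),
    Risk("payroll SaaS", "provider outage", "single provider, no fallback", 3, 3),
]
```

Running `still_unacceptable` on the treated register closes the loop: anything it still returns goes back into the treatment step, which is the continuous process the framework implies.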
There are several existing methods for analysing information security risks, each with its own specifications. The following list is not exhaustive, but to mention a few of them: Mehari, Octave, Ebios 2010, Ebios Risk Manager (Ebios 2018) and CRAMM.