SlideShare une entreprise Scribd logo

ISO 27005 - Digital Trust Framework

Télécharger en tant que PPTX, PDF
Maganathin Veeraragaloo
Maganathin Veeraragaloo

ISO 27005 integrated with FAIR which feeds into the Digital Trust Framework

Technologie
1  sur  62
DIGITAL TRUST FRAMEWORK (DTF) Maganathin Veeraragaloo 7th December 2021
The TMForum's Open Digital Architecture (ODA)will be used as the cornerstone for this Framework https://www.tmforum.org/oda/ ODA was initially designed for the Telecommunications Industry inclusive of 5G Services. The Digital Trust Framework is developed for the 4IR Environment The Digital Trust Framework (DTF) will be a blueprint for modular, cloud-based, open digital platforms that can be orchestrated using AI ODA will be integrated with COBIT 2019, ITIL 4 and ISO 27005 RISK MANAGER – this is to ensure an overall Digital Trust approach for a continuous evolving SYSTEMS Environment
Transformation Tools As-Is Applications Transformation Toolkits Maturity Tools Metrics Maturity Models Data Benchmark Data AI Training Data DIGITAL TRUST FRAMEWORK DIGITAL TRUST ARCHITECTURE Governance Concepts & Principles Design Guides Microservices Architecture Governance AI Governance Data Governance Security Governance Agile Lifecycle Management Business Deployment & Run Information Systems Implementation Business Capability Repository Process Framework Information Framework Integration Framework Functional Framework & Architecture Canvas Operation Frameworks Reference Implementation Technical Architecture Components Open API’s Data Model
ITIL 4 Capability Framework DIGITAL TRUST FRAMEWORK Governance & Processes Cybersecurity Mesh Architecture
ISO 27005 OVERVIEW
SOURCE: https://theriskacademy.org/is0-31000-iso-27005/
The first of these is ISO 31000. Because of its general context, it provides overall guidelines to any area of risk management (i.e., finance, engineering, security, among others). Although most organizations already have a defined methodology in place to manage risks, this new standard defines a set of principles that must be followed in order to ensure the effectiveness of risk management. It suggests that companies should continually develop, implement, and improve a framework whose goal is to integrate the process for managing risks associated with governance, strategy, and planning, as well as management, the reporting of data and results, policies, values and culture throughout the entire organization. https://theriskacademy.org/is0-31000-iso-27005/
Risk Management Best Practices for ISO 31000 Although ISO 31000 depicts the management process more thoroughly, and has differing terms and expressions, both standards address the risk management process in a similar fashion. According to ISO 31000, organizations typically determine the context and manage risk by identifying it, analysing it, and subsequently assessing whether the risk should be modified by a strategic approach so as to comply with its risk criteria. Throughout this entire process, these organizations must communicate and consult with stakeholders, while critically monitoring and analysing the risk and controls that modify it, so as to ensure that no additional risk management approach will be required. https://theriskacademy.org/is0-31000-iso-27005/
The other is ISO 27005. Part of the ISO 27000 since 2008, this standard establishes risk management best practices specifically geared towards risk management for information security, particularly with regards to complying with the requirements of an Information Security Management System (ISMS), as mandated by ISO/IEC 27001. It establishes that risk management best practices should be defined in accordance with the characteristics of the organization, taking into account the scope of its ISMS, the risk management context, as well as its industry. According to the framework described in this standard for implementing the requirements of ISMS, several different methodologies may be used and different approaches to risk management as it relates to information security may are introduced in the appendix of the document. https://theriskacademy.org/is0-31000-iso-27005/
Risk Management Best Practices for ISO 27005 As for ISO 27005, risk management as it relates to information security should define the context, evaluate the risks, and address them through a plan, in order to implement the recommendations and decisions. Risk management analyses the potential events and its consequences prior to deciding what to do and when to do it, so as to reduce risks to an acceptable level. Additionally, the standard includes decisions on the analysis and treatment of risks, since risk acceptance activities will ensure that residual risks be explicitly accepted by company management. This is particularly important in situations where control implementation is either omitted or postponed, for example, because of cost. https://theriskacademy.org/is0-31000-iso-27005/
SO 27005 is the international standard that describes how to conduct an information security risk assessment in accordance with the requirements of ISO 27001. Risk assessments are one of the most important parts of an organisation’s ISO 27001 compliance project. ISO 27001 requires you to demonstrate evidence of information security risk management, risk actions taken and how relevant controls from Annex A have been applied. ISO 27005 is applicable to all organisations, regardless of size or sector. It supports the general concepts specified in ISO 27001, and is designed to assist the satisfactory implementation of information security based on a risk management approach. https://theriskacademy.org/is0-31000-iso-27005/
Information security risk management is integral to information security management. It defines the process of analysing what could happen and what the consequences might be, and helps organisations determine what should be done and when to reduce risk to an acceptable level. Information security risk management should be a continual process that contributes to: Identifying and assessing risk; Understanding risk likelihood and the consequences for the business; Establishing a priority order for risk treatment; Stakeholder involvement in risk management decisions; The effectiveness of risk treatment monitoring; and Staff awareness of risks and the actions being taken to mitigate them. Organisations should adopt a systematic approach to information security risk to accurately determine their information security needs. https://theriskacademy.org/is0-31000-iso-27005/
Although ISO 27005 does not specify any specific risk management methodology, it does imply a continual information risk management process based on six key components: 1. Context establishment 2. Risk assessment 3. Risk treatment 4. Risk acceptance 5. Risk acceptance 6. Risk monitoring and review https://theriskacademy.org/is0-31000-iso-27005/
1. Context Establishment: The risk management context sets the criteria for how risks are identified, who is responsible for risk ownership, how risks impact the confidentiality, integrity and availability of the information, and how risk impact and likelihood are calculated. 2. Risk Assessment: Many organisations choose to follow an asset-based risk assessment process comprising five key stages: i. Compiling information assets. ii. Identifying the threats and vulnerabilities applicable to each asset. iii. Assigning impact and likelihood values based on risk criteria. iv. Evaluating each risk against predetermined levels of acceptability. v. Prioritising which risks need to be addressed, and in which order. https://theriskacademy.org/is0-31000-iso-27005/
3. Risk Treatment: There are four ways to treat a risk: i. Avoid’ the risk by eliminating it entirely. ii. ‘Modify’ the risk by applying security controls. iii. ‘Share’ the risk with a third party (through insurance or outsourcing). iv. ‘Retain’ the risk (if the risk falls within established risk acceptance criteria). 4. Risk Acceptance: Organisations should determine their own criteria for risk acceptance that consider existing policies, goals, objectives and shareholder interests. https://theriskacademy.org/is0-31000-iso-27005/
5. Risk Communication and Consultation: Effective communication is pivotal to the information security risk management process. It ensures that those responsible for implementing risk management understand the basis on which decisions are made, and why certain actions are required. Sharing and exchanging information about risk also facilitates agreement between decision makers and other stakeholders on how to manage risk. Risk communication activity should be performed continually, and organisations should develop risk communication plans for normal operations as well as emergency situations. 6. Risk Monitoring and Review: Risks are not static and can change abruptly. Therefore, they should be continually monitored in order to quickly identify changes and maintain a complete overview of the risk picture. Organisations should also keep a close eye on:  Any new assets included within the risk management scope;  Asset values that require modification in response to changing business requirements;  New threats, whether external or internal, that have yet to be assessed; and  Information security incidents. https://theriskacademy.org/is0-31000-iso-27005/
Unlike other popular risk management standards that adopt a one-size-fits-all approach, ISO 27005 is flexible in nature and allows organisations to select their own approach to risk assessment based on their specific business objectives. ISO 27005 follows a simple, repeatable structure with each of the main clauses organised into the following four sections:  Input: the information necessary to perform an action.  Action: the activity itself.  Implementation guidance: any additional detail.  Output: the information that should have been generated by the activity. This consistent approach helps to ensure that organisations have all the information required before beginning any risk management activity. ISO 27005 also supports ISO 27001 compliance, as the latter standard specifies that any controls implemented within the context of an ISMS (information security management system) should be risk based. Implementing an ISO 27005-compliant information security risk management process can satisfy this requirement. https://theriskacademy.org/is0-31000-iso-27005/
SOURCE: https://pubs.opengroup.org/onlinepubs/9698999699/toc.pdf
ISO/IEC 27001 describes a general process for the ISMS, and in that context ISO/IEC 27005 defines the approach to managing risk. FAIR provides a methodology for analysing risk. This section describes how the FAIR methodology can be used to analyse risk in the context of ISO/IEC 27005 and the ISMS. ISO/IEC 27005 and ISO/IEC 27001 provides the foundation for the risk management portion of the ISMS:  Define the risk assessment approach of the organization  Identify the risks  Analyse and evaluate the risks  Identify and evaluate options for the treatment of risks  Select control objectives and controls for the treatment of risks Obtain management approval of the proposed residual risks This generally outlines the process for managing risk at a very high level. ISO/IEC 27005 specifies in more detail the management of risk without providing specifics or identifying a methodology for determining risk level. FAIR provides a methodology to achieve the steps shown above, specifically ―identify the risks‖ and ―analyse and evaluate the risks. SOURCE: https://pubs.opengroup.org/onlinepubs/9698999699/toc.pdf
SOURCE: https://pubs.opengroup.org/onlinepubs/9698999699/toc.pdf
SOURCE: https://pubs.opengroup.org/onlinepubs/9698999699/toc.pdf
SORCE: https://www.risklens.com/hubfs/uploads/2019/02/FAIR-Model-on-One-Page-May-2017-1.pdf
 7.0 Context Establishment  7.1 General Considerations  7.2 Basic Criteria  7.3 Scope and Boundaries  7.4 Organization of Information Security Risk Management  8.0 Information Security Risk Assessment  8.1 General Description of Information Security Risk Assessment  8.2 Risk Analysis  8.2.1 Risk Identification  8.2.1.1 Introduction to risk identification  8.2.1.2 Identification of assets  8.2.1.3 Identification of threats  8.2.1.4 Identification of existing controls  8.2.1.5 Identification of vulnerabilities  8.2.1.6 Identification of consequences  8.2.2 Risk estimation  8.2.2.1 Risk estimation methodologies  8.2.2.2 Assessment of consequences  8.2.2.3 Assessment of incident likelihood  8.2.2.4 Level of risk estimation  8.3 Risk Evaluation  9.0 Information Security Risk Treatment  9.1 General Description of Risk Treatment  9.2 Risk Reduction  9.3 Risk Retention  9.4 Risk Avoidance  9.5 Risk Transfer  10.0 Information Security Risk Acceptance  11.0 Information Security Risk Communication  12.0 Information Security Risk Monitoring and Review  12.1 Monitoring and Review of Risk Factors  12.2 Risk Management Monitoring, Reviewing, and Improving Risk Analysis using FAIR Stage 1:  Identify scenario components Identify the asset at risk Identify the threat community Stage 2:  Evaluate Loss Event Frequency (LEF) Estimate probable Threat Event Frequency (TEF) Estimate Threat Capability (TCap) Estimate Control Strength (CS) Derive Vulnerability (Vuln) Derive Loss Event Frequency (LEF) Stage 3:  Evaluate Probable Loss Magnitude (PLM) Estimate worst-case loss Estimate Probable Loss Magnitude (PLM) Stage 4:  Derive and articulate risk SOURCE: https://pubs.opengroup.org/onlinepubs/9698999699/toc.pdf
While ISO/IEC 27001 outlines the process for managing risk at a very high level, by defining the ISMS, ISO/IEC 27005 specifies in more detail the management of risk, although without providing specifics or identifying a methodology for determining risk level. You can see how FAIR fills the gap in ISO/IEC 27005 by providing the detailed methodology for risk assessment and risk evaluation, and is a strong compliment to the ISO/IEC 27005 process in support of the ISMS. ISO/IEC 27005 does provide guidelines for development of risk assessment context, risk communication, and treatment, but it does not provide a methodology for determining the nature and impact of the actual risk (risk assessment methodology). FAIR does provide such a methodology for determining the nature and impact of the actual risk. The combination of ISO/IEC 27005 and FAIR can therefore serve as the framework and methodology for the risk evaluation and analysis processes domain. SOURCE: https://pubs.opengroup.org/onlinepubs/9698999699/toc.pdf
ISO/IEC 27005 – FAIR Integration Model SOURCE: https://pubs.opengroup.org/onlinepubs/9698999699/toc.pdf
Term FAIR Definition ISO Definition Specific ISO Reference Differences Asset Any data, device, or other component of the environment that supports information related activities, which can be illicitly accessed, used, disclosed, altered, destroyed, and/or stolen, resulting in loss. Anything that has value to the organization. ISO/IEC 27001 ISO/IEC 27002 ISO provides a simpler, but somewhat vague definition of asset. The FAIR definition looks at assets from the perspective of information security and the principles of confidentiality, integrity, and availability. Risk The probable frequency and probable magnitude of future loss. Combination of the probability of an event and its consequence. ISO/IEC 27002 These two definitions are nearly identical. The concepts of magnitude and consequence are synonymous. The ISO use of probability can be interpreted as likelihood, while FAIR deliberately uses frequency. Threat Anything that is capable of acting in a manner resulting in harm to an asset and/or organization; for example, acts of God (weather, geological events, etc.), malicious actors, errors, failures. A potential cause of an unwanted incident, which may result in harm to a system or organization. ISO/IEC 27002 These two definitions are nearly identical. Vulner ability The probability that an asset will be unable to resist actions of a threat agent. A weakness of an asset or group of assets that can be exploited by one or ISO/IEC 27002 ISO focuses on the existence of a weakness whereas FAIR focuses on the asset's ability to resist the actions of a threat agent.
Introduction to the Landscape of Risk In general, any risk management/analysis/estimation exercise is an attempt to reconcile the relationships between four dependent sources of information – threat, loss (impact), controls, and assets – into a descriptive point of reference called ―risk‖. Each risk management standard or methodology treats these information ―landscapes‖ in a somewhat subtly different manner from others. For the purposes of helping analysts augment ISO/IEC 27005 processes with a FAIR based risk estimation, we will begin by comparing the approaches of each standard for each landscape, and discussing in general terms what sort of prior information may contribute to providing context for the factors needed in a FAIR estimation. SOURCE: https://pubs.opengroup.org/onlinepubs/9698999699/toc.pdf
SOURCE: https://pubs.opengroup.org/onlinepubs/9698999699/toc.pdf
Asset Landscape The asset landscape represents information concerning that which is to be protected. To perform a FAIR analysis, the analyst needs to understand the nature of the asset in question and how it relates to each of the other landscapes. As the asset intersects with the loss or impact landscape, the analyst should understand information including:  the business process(es) the asset contributes to, the cost to replace the asset,  the architecture of the asset (hardware, software, nature of services accessible, etc.), and  the resources necessary to respond to an incident (geographic location in relation to the Incident Response Team, for example). In considering the threat landscape, the analyst may find it useful to pre-suppose the applicable threat community. In doing so, information about the asset’s value to the threat can be considered, as well as the relative frequency and nature of threat contact with the asset in question. SOURCE: https://pubs.opengroup.org/onlinepubs/9698999699/toc.pdf
Asset Landscape Finally, the analyst should seek to understand aspects of the asset that will contribute to the ability to resist the actions of a threat agent (for example, the architecture of some assets may be more or less prone to vulnerability than others). It may seem to be a semantic distinction, but information regarding the nature of the asset and the organization’s ability to manage and maintain the asset contribute to our understanding of the controls landscape. Other information is useful in generating a generalized ―context as per ISO/IEC 27005:  The organization's strategic business objectives, strategies, and policies  Business processes  The organization’s functions and structure  Legal, regulatory, and contractual requirements applicable to the organization  The organization's information security policy  The organization’s overall approach to risk management  Information assets  Locations of the organization and their geographical characteristics  Constraints affecting the organization  Expectation of stakeholders Socio-cultural environment SOURCE: https://pubs.opengroup.org/onlinepubs/9698999699/toc.pdf
The Information Security Management System (ISMS) is fundamentally a process, composed of tasks that transform input information into desired outputs. Thus, a task cannot be performed before all of its required inputs are available. FAIR decomposes the calculation of risk into its components, which constrains the precedence for task sequence. A third influence on task sequence is the series of one- to-many relationships among the data elements found in FAIR. SOURCE: https://pubs.opengroup.org/onlinepubs/9698999699/toc.pdf
ISMS Component Relationships SOURCE: https://pubs.opengroup.org/onlinepubs/9698999699/toc.pdf ASSET IMPACT CONTROL VULNERABILIT Y THREAT AGENT THREAT If exploited, may cause 1 or more May result in May deliver upon Must have 1 and only 1 May exploit 1 or more May be reduced by 1 or more If implemented may reduce May be associated with zero or more Has adverse effect upon 1 and only 1 May be affected by zero or more May be realised through 1 or more
This section presents the process for risk management, focusing on the inputs, actions, and outputs. The sequence of steps. Key input data (identified with underscores). This section provides the detailed explanation for the actions. Most text is drawn from ISO, with FAIR concepts presented in italics. SOURCE: https://pubs.opengroup.org/onlinepubs/9698999699/toc.pdf
ISO Inputs, Required Actions, and Outputs and how they can be used in FAIR SOURCE: https://pubs.opengroup.org/onlinepubs/9698999699/toc.pdf INPUTS ACTIONS - ISO OUTPUTS 1. Context Establishment i. General Considerations All information about the organization relevant to establish the information security risk management context. Establish the context for information security risk management:  Setting the basic criteria necessary for information security risk management  Defining the scope and boundaries  Establishing an appropriate organization operating the information security risk management A. Specification of basic risk evaluation criteria B. Scope and boundaries for risk analysis
ISO Inputs, Required Actions, and Outputs and how they can be used in FAIR INPUTS ACTIONS - ISO OUTPUTS STAGE 1: Identify Scenario Components Identify the asset at risk: I. Scope and boundaries for risk analysis i. List of constituents with owners, location, function, etc. 1. List of assets to be risk managed A. List of assets to be risk managed Identify the threat community: ii. Information on threats, from reviewing incidents, asset owners, users, external threat catalogues, other sources 2. For each asset, identify the threat agent (e.g., insiders such as employees, contract workers; outsiders such as spies, thieves, competitors) 3. For each threat agent, define the action and identify the contact 4. Record the title and description of the threat B. List of threats, with identification of threat type and threat source C. Threat title and description
ISO Inputs, Required Actions, and Outputs and how they can be used in FAIR INPUTS ACTIONS - ISO OUTPUTS STAGE 2: Estimate Loss Event Frequency (LEF) Estimate probable Threat Event Frequency (TEF): I. List of assets to be risk managed II. List of threats, with identification of evidences of frequency 5. Estimate the Threat Event Frequency (TEF) 6. For each threat, identify vulnerabilities that could be exploited by the threat agent A. Threat Event Frequency (TEF) B. List of vulnerabilities in relation to assets, threats, and controls Estimate Threat Capability (TCap): III. List of vulnerabilities in relation to assets, threats, and controls 7. Estimate the threat's capabilities relative to each vulnerability C. Threat capability Estimate Control Strength (CS): i. Documentation of controls ii. Documentation risk treatment implementation plans. IV. Threat capability 8. For each vulnerability, identify existing controls that reduce the vulnerability 9. Evaluate the control strength for each control D. Control Strength (CS) – List of all existing and planned controls, their effectiveness, implementation, and usage status
ISO Inputs, Required Actions, and Outputs and how they can be used in FAIR INPUTS ACTIONS - ISO OUTPUTS STAGE 2: Estimate Loss Event Frequency (LEF) Derive Vulnerability (Vuln): VII. Control Strength (CS) – List of all existing and planned controls, their effectiveness, implementation, and usage status 11 Calculate Vulnerability (Vuln) A. D2 Vulnerability (Vuln) Derive Loss Event Frequency (LEF): VIII. Threat Event Frequency (TEF) IX. List of all existing and planned controls, their effectiveness, implementation, and usage status X. Vulnerability (Vuln) 12 Calculate Loss Event Frequency (LEF) A. H2 Loss Event Frequency (LEF)
ISO Inputs, Required Actions, and Outputs and how they can be used in FAIR INPUTS ACTIONS - ISO OUTPUTS STAGE 3: Evaluate Probable Loss Magnitude (PLM) Estimate worst-case loss: Estimate Probable Loss Magnitude (PLM) for each threat XI. Threat title and description 13. Estimate potential impacts for each threat A. Probable Loss Magnitude (PLM) for each threat STAGE 4: Derive and Articulate Risk XII. Specification of basic risk evaluation criteria XIII.Vulnerability (Vuln) XIV.Loss Event Frequency (LEF) XV. Probable Loss Magnitude (PLM) 14. Calculate risk 15. Produce risk reports A. I1 Risk B. List of risks prioritized according to risk evaluation criteria in relation to the incident scenarios that lead to those risks C. Prioritized control improvements
ISO Inputs, Required Actions, and Outputs and how they can be used in FAIR INPUTS ACTIONS - ISO OUTPUTS I. Information security risk treatment II. General description of risk treatment i. List of risks prioritized according to risk evaluation criteria in relation to the incident scenarios that lead to those risks  Select controls to reduce, retain, avoid, or transfer the risks  Prepare a risk treatment plan A. Risk treatment plan B. Residual risks subject to the acceptance decision of the organization’s managers III. Risk Reduction  Reduce risk by selecting controls so that the residual risk can be reassessed as being acceptable IV. Risk Retention  Decide to retain the risk without further action, based on risk evaluation V. Risk Avoidance  Avoid the activity or condition that gives rise to the particular risk VI. Risk Transfer  Transfer the risk to another party that can most effectively manage the particular risk, based on risk evaluation
ISO Inputs, Required Actions, and Outputs and how they can be used in FAIR INPUTS ACTIONS - ISO OUTPUTS VII. Information Security Risk Acceptance i. Risk treatment plan ii. Residual risk assessment subject to the acceptance decision of the organization’s managers  The decision to accept the risks and responsibilities for the decision should be made and formally recorded.  List of accepted risks with justification for those that do not meet the organization’s normal risk acceptance criteria IX. Information Security Risk Communication i. All risk information obtained from the risk management activities  Information about risk should be exchanged and/or shared between the decision-maker and other stakeholders.  Continual understanding of the organization’s information security risk management process and results
ISO Inputs, Required Actions, and Outputs and how they can be used in FAIR INPUTS ACTIONS - ISO OUTPUTS X. Information Security Risk Monitoring and Review i. Monitoring and Review of Risk Factors All risk information obtained from the risk management activities  Monitor and review risks and their factors (i.e., value of assets, impacts, threats, vulnerabilities, likelihood of occurrence) to identify any changes in the context of the organization at an early stage, and to maintain an overview of the complete risk picture  Continual alignment of the management of risks with the organization’s business objectives, and with risk acceptance criteria XI. Risk Management Monitoring, Reviewing, and Improving All risk information obtained from the risk management activities  Continual relevance of the information security risk management process to the organization’s business objectives or updating the process
1. General Considerations a) Establish the context for information security risk management: i. Setting the basic criteria necessary for information security risk management (ISO/IEC 27005 §7.2) ii. Defining the scope and boundaries (ISO/IEC 27005 §7.3) iii. Establishing an appropriate organization operating the information security risk management (ISO/IEC 27005 §7.4) b) The organization must have the resources to appropriately engage in a risk management process. These resources must include the following: i. Perform risk assessments ii. Develop risk treatment plans iii. Define and implement policies and procedures to implement selected controls iv. Monitor implemented controls v. Monitor the overall risk management process Without such resources, establishing a risk management process will set expectations of the organization that cannot be met. This task should be performed from an organizational perspective for the overall development of the ISMS, but also considered for each risk assessment to ensure success of the risk assessment results.
2. Risk Acceptance Criteria Developing a set of risk acceptance criteria based on the goals and objectives of the organization is important to have as an integral part of the ISMS. This assists in the development of risk treatment plans. Developing a list of risk acceptance criteria sets the groundwork for determining what risks the organization is capable of accepting, in general terms. This is probably done once when developing the ISMS, but may need to be adjusted for each risk assessment performed at the time of risk treatment plan development. Risk acceptance criteria should be developed and specified. Risk acceptance criteria often depend on the organization's policies, goals, objectives, and the interests of stakeholders.
2. Risk Acceptance Criteria An organization should define its own scales for levels of risk acceptance. The following should be considered during development: a) Risk acceptance criteria may include multiple thresholds, with a desired target level of risk, but provision for senior managers to accept risks above this level under defined circumstances. b) Different risk acceptance criteria may apply to different classes of risk; e.g., risks that could result in non-compliance with regulations or laws may not be accepted, while acceptance of high risks may be allowed if this is specified as a contractual requirement. c) Risk acceptance criteria may include requirements for future additional treatment; e.g., a risk may be accepted if there is approval and commitment to take action to reduce it to an acceptable level within a defined time period. d) Risk acceptance criteria may differ according to how long the risk is expected to exist; e.g., the risk may be associated with a temporary or short-term activity.
2. Risk Acceptance Criteria In developing the risk acceptance criteria, the following should be considered: a) Business criteria b) Legal and regulatory aspects c) Operational considerations d) Technological aspects e) Financial considerations f) Social and humanitarian factors Place the organization’s generalized risk acceptance criteria from the ISMS. Consider whether there are specific risk acceptance criteria for the risk assessment under consideration.
3. Calculate Risk Stage 1 a) Identify each asset (e.g., information, application, etc.) and scope the asset (e.g., enterprise, business unit, etc.). Describe the Asset(s) and Critical Attributes under Consideration a) Identification and description of the assets under consideration during a risk assessment is critical. b) Identify the asset(s) under consideration during this risk assessment.
3. Calculate Risk Stage 1 Describe the Threat(s) to the Asset(s) under Consideration a) For each asset, identify the threat agent(s) (e.g., insiders such as employees, contract workers; outsiders such as spies, thieves, competitors). b) For each threat agent describe the frequency with which threat agents may come into contact with the asset(s) under consideration. c) For each threat agent, estimate the probability that they will act against the asset(s). d) Define the potential action and describe the threat(s).
3. Calculate Risk Stage 2 a) Estimate the Loss Event Frequency (LEF). b) The Loss Event Frequency (LEF) considers the following factors: i. Threat Event Frequency (TEF), ii. Threat Capability (TCap), iii. Control Strength (CS), and iv. Vulnerability (Vuln). Estimate the Probable Threat Event Frequency (TEF) a) Estimate the probable Threat Event Frequency (TEF).
3. Calculate Risk Stage 2 Estimate the Probable Threat Event Frequency (TEF) a) The following table shows the ratings for the values of the Threat Event Frequency (TEF).
3. Calculate Risk Stage 2 Estimate the Threat Capability (TCap) a) Estimate the Threat Capability (TCap), which is the capability that the threat community has to act against the asset using a specific threat. b) The following table shows the ratings for the values of Threat Capability (TCap).
3. Calculate Risk Stage 2 Estimate the Control Strength (CS) a) Estimate the Control Strength (CS), which represents the probability that the organization’s controls will be able to withstand a baseline measure of force. b) The following table shows the ratings for the values of Control Strength (CS).
3. Calculate Risk Stage 2 Derive the Vulnerability (Vuln) a) Derive the Vulnerability (Vuln) using the vulnerability matrix below. b) Locate the intersection of Threat Capability (TCap) and Control Strength (CS). Control Strength (CS) Vulnerability (Vuln)
3. Calculate Risk Stage 2 Derive Loss Event Frequency (LEF) a) Derive the Loss Event Frequency (LEF) using the Loss Event Frequency (LEF) matrix below. b) Locate the intersection of Threat Event Frequency (TEF) and Vulnerability (Vuln) to derive Loss Event Frequency (LEF) Vulnerability(Vuln) Loss Event Frequency (LEF)
3. Calculate Risk Stage 3 a) Evaluate the Probable Loss Magnitude (PLM). b) Determine the probable impact of the loss. This is identified as the Probable Loss Magnitude (PLM). This includes estimating the worst-case scenario as well as the most probable scenario(s) of loss. Estimate the Worst-Case Loss and Probable Loss Magnitude (PLM) a) Use the following values to determine the magnitudes for the worst-case scenarios and Probably Loss Magnitude (PLM) for each appropriate threat action and loss form. The range values should be adjusted appropriately to meet the needs of the organization.
3. Calculate Risk Stage 4 a) Derive and articulate risk. Derive the Risk Magnitude a) Once we have estimates of Loss Event Frequency (LEF) and Probable Loss Magnitude (PLM), we are able to derive the risk value from the risk matrix below. b) The following matrix is used to derive risk using Probable Loss Magnitude (PLM) and Loss Event Frequency (LEF). c) Identify the intersection of the Probable Loss Magnitude (PLM) and Loss Event Frequency (LEF). Risk Loss Event Frequency (LEF) Key Risk Values
3. Calculate Risk Stage 4 Articulate the Real Risk a) The real challenge has to do with articulating this risk value to the decision-makers. b) This can be performed using the information gathered through this entire process using the ISO/IEC 27005 communication framework. c) A major consideration of communicating risk levels is the association of qualitative labelling with a tendency to equate ―high-risk‖ with ―unacceptable‖, and ―low-risk with ―acceptable. d) In fact, in some circumstances high-risk is entirely acceptable (e.g., in cases where the potential for reward outweighs the risk). e) In other situations, a relatively low-risk condition may be unacceptable, particularly if the exposure is systemic within an organization. Including more specific information regarding Loss Event Frequency (LEF) and Probable Loss Magnitude (PLM) can help to reduce the bias associated with qualitative risk labels. f) In summary, risk articulation must meet the needs of the decision-makers. When using qualitative labels for range values, it is imperative to ensure that management agrees with the criteria for each range/level.
4. Develop an Information Security Risk Communication Plan The four options available for risk treatment are: a) Risk Reduction – Actions taken to lessen the probability, negative consequences, or both, associated with a risk. b) Risk Avoidance – Decision not to become involved in, or action to withdraw from, a risk situation. c) Risk Transfer – Sharing with another party the burden of loss or benefit of gain, for a risk. d) Risk Retention – Acceptance of the burden of loss or benefit of gain from a particular risk. The four options for risk treatment are not mutually-exclusive. Sometimes the organization can benefit substantially by a combination of options. Some risk treatments can effectively address more than one risk. A risk treatment plan should be defined which clearly identifies the priority ordering in which individual risk treatments should be implemented and their timeframes.
5. Determine the Appropriate Information Risk Treatment Plan a) The steps involved in risk communication is a bi-directional process designed to achieve agreement on how to manage risks by exchanging and/or sharing information about risk between the decision-makers and other stakeholders. b) Effective communication among stakeholders is important since this may have a significant impact on decisions that must be made. c) Communication will ensure that those responsible for implementing risk management, and those with a vested interest, understand the basis on which decisions are made and why particular actions are required. d) Perceptions of risk can vary due to differences in assumptions, concepts, and the needs, issues, and concerns of stakeholders as they relate to risk or the issues under discussion. e) Stakeholders are likely to make judgments on the acceptability of risk based on their perception of risk. f) This is especially important to ensure that the stakeholders’ perceptions of risk, as well as their perceptions of benefits, can be identified and documented and the underlying reasons clearly understood and addressed.
6. Describe the Information Security Risk Monitoring and Review Plan Risks are not static. Threats, vulnerabilities, likelihood, or consequences may change abruptly without any indication. Therefore, constant monitoring is necessary to detect these changes. Organizations should ensure that the following are continually monitored: a) New assets that have been included in the risk management scope b) Necessary modification of asset values; e.g., due to changed business requirements c) New threats that could be active both inside and outside the organization and that have not been assessed d) Possibility that new or increased vulnerabilities could allow threats to exploit these new or changed vulnerabilities e) Identified vulnerabilities to determine those becoming exposed to new or re-emerging threats f) Increased impact or consequences of assessed threats, vulnerabilities, and risks in aggregation resulting in an unacceptable level of risk g) Information security incidents New threats, vulnerabilities, or changes in probability or consequences can increase risks previously assessed as low. Review of low and accepted risks should consider each risk separately, and all such risks as an aggregate as well, to assess their potential accumulated impact if risks do not fall into the low or acceptable risk category.
ISO 27005 - Digital Trust Framework

Recommandé

ISO 27005:2022 Overview 221028.pdf
ISO 27005:2022 Overview 221028.pdfISO 27005:2022 Overview 221028.pdf
ISO 27005:2022 Overview 221028.pdfAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
ISO 27005 Risk Assessment
ISO 27005 Risk AssessmentISO 27005 Risk Assessment
ISO 27005 Risk AssessmentSmart Assessment
 
Project plan for ISO 27001
Project plan for ISO 27001Project plan for ISO 27001
Project plan for ISO 27001technakama
 
ISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process OverviewISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process OverviewShankar Subramaniyan
 
Basic introduction to iso27001
Basic introduction to iso27001Basic introduction to iso27001
Basic introduction to iso27001Imran Ahmed
 
Risk Assessment
Risk AssessmentRisk Assessment
Risk Assessment.AIR UNIVERSITY ISLAMABAD
 
ISO 27001
ISO 27001ISO 27001
ISO 27001n|u - The Open Security Community
 
Control Standards for Information Security
Control Standards for Information SecurityControl Standards for Information Security
Control Standards for Information SecurityJohnHPazEMCPMPITIL5G
 

Recommandé

ISO 27005:2022 Overview 221028.pdf
ISO 27005:2022 Overview 221028.pdfISO 27005:2022 Overview 221028.pdf
ISO 27005:2022 Overview 221028.pdfAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
ISO 27005 Risk Assessment
ISO 27005 Risk AssessmentISO 27005 Risk Assessment
ISO 27005 Risk AssessmentSmart Assessment
 
Project plan for ISO 27001
Project plan for ISO 27001Project plan for ISO 27001
Project plan for ISO 27001technakama
 
ISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process OverviewISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process OverviewShankar Subramaniyan
 
Basic introduction to iso27001
Basic introduction to iso27001Basic introduction to iso27001
Basic introduction to iso27001Imran Ahmed
 
Risk Assessment
Risk AssessmentRisk Assessment
Risk Assessment.AIR UNIVERSITY ISLAMABAD
 
ISO 27001
ISO 27001ISO 27001
ISO 27001n|u - The Open Security Community
 
Control Standards for Information Security
Control Standards for Information SecurityControl Standards for Information Security
Control Standards for Information SecurityJohnHPazEMCPMPITIL5G
 
ISO/IEC 27001:2022 Transition Arragements
ISO/IEC 27001:2022 Transition ArragementsISO/IEC 27001:2022 Transition Arragements
ISO/IEC 27001:2022 Transition ArragementsISONIKELtd
 
ISO 27001:2022 Introduction
ISO 27001:2022 IntroductionISO 27001:2022 Introduction
ISO 27001:2022 IntroductionAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Cybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architectureCybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architecturePriyanka Aash
 
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness Training
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness TrainingISO/IEC 27001:2022 (Information Security Management Systems) Awareness Training
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness TrainingOperational Excellence Consulting
 
Iso 27001 2013
Iso 27001 2013Iso 27001 2013
Iso 27001 2013Magda CHELLY, Ph.D, S-CISO, CISSP®
 
PECB Webinar: Risk Treatment according to ISO 27005
PECB Webinar: Risk Treatment according to ISO 27005PECB Webinar: Risk Treatment according to ISO 27005
PECB Webinar: Risk Treatment according to ISO 27005PECB
 
Iso 27001 awareness
Iso 27001 awarenessIso 27001 awareness
Iso 27001 awarenessÃsħâr Ãâlâm
 
All you wanted to know about iso 27000
All you wanted to know about iso 27000All you wanted to know about iso 27000
All you wanted to know about iso 27000Ramana K V
 
NQA ISO 27001 Implementation Guide
NQA ISO 27001 Implementation GuideNQA ISO 27001 Implementation Guide
NQA ISO 27001 Implementation GuideNQA
 
Cyber Security Maturity Assessment
Cyber Security Maturity Assessment Cyber Security Maturity Assessment
Cyber Security Maturity AssessmentDoreen Loeber
 
Overview of ISO 27001 ISMS
Overview of ISO 27001 ISMSOverview of ISO 27001 ISMS
Overview of ISO 27001 ISMSAkhil Garg
 
Cloud Security Strategy by McAfee
Cloud Security Strategy by McAfeeCloud Security Strategy by McAfee
Cloud Security Strategy by McAfeeCristian Garcia G.
 
IT governance and Information System Security
IT governance and Information System SecurityIT governance and Information System Security
IT governance and Information System SecurityCSSRL PUNE
 
ISO/IEC 27001 as a Starting Point for GRC
ISO/IEC 27001 as a Starting Point for GRCISO/IEC 27001 as a Starting Point for GRC
ISO/IEC 27001 as a Starting Point for GRCPECB
 
What is ISO 27001 ISMS
What is ISO 27001 ISMSWhat is ISO 27001 ISMS
What is ISO 27001 ISMSBusiness Beam
 
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...PECB
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 
ISO 27001 - information security user awareness training presentation -part 2
ISO 27001 - information security user awareness training presentation -part 2ISO 27001 - information security user awareness training presentation -part 2
ISO 27001 - information security user awareness training presentation -part 2Tanmay Shinde
 
ISO 27001 Certification - The Benefits and Challenges
ISO 27001 Certification - The Benefits and ChallengesISO 27001 Certification - The Benefits and Challenges
ISO 27001 Certification - The Benefits and ChallengesCertification Europe
 
Security & Compliance
Security & ComplianceSecurity & Compliance
Security & ComplianceAmazon Web Services
 
20220911-ISO27000-SecurityStandards.pptx
20220911-ISO27000-SecurityStandards.pptx20220911-ISO27000-SecurityStandards.pptx
20220911-ISO27000-SecurityStandards.pptxSuman Garai
 
ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview Ahmed Riad .
 

Contenu connexe

Tendances

ISO/IEC 27001:2022 Transition Arragements
ISO/IEC 27001:2022 Transition ArragementsISO/IEC 27001:2022 Transition Arragements
ISO/IEC 27001:2022 Transition ArragementsISONIKELtd
 
Cybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architectureCybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architecturePriyanka Aash
 
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness Training
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness TrainingISO/IEC 27001:2022 (Information Security Management Systems) Awareness Training
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness TrainingOperational Excellence Consulting
 
PECB Webinar: Risk Treatment according to ISO 27005
PECB Webinar: Risk Treatment according to ISO 27005PECB Webinar: Risk Treatment according to ISO 27005
PECB Webinar: Risk Treatment according to ISO 27005PECB
 
All you wanted to know about iso 27000
All you wanted to know about iso 27000All you wanted to know about iso 27000
All you wanted to know about iso 27000Ramana K V
 
NQA ISO 27001 Implementation Guide
NQA ISO 27001 Implementation GuideNQA ISO 27001 Implementation Guide
NQA ISO 27001 Implementation GuideNQA
 
Cyber Security Maturity Assessment
Cyber Security Maturity Assessment Cyber Security Maturity Assessment
Cyber Security Maturity AssessmentDoreen Loeber
 
Overview of ISO 27001 ISMS
Overview of ISO 27001 ISMSOverview of ISO 27001 ISMS
Overview of ISO 27001 ISMSAkhil Garg
 
Cloud Security Strategy by McAfee
Cloud Security Strategy by McAfeeCloud Security Strategy by McAfee
Cloud Security Strategy by McAfeeCristian Garcia G.
 
IT governance and Information System Security
IT governance and Information System SecurityIT governance and Information System Security
IT governance and Information System SecurityCSSRL PUNE
 
ISO/IEC 27001 as a Starting Point for GRC
ISO/IEC 27001 as a Starting Point for GRCISO/IEC 27001 as a Starting Point for GRC
ISO/IEC 27001 as a Starting Point for GRCPECB
 
What is ISO 27001 ISMS
What is ISO 27001 ISMSWhat is ISO 27001 ISMS
What is ISO 27001 ISMSBusiness Beam
 
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...PECB
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 
ISO 27001 - information security user awareness training presentation -part 2
ISO 27001 - information security user awareness training presentation -part 2ISO 27001 - information security user awareness training presentation -part 2
ISO 27001 - information security user awareness training presentation -part 2Tanmay Shinde
 
ISO 27001 Certification - The Benefits and Challenges
ISO 27001 Certification - The Benefits and ChallengesISO 27001 Certification - The Benefits and Challenges
ISO 27001 Certification - The Benefits and ChallengesCertification Europe
 

Tendances (20)

ISO/IEC 27001:2022 Transition Arragements
ISO/IEC 27001:2022 Transition ArragementsISO/IEC 27001:2022 Transition Arragements
ISO/IEC 27001:2022 Transition Arragements
 
ISO 27001:2022 Introduction
ISO 27001:2022 IntroductionISO 27001:2022 Introduction
ISO 27001:2022 Introduction
 
Cybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architectureCybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architecture
 
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness Training
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness TrainingISO/IEC 27001:2022 (Information Security Management Systems) Awareness Training
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness Training
 
Iso 27001 2013
Iso 27001 2013Iso 27001 2013
Iso 27001 2013
 
PECB Webinar: Risk Treatment according to ISO 27005
PECB Webinar: Risk Treatment according to ISO 27005PECB Webinar: Risk Treatment according to ISO 27005
PECB Webinar: Risk Treatment according to ISO 27005
 
Iso 27001 awareness
Iso 27001 awarenessIso 27001 awareness
Iso 27001 awareness
 
All you wanted to know about iso 27000
All you wanted to know about iso 27000All you wanted to know about iso 27000
All you wanted to know about iso 27000
 
NQA ISO 27001 Implementation Guide
NQA ISO 27001 Implementation GuideNQA ISO 27001 Implementation Guide
NQA ISO 27001 Implementation Guide
 
Cyber Security Maturity Assessment
Cyber Security Maturity Assessment Cyber Security Maturity Assessment
Cyber Security Maturity Assessment
 
Overview of ISO 27001 ISMS
Overview of ISO 27001 ISMSOverview of ISO 27001 ISMS
Overview of ISO 27001 ISMS
 
Cloud Security Strategy by McAfee
Cloud Security Strategy by McAfeeCloud Security Strategy by McAfee
Cloud Security Strategy by McAfee
 
IT governance and Information System Security
IT governance and Information System SecurityIT governance and Information System Security
IT governance and Information System Security
 
ISO/IEC 27001 as a Starting Point for GRC
ISO/IEC 27001 as a Starting Point for GRCISO/IEC 27001 as a Starting Point for GRC
ISO/IEC 27001 as a Starting Point for GRC
 
What is ISO 27001 ISMS
What is ISO 27001 ISMSWhat is ISO 27001 ISMS
What is ISO 27001 ISMS
 
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
ISO 27001 - information security user awareness training presentation -part 2
ISO 27001 - information security user awareness training presentation -part 2ISO 27001 - information security user awareness training presentation -part 2
ISO 27001 - information security user awareness training presentation -part 2
 
ISO 27001 Certification - The Benefits and Challenges
ISO 27001 Certification - The Benefits and ChallengesISO 27001 Certification - The Benefits and Challenges
ISO 27001 Certification - The Benefits and Challenges
 
Security & Compliance
Security & ComplianceSecurity & Compliance
Security & Compliance
 

Similaire à ISO 27005 - Digital Trust Framework

20220911-ISO27000-SecurityStandards.pptx
20220911-ISO27000-SecurityStandards.pptx20220911-ISO27000-SecurityStandards.pptx
20220911-ISO27000-SecurityStandards.pptxSuman Garai
 
ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview Ahmed Riad .
 
Information Security Management System with ISO/IEC 27000:2018
Information Security Management System with ISO/IEC 27000:2018Information Security Management System with ISO/IEC 27000:2018
Information Security Management System with ISO/IEC 27000:2018Goutama Bachtiar
 
Planning for-and implementing ISO 27001
Planning for-and implementing ISO 27001Planning for-and implementing ISO 27001
Planning for-and implementing ISO 27001Yerlin Sturdivant
 
ISO27k ISMS implementation and certification process overview v2.pptx
ISO27k ISMS implementation and certification process overview v2.pptxISO27k ISMS implementation and certification process overview v2.pptx
ISO27k ISMS implementation and certification process overview v2.pptxNapoleon NV
 
Whitepaper iso 27001_isms | All about ISO 27001
Whitepaper iso 27001_isms | All about ISO 27001Whitepaper iso 27001_isms | All about ISO 27001
Whitepaper iso 27001_isms | All about ISO 27001Chandan Singh Ghodela
 
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001PECB
 
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docxINTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docxMargenePurnell14
 
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docxINTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docxbagotjesusa
 
Kmicro Cybersecurity Offerings 2020
Kmicro Cybersecurity Offerings 2020Kmicro Cybersecurity Offerings 2020
Kmicro Cybersecurity Offerings 2020Manuel Guillen
 
Key Features of ISO 27001
Key Features of ISO 27001Key Features of ISO 27001
Key Features of ISO 27001zahirazahid
 
Information Security between Best Practices and ISO Standards
Information Security between Best Practices and ISO StandardsInformation Security between Best Practices and ISO Standards
Information Security between Best Practices and ISO StandardsPECB
 
Risk Assessment Famework
Risk Assessment FameworkRisk Assessment Famework
Risk Assessment Fameworklneut03
 
ISMS Requirements
ISMS RequirementsISMS Requirements
ISMS Requirementshumanus2
 
Improving Cyber Readiness with the NIST Cybersecurity Framework
Improving Cyber Readiness with the NIST Cybersecurity FrameworkImproving Cyber Readiness with the NIST Cybersecurity Framework
Improving Cyber Readiness with the NIST Cybersecurity FrameworkWilliam McBorrough
 
The security risk management guide
The security risk management guideThe security risk management guide
The security risk management guideSergey Erohin
 
The security risk management guide
The security risk management guideThe security risk management guide
The security risk management guideSergey Erohin
 
Taking Control of Information Security
Taking Control of Information SecurityTaking Control of Information Security
Taking Control of Information SecurityPECB
 
541728869-Introduction-to-ISO-27001.pdf
541728869-Introduction-to-ISO-27001.pdf541728869-Introduction-to-ISO-27001.pdf
541728869-Introduction-to-ISO-27001.pdfSharudinBoriak1
 

Similaire à ISO 27005 - Digital Trust Framework (20)

20220911-ISO27000-SecurityStandards.pptx
20220911-ISO27000-SecurityStandards.pptx20220911-ISO27000-SecurityStandards.pptx
20220911-ISO27000-SecurityStandards.pptx
 
ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview
 
Information Security Management System with ISO/IEC 27000:2018
Information Security Management System with ISO/IEC 27000:2018Information Security Management System with ISO/IEC 27000:2018
Information Security Management System with ISO/IEC 27000:2018
 
Planning for-and implementing ISO 27001
Planning for-and implementing ISO 27001Planning for-and implementing ISO 27001
Planning for-and implementing ISO 27001
 
ISO27k ISMS implementation and certification process overview v2.pptx
ISO27k ISMS implementation and certification process overview v2.pptxISO27k ISMS implementation and certification process overview v2.pptx
ISO27k ISMS implementation and certification process overview v2.pptx
 
Whitepaper iso 27001_isms | All about ISO 27001
Whitepaper iso 27001_isms | All about ISO 27001Whitepaper iso 27001_isms | All about ISO 27001
Whitepaper iso 27001_isms | All about ISO 27001
 
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
 
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docxINTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx
 
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docxINTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx
 
Kmicro Cybersecurity Offerings 2020
Kmicro Cybersecurity Offerings 2020Kmicro Cybersecurity Offerings 2020
Kmicro Cybersecurity Offerings 2020
 
Key Features of ISO 27001
Key Features of ISO 27001Key Features of ISO 27001
Key Features of ISO 27001
 
Information Security between Best Practices and ISO Standards
Information Security between Best Practices and ISO StandardsInformation Security between Best Practices and ISO Standards
Information Security between Best Practices and ISO Standards
 
Risk Assessment Famework
Risk Assessment FameworkRisk Assessment Famework
Risk Assessment Famework
 
ISMS Requirements
ISMS RequirementsISMS Requirements
ISMS Requirements
 
12 Best Privacy Frameworks
12 Best Privacy Frameworks12 Best Privacy Frameworks
12 Best Privacy Frameworks
 
Improving Cyber Readiness with the NIST Cybersecurity Framework
Improving Cyber Readiness with the NIST Cybersecurity FrameworkImproving Cyber Readiness with the NIST Cybersecurity Framework
Improving Cyber Readiness with the NIST Cybersecurity Framework
 
The security risk management guide
The security risk management guideThe security risk management guide
The security risk management guide
 
The security risk management guide
The security risk management guideThe security risk management guide
The security risk management guide
 
Taking Control of Information Security
Taking Control of Information SecurityTaking Control of Information Security
Taking Control of Information Security
 
541728869-Introduction-to-ISO-27001.pdf
541728869-Introduction-to-ISO-27001.pdf541728869-Introduction-to-ISO-27001.pdf
541728869-Introduction-to-ISO-27001.pdf
 

Plus de Maganathin Veeraragaloo

Cybersecurity Capability Maturity Model (C2M2)
Cybersecurity Capability Maturity Model (C2M2)Cybersecurity Capability Maturity Model (C2M2)
Cybersecurity Capability Maturity Model (C2M2)Maganathin Veeraragaloo
 
ZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORK
ZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORKZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORK
ZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORKMaganathin Veeraragaloo
 
CYBERSECURITY MESH - DIGITAL TRUST FRAMEWORK
CYBERSECURITY MESH - DIGITAL TRUST FRAMEWORKCYBERSECURITY MESH - DIGITAL TRUST FRAMEWORK
CYBERSECURITY MESH - DIGITAL TRUST FRAMEWORKMaganathin Veeraragaloo
 
Enterprise security architecture approach
Enterprise security architecture approachEnterprise security architecture approach
Enterprise security architecture approachMaganathin Veeraragaloo
 
Domain 5 - Identity and Access Management
Domain 5 - Identity and Access Management Domain 5 - Identity and Access Management
Domain 5 - Identity and Access Management Maganathin Veeraragaloo
 

Plus de Maganathin Veeraragaloo (20)

MULTI-CLOUD ARCHITECTURE
MULTI-CLOUD ARCHITECTUREMULTI-CLOUD ARCHITECTURE
MULTI-CLOUD ARCHITECTURE
 
Cloud security (domain11 14)
Cloud security (domain11 14)Cloud security (domain11 14)
Cloud security (domain11 14)
 
Cloud security (domain6 10)
Cloud security (domain6 10)Cloud security (domain6 10)
Cloud security (domain6 10)
 
Cloud Security (Domain1- 5)
Cloud Security (Domain1- 5)Cloud Security (Domain1- 5)
Cloud Security (Domain1- 5)
 
BTABOK / ITABOK
BTABOK / ITABOKBTABOK / ITABOK
BTABOK / ITABOK
 
Observability
ObservabilityObservability
Observability
 
Foresight 4 Cybersecurity
Foresight 4 CybersecurityForesight 4 Cybersecurity
Foresight 4 Cybersecurity
 
Cybersecurity Capability Maturity Model (C2M2)
Cybersecurity Capability Maturity Model (C2M2)Cybersecurity Capability Maturity Model (C2M2)
Cybersecurity Capability Maturity Model (C2M2)
 
CLOUD NATIVE SECURITY
CLOUD NATIVE SECURITYCLOUD NATIVE SECURITY
CLOUD NATIVE SECURITY
 
ZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORK
ZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORKZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORK
ZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORK
 
ITIL4 - DIGITAL TRUST FRAMEWORK
ITIL4 - DIGITAL TRUST FRAMEWORKITIL4 - DIGITAL TRUST FRAMEWORK
ITIL4 - DIGITAL TRUST FRAMEWORK
 
CYBERSECURITY MESH - DIGITAL TRUST FRAMEWORK
CYBERSECURITY MESH - DIGITAL TRUST FRAMEWORKCYBERSECURITY MESH - DIGITAL TRUST FRAMEWORK
CYBERSECURITY MESH - DIGITAL TRUST FRAMEWORK
 
COBIT 2019 - DIGITAL TRUST FRAMEWORK
COBIT 2019 - DIGITAL TRUST FRAMEWORKCOBIT 2019 - DIGITAL TRUST FRAMEWORK
COBIT 2019 - DIGITAL TRUST FRAMEWORK
 
Open Digital Framework from TMFORUM
Open Digital Framework from TMFORUMOpen Digital Framework from TMFORUM
Open Digital Framework from TMFORUM
 
Enterprise security architecture approach
Enterprise security architecture approachEnterprise security architecture approach
Enterprise security architecture approach
 
Cloud and Data Privacy
Cloud and Data PrivacyCloud and Data Privacy
Cloud and Data Privacy
 
XaaS Overview
XaaS OverviewXaaS Overview
XaaS Overview
 
Multi cloud security architecture
Multi cloud security architecture Multi cloud security architecture
Multi cloud security architecture
 
Multi Cloud Architecture Approach
Multi Cloud Architecture ApproachMulti Cloud Architecture Approach
Multi Cloud Architecture Approach
 
Domain 5 - Identity and Access Management
Domain 5 - Identity and Access Management Domain 5 - Identity and Access Management
Domain 5 - Identity and Access Management
 

Dernier

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdfChristopherTHyatt
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 

Dernier (20)

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 

ISO 27005 - Digital Trust Framework

  • 1. DIGITAL TRUST FRAMEWORK (DTF) Maganathin Veeraragaloo 7th December 2021
  • 2. The TMForum's Open Digital Architecture (ODA)will be used as the cornerstone for this Framework https://www.tmforum.org/oda/ ODA was initially designed for the Telecommunications Industry inclusive of 5G Services. The Digital Trust Framework is developed for the 4IR Environment The Digital Trust Framework (DTF) will be a blueprint for modular, cloud-based, open digital platforms that can be orchestrated using AI ODA will be integrated with COBIT 2019, ITIL 4 and ISO 27005 RISK MANAGER – this is to ensure an overall Digital Trust approach for a continuous evolving SYSTEMS Environment
  • 3. Transformation Tools As-Is Applications Transformation Toolkits Maturity Tools Metrics Maturity Models Data Benchmark Data AI Training Data DIGITAL TRUST FRAMEWORK DIGITAL TRUST ARCHITECTURE Governance Concepts & Principles Design Guides Microservices Architecture Governance AI Governance Data Governance Security Governance Agile Lifecycle Management Business Deployment & Run Information Systems Implementation Business Capability Repository Process Framework Information Framework Integration Framework Functional Framework & Architecture Canvas Operation Frameworks Reference Implementation Technical Architecture Components Open API’s Data Model
  • 4. ITIL 4 Capability Framework DIGITAL TRUST FRAMEWORK Governance & Processes Cybersecurity Mesh Architecture
  • 6.
  • 8. The first of these is ISO 31000. Because of its general context, it provides overall guidelines to any area of risk management (i.e., finance, engineering, security, among others). Although most organizations already have a defined methodology in place to manage risks, this new standard defines a set of principles that must be followed in order to ensure the effectiveness of risk management. It suggests that companies should continually develop, implement, and improve a framework whose goal is to integrate the process for managing risks associated with governance, strategy, and planning, as well as management, the reporting of data and results, policies, values and culture throughout the entire organization. https://theriskacademy.org/is0-31000-iso-27005/
  • 9. Risk Management Best Practices for ISO 31000 Although ISO 31000 depicts the management process more thoroughly, and has differing terms and expressions, both standards address the risk management process in a similar fashion. According to ISO 31000, organizations typically determine the context and manage risk by identifying it, analysing it, and subsequently assessing whether the risk should be modified by a strategic approach so as to comply with its risk criteria. Throughout this entire process, these organizations must communicate and consult with stakeholders, while critically monitoring and analysing the risk and controls that modify it, so as to ensure that no additional risk management approach will be required. https://theriskacademy.org/is0-31000-iso-27005/
  • 10. The other is ISO 27005. Part of the ISO 27000 since 2008, this standard establishes risk management best practices specifically geared towards risk management for information security, particularly with regards to complying with the requirements of an Information Security Management System (ISMS), as mandated by ISO/IEC 27001. It establishes that risk management best practices should be defined in accordance with the characteristics of the organization, taking into account the scope of its ISMS, the risk management context, as well as its industry. According to the framework described in this standard for implementing the requirements of ISMS, several different methodologies may be used and different approaches to risk management as it relates to information security may are introduced in the appendix of the document. https://theriskacademy.org/is0-31000-iso-27005/
  • 11. Risk Management Best Practices for ISO 27005 As for ISO 27005, risk management as it relates to information security should define the context, evaluate the risks, and address them through a plan, in order to implement the recommendations and decisions. Risk management analyses the potential events and its consequences prior to deciding what to do and when to do it, so as to reduce risks to an acceptable level. Additionally, the standard includes decisions on the analysis and treatment of risks, since risk acceptance activities will ensure that residual risks be explicitly accepted by company management. This is particularly important in situations where control implementation is either omitted or postponed, for example, because of cost. https://theriskacademy.org/is0-31000-iso-27005/
  • 12. SO 27005 is the international standard that describes how to conduct an information security risk assessment in accordance with the requirements of ISO 27001. Risk assessments are one of the most important parts of an organisation’s ISO 27001 compliance project. ISO 27001 requires you to demonstrate evidence of information security risk management, risk actions taken and how relevant controls from Annex A have been applied. ISO 27005 is applicable to all organisations, regardless of size or sector. It supports the general concepts specified in ISO 27001, and is designed to assist the satisfactory implementation of information security based on a risk management approach. https://theriskacademy.org/is0-31000-iso-27005/
  • 13. Information security risk management is integral to information security management. It defines the process of analysing what could happen and what the consequences might be, and helps organisations determine what should be done and when to reduce risk to an acceptable level. Information security risk management should be a continual process that contributes to: Identifying and assessing risk; Understanding risk likelihood and the consequences for the business; Establishing a priority order for risk treatment; Stakeholder involvement in risk management decisions; The effectiveness of risk treatment monitoring; and Staff awareness of risks and the actions being taken to mitigate them. Organisations should adopt a systematic approach to information security risk to accurately determine their information security needs. https://theriskacademy.org/is0-31000-iso-27005/
  • 14. Although ISO 27005 does not specify any specific risk management methodology, it does imply a continual information risk management process based on six key components: 1. Context establishment 2. Risk assessment 3. Risk treatment 4. Risk acceptance 5. Risk acceptance 6. Risk monitoring and review https://theriskacademy.org/is0-31000-iso-27005/
  • 15. 1. Context Establishment: The risk management context sets the criteria for how risks are identified, who is responsible for risk ownership, how risks impact the confidentiality, integrity and availability of the information, and how risk impact and likelihood are calculated. 2. Risk Assessment: Many organisations choose to follow an asset-based risk assessment process comprising five key stages: i. Compiling information assets. ii. Identifying the threats and vulnerabilities applicable to each asset. iii. Assigning impact and likelihood values based on risk criteria. iv. Evaluating each risk against predetermined levels of acceptability. v. Prioritising which risks need to be addressed, and in which order. https://theriskacademy.org/is0-31000-iso-27005/
  • 16. 3. Risk Treatment: There are four ways to treat a risk: i. Avoid’ the risk by eliminating it entirely. ii. ‘Modify’ the risk by applying security controls. iii. ‘Share’ the risk with a third party (through insurance or outsourcing). iv. ‘Retain’ the risk (if the risk falls within established risk acceptance criteria). 4. Risk Acceptance: Organisations should determine their own criteria for risk acceptance that consider existing policies, goals, objectives and shareholder interests. https://theriskacademy.org/is0-31000-iso-27005/
  • 17. 5. Risk Communication and Consultation: Effective communication is pivotal to the information security risk management process. It ensures that those responsible for implementing risk management understand the basis on which decisions are made, and why certain actions are required. Sharing and exchanging information about risk also facilitates agreement between decision makers and other stakeholders on how to manage risk. Risk communication activity should be performed continually, and organisations should develop risk communication plans for normal operations as well as emergency situations. 6. Risk Monitoring and Review: Risks are not static and can change abruptly. Therefore, they should be continually monitored in order to quickly identify changes and maintain a complete overview of the risk picture. Organisations should also keep a close eye on:  Any new assets included within the risk management scope;  Asset values that require modification in response to changing business requirements;  New threats, whether external or internal, that have yet to be assessed; and  Information security incidents. https://theriskacademy.org/is0-31000-iso-27005/
  • 18. Unlike other popular risk management standards that adopt a one-size-fits-all approach, ISO 27005 is flexible in nature and allows organisations to select their own approach to risk assessment based on their specific business objectives. ISO 27005 follows a simple, repeatable structure with each of the main clauses organised into the following four sections:  Input: the information necessary to perform an action.  Action: the activity itself.  Implementation guidance: any additional detail.  Output: the information that should have been generated by the activity. This consistent approach helps to ensure that organisations have all the information required before beginning any risk management activity. ISO 27005 also supports ISO 27001 compliance, as the latter standard specifies that any controls implemented within the context of an ISMS (information security management system) should be risk based. Implementing an ISO 27005-compliant information security risk management process can satisfy this requirement. https://theriskacademy.org/is0-31000-iso-27005/
  • 20. ISO/IEC 27001 describes a general process for the ISMS, and in that context ISO/IEC 27005 defines the approach to managing risk. FAIR provides a methodology for analysing risk. This section describes how the FAIR methodology can be used to analyse risk in the context of ISO/IEC 27005 and the ISMS. ISO/IEC 27005 and ISO/IEC 27001 provides the foundation for the risk management portion of the ISMS:  Define the risk assessment approach of the organization  Identify the risks  Analyse and evaluate the risks  Identify and evaluate options for the treatment of risks  Select control objectives and controls for the treatment of risks Obtain management approval of the proposed residual risks This generally outlines the process for managing risk at a very high level. ISO/IEC 27005 specifies in more detail the management of risk without providing specifics or identifying a methodology for determining risk level. FAIR provides a methodology to achieve the steps shown above, specifically ―identify the risks‖ and ―analyse and evaluate the risks. SOURCE: https://pubs.opengroup.org/onlinepubs/9698999699/toc.pdf
  • 24.  7.0 Context Establishment  7.1 General Considerations  7.2 Basic Criteria  7.3 Scope and Boundaries  7.4 Organization of Information Security Risk Management  8.0 Information Security Risk Assessment  8.1 General Description of Information Security Risk Assessment  8.2 Risk Analysis  8.2.1 Risk Identification  8.2.1.1 Introduction to risk identification  8.2.1.2 Identification of assets  8.2.1.3 Identification of threats  8.2.1.4 Identification of existing controls  8.2.1.5 Identification of vulnerabilities  8.2.1.6 Identification of consequences  8.2.2 Risk estimation  8.2.2.1 Risk estimation methodologies  8.2.2.2 Assessment of consequences  8.2.2.3 Assessment of incident likelihood  8.2.2.4 Level of risk estimation  8.3 Risk Evaluation  9.0 Information Security Risk Treatment  9.1 General Description of Risk Treatment  9.2 Risk Reduction  9.3 Risk Retention  9.4 Risk Avoidance  9.5 Risk Transfer  10.0 Information Security Risk Acceptance  11.0 Information Security Risk Communication  12.0 Information Security Risk Monitoring and Review  12.1 Monitoring and Review of Risk Factors  12.2 Risk Management Monitoring, Reviewing, and Improving Risk Analysis using FAIR Stage 1:  Identify scenario components Identify the asset at risk Identify the threat community Stage 2:  Evaluate Loss Event Frequency (LEF) Estimate probable Threat Event Frequency (TEF) Estimate Threat Capability (TCap) Estimate Control Strength (CS) Derive Vulnerability (Vuln) Derive Loss Event Frequency (LEF) Stage 3:  Evaluate Probable Loss Magnitude (PLM) Estimate worst-case loss Estimate Probable Loss Magnitude (PLM) Stage 4:  Derive and articulate risk SOURCE: https://pubs.opengroup.org/onlinepubs/9698999699/toc.pdf
  • 25. While ISO/IEC 27001 outlines the process for managing risk at a very high level, by defining the ISMS, ISO/IEC 27005 specifies in more detail the management of risk, although without providing specifics or identifying a methodology for determining risk level. You can see how FAIR fills the gap in ISO/IEC 27005 by providing the detailed methodology for risk assessment and risk evaluation, and is a strong compliment to the ISO/IEC 27005 process in support of the ISMS. ISO/IEC 27005 does provide guidelines for development of risk assessment context, risk communication, and treatment, but it does not provide a methodology for determining the nature and impact of the actual risk (risk assessment methodology). FAIR does provide such a methodology for determining the nature and impact of the actual risk. The combination of ISO/IEC 27005 and FAIR can therefore serve as the framework and methodology for the risk evaluation and analysis processes domain. SOURCE: https://pubs.opengroup.org/onlinepubs/9698999699/toc.pdf
  • 26. ISO/IEC 27005 – FAIR Integration Model SOURCE: https://pubs.opengroup.org/onlinepubs/9698999699/toc.pdf
  • 27. Term FAIR Definition ISO Definition Specific ISO Reference Differences Asset Any data, device, or other component of the environment that supports information related activities, which can be illicitly accessed, used, disclosed, altered, destroyed, and/or stolen, resulting in loss. Anything that has value to the organization. ISO/IEC 27001 ISO/IEC 27002 ISO provides a simpler, but somewhat vague definition of asset. The FAIR definition looks at assets from the perspective of information security and the principles of confidentiality, integrity, and availability. Risk The probable frequency and probable magnitude of future loss. Combination of the probability of an event and its consequence. ISO/IEC 27002 These two definitions are nearly identical. The concepts of magnitude and consequence are synonymous. The ISO use of probability can be interpreted as likelihood, while FAIR deliberately uses frequency. Threat Anything that is capable of acting in a manner resulting in harm to an asset and/or organization; for example, acts of God (weather, geological events, etc.), malicious actors, errors, failures. A potential cause of an unwanted incident, which may result in harm to a system or organization. ISO/IEC 27002 These two definitions are nearly identical. Vulner ability The probability that an asset will be unable to resist actions of a threat agent. A weakness of an asset or group of assets that can be exploited by one or ISO/IEC 27002 ISO focuses on the existence of a weakness whereas FAIR focuses on the asset's ability to resist the actions of a threat agent.
  • 28. Introduction to the Landscape of Risk In general, any risk management/analysis/estimation exercise is an attempt to reconcile the relationships between four dependent sources of information – threat, loss (impact), controls, and assets – into a descriptive point of reference called ―risk‖. Each risk management standard or methodology treats these information ―landscapes‖ in a somewhat subtly different manner from others. For the purposes of helping analysts augment ISO/IEC 27005 processes with a FAIR based risk estimation, we will begin by comparing the approaches of each standard for each landscape, and discussing in general terms what sort of prior information may contribute to providing context for the factors needed in a FAIR estimation. SOURCE: https://pubs.opengroup.org/onlinepubs/9698999699/toc.pdf
  • 30. Asset Landscape The asset landscape represents information concerning that which is to be protected. To perform a FAIR analysis, the analyst needs to understand the nature of the asset in question and how it relates to each of the other landscapes. As the asset intersects with the loss or impact landscape, the analyst should understand information including:  the business process(es) the asset contributes to, the cost to replace the asset,  the architecture of the asset (hardware, software, nature of services accessible, etc.), and  the resources necessary to respond to an incident (geographic location in relation to the Incident Response Team, for example). In considering the threat landscape, the analyst may find it useful to pre-suppose the applicable threat community. In doing so, information about the asset’s value to the threat can be considered, as well as the relative frequency and nature of threat contact with the asset in question. SOURCE: https://pubs.opengroup.org/onlinepubs/9698999699/toc.pdf
  • 31. Asset Landscape Finally, the analyst should seek to understand aspects of the asset that will contribute to the ability to resist the actions of a threat agent (for example, the architecture of some assets may be more or less prone to vulnerability than others). It may seem to be a semantic distinction, but information regarding the nature of the asset and the organization’s ability to manage and maintain the asset contribute to our understanding of the controls landscape. Other information is useful in generating a generalized ―context as per ISO/IEC 27005:  The organization's strategic business objectives, strategies, and policies  Business processes  The organization’s functions and structure  Legal, regulatory, and contractual requirements applicable to the organization  The organization's information security policy  The organization’s overall approach to risk management  Information assets  Locations of the organization and their geographical characteristics  Constraints affecting the organization  Expectation of stakeholders Socio-cultural environment SOURCE: https://pubs.opengroup.org/onlinepubs/9698999699/toc.pdf
  • 32.
  • 33. The Information Security Management System (ISMS) is fundamentally a process, composed of tasks that transform input information into desired outputs. Thus, a task cannot be performed before all of its required inputs are available. FAIR decomposes the calculation of risk into its components, which constrains the precedence for task sequence. A third influence on task sequence is the series of one- to-many relationships among the data elements found in FAIR. SOURCE: https://pubs.opengroup.org/onlinepubs/9698999699/toc.pdf
  • 34. ISMS Component Relationships SOURCE: https://pubs.opengroup.org/onlinepubs/9698999699/toc.pdf ASSET IMPACT CONTROL VULNERABILIT Y THREAT AGENT THREAT If exploited, may cause 1 or more May result in May deliver upon Must have 1 and only 1 May exploit 1 or more May be reduced by 1 or more If implemented may reduce May be associated with zero or more Has adverse effect upon 1 and only 1 May be affected by zero or more May be realised through 1 or more
  • 35. This section presents the process for risk management, focusing on the inputs, actions, and outputs. The sequence of steps. Key input data (identified with underscores). This section provides the detailed explanation for the actions. Most text is drawn from ISO, with FAIR concepts presented in italics. SOURCE: https://pubs.opengroup.org/onlinepubs/9698999699/toc.pdf
  • 36. ISO Inputs, Required Actions, and Outputs and how they can be used in FAIR SOURCE: https://pubs.opengroup.org/onlinepubs/9698999699/toc.pdf INPUTS ACTIONS - ISO OUTPUTS 1. Context Establishment i. General Considerations All information about the organization relevant to establish the information security risk management context. Establish the context for information security risk management:  Setting the basic criteria necessary for information security risk management  Defining the scope and boundaries  Establishing an appropriate organization operating the information security risk management A. Specification of basic risk evaluation criteria B. Scope and boundaries for risk analysis
  • 37. ISO Inputs, Required Actions, and Outputs and how they can be used in FAIR INPUTS ACTIONS - ISO OUTPUTS STAGE 1: Identify Scenario Components Identify the asset at risk: I. Scope and boundaries for risk analysis i. List of constituents with owners, location, function, etc. 1. List of assets to be risk managed A. List of assets to be risk managed Identify the threat community: ii. Information on threats, from reviewing incidents, asset owners, users, external threat catalogues, other sources 2. For each asset, identify the threat agent (e.g., insiders such as employees, contract workers; outsiders such as spies, thieves, competitors) 3. For each threat agent, define the action and identify the contact 4. Record the title and description of the threat B. List of threats, with identification of threat type and threat source C. Threat title and description
  • 38. ISO Inputs, Required Actions, and Outputs and how they can be used in FAIR INPUTS ACTIONS - ISO OUTPUTS STAGE 2: Estimate Loss Event Frequency (LEF) Estimate probable Threat Event Frequency (TEF): I. List of assets to be risk managed II. List of threats, with identification of evidences of frequency 5. Estimate the Threat Event Frequency (TEF) 6. For each threat, identify vulnerabilities that could be exploited by the threat agent A. Threat Event Frequency (TEF) B. List of vulnerabilities in relation to assets, threats, and controls Estimate Threat Capability (TCap): III. List of vulnerabilities in relation to assets, threats, and controls 7. Estimate the threat's capabilities relative to each vulnerability C. Threat capability Estimate Control Strength (CS): i. Documentation of controls ii. Documentation risk treatment implementation plans. IV. Threat capability 8. For each vulnerability, identify existing controls that reduce the vulnerability 9. Evaluate the control strength for each control D. Control Strength (CS) – List of all existing and planned controls, their effectiveness, implementation, and usage status
  • 39. ISO Inputs, Required Actions, and Outputs and how they can be used in FAIR INPUTS ACTIONS - ISO OUTPUTS STAGE 2: Estimate Loss Event Frequency (LEF) Derive Vulnerability (Vuln): VII. Control Strength (CS) – List of all existing and planned controls, their effectiveness, implementation, and usage status 11 Calculate Vulnerability (Vuln) A. D2 Vulnerability (Vuln) Derive Loss Event Frequency (LEF): VIII. Threat Event Frequency (TEF) IX. List of all existing and planned controls, their effectiveness, implementation, and usage status X. Vulnerability (Vuln) 12 Calculate Loss Event Frequency (LEF) A. H2 Loss Event Frequency (LEF)
  • 40. ISO Inputs, Required Actions, and Outputs and how they can be used in FAIR INPUTS ACTIONS - ISO OUTPUTS STAGE 3: Evaluate Probable Loss Magnitude (PLM) Estimate worst-case loss: Estimate Probable Loss Magnitude (PLM) for each threat XI. Threat title and description 13. Estimate potential impacts for each threat A. Probable Loss Magnitude (PLM) for each threat STAGE 4: Derive and Articulate Risk XII. Specification of basic risk evaluation criteria XIII.Vulnerability (Vuln) XIV.Loss Event Frequency (LEF) XV. Probable Loss Magnitude (PLM) 14. Calculate risk 15. Produce risk reports A. I1 Risk B. List of risks prioritized according to risk evaluation criteria in relation to the incident scenarios that lead to those risks C. Prioritized control improvements
  • 41. ISO Inputs, Required Actions, and Outputs and how they can be used in FAIR INPUTS ACTIONS - ISO OUTPUTS I. Information security risk treatment II. General description of risk treatment i. List of risks prioritized according to risk evaluation criteria in relation to the incident scenarios that lead to those risks  Select controls to reduce, retain, avoid, or transfer the risks  Prepare a risk treatment plan A. Risk treatment plan B. Residual risks subject to the acceptance decision of the organization’s managers III. Risk Reduction  Reduce risk by selecting controls so that the residual risk can be reassessed as being acceptable IV. Risk Retention  Decide to retain the risk without further action, based on risk evaluation V. Risk Avoidance  Avoid the activity or condition that gives rise to the particular risk VI. Risk Transfer  Transfer the risk to another party that can most effectively manage the particular risk, based on risk evaluation
  • 42. ISO Inputs, Required Actions, and Outputs and how they can be used in FAIR INPUTS ACTIONS - ISO OUTPUTS VII. Information Security Risk Acceptance i. Risk treatment plan ii. Residual risk assessment subject to the acceptance decision of the organization’s managers  The decision to accept the risks and responsibilities for the decision should be made and formally recorded.  List of accepted risks with justification for those that do not meet the organization’s normal risk acceptance criteria IX. Information Security Risk Communication i. All risk information obtained from the risk management activities  Information about risk should be exchanged and/or shared between the decision-maker and other stakeholders.  Continual understanding of the organization’s information security risk management process and results
  • 43. ISO Inputs, Required Actions, and Outputs and how they can be used in FAIR INPUTS ACTIONS - ISO OUTPUTS X. Information Security Risk Monitoring and Review i. Monitoring and Review of Risk Factors All risk information obtained from the risk management activities  Monitor and review risks and their factors (i.e., value of assets, impacts, threats, vulnerabilities, likelihood of occurrence) to identify any changes in the context of the organization at an early stage, and to maintain an overview of the complete risk picture  Continual alignment of the management of risks with the organization’s business objectives, and with risk acceptance criteria XI. Risk Management Monitoring, Reviewing, and Improving All risk information obtained from the risk management activities  Continual relevance of the information security risk management process to the organization’s business objectives or updating the process
  • 44. 1. General Considerations a) Establish the context for information security risk management: i. Setting the basic criteria necessary for information security risk management (ISO/IEC 27005 §7.2) ii. Defining the scope and boundaries (ISO/IEC 27005 §7.3) iii. Establishing an appropriate organization operating the information security risk management (ISO/IEC 27005 §7.4) b) The organization must have the resources to appropriately engage in a risk management process. These resources must include the following: i. Perform risk assessments ii. Develop risk treatment plans iii. Define and implement policies and procedures to implement selected controls iv. Monitor implemented controls v. Monitor the overall risk management process Without such resources, establishing a risk management process will set expectations of the organization that cannot be met. This task should be performed from an organizational perspective for the overall development of the ISMS, but also considered for each risk assessment to ensure success of the risk assessment results.
  • 45. 2. Risk Acceptance Criteria Developing a set of risk acceptance criteria based on the goals and objectives of the organization is important to have as an integral part of the ISMS. This assists in the development of risk treatment plans. Developing a list of risk acceptance criteria sets the groundwork for determining what risks the organization is capable of accepting, in general terms. This is probably done once when developing the ISMS, but may need to be adjusted for each risk assessment performed at the time of risk treatment plan development. Risk acceptance criteria should be developed and specified. Risk acceptance criteria often depend on the organization's policies, goals, objectives, and the interests of stakeholders.
  • 46. 2. Risk Acceptance Criteria An organization should define its own scales for levels of risk acceptance. The following should be considered during development: a) Risk acceptance criteria may include multiple thresholds, with a desired target level of risk, but provision for senior managers to accept risks above this level under defined circumstances. b) Different risk acceptance criteria may apply to different classes of risk; e.g., risks that could result in non-compliance with regulations or laws may not be accepted, while acceptance of high risks may be allowed if this is specified as a contractual requirement. c) Risk acceptance criteria may include requirements for future additional treatment; e.g., a risk may be accepted if there is approval and commitment to take action to reduce it to an acceptable level within a defined time period. d) Risk acceptance criteria may differ according to how long the risk is expected to exist; e.g., the risk may be associated with a temporary or short-term activity.
  • 47. 2. Risk Acceptance Criteria In developing the risk acceptance criteria, the following should be considered: a) Business criteria b) Legal and regulatory aspects c) Operational considerations d) Technological aspects e) Financial considerations f) Social and humanitarian factors Place the organization’s generalized risk acceptance criteria from the ISMS. Consider whether there are specific risk acceptance criteria for the risk assessment under consideration.
  • 48. 3. Calculate Risk Stage 1 a) Identify each asset (e.g., information, application, etc.) and scope the asset (e.g., enterprise, business unit, etc.). Describe the Asset(s) and Critical Attributes under Consideration a) Identification and description of the assets under consideration during a risk assessment is critical. b) Identify the asset(s) under consideration during this risk assessment.
  • 49. 3. Calculate Risk Stage 1 Describe the Threat(s) to the Asset(s) under Consideration a) For each asset, identify the threat agent(s) (e.g., insiders such as employees, contract workers; outsiders such as spies, thieves, competitors). b) For each threat agent describe the frequency with which threat agents may come into contact with the asset(s) under consideration. c) For each threat agent, estimate the probability that they will act against the asset(s). d) Define the potential action and describe the threat(s).
  • 50. 3. Calculate Risk Stage 2 a) Estimate the Loss Event Frequency (LEF). b) The Loss Event Frequency (LEF) considers the following factors: i. Threat Event Frequency (TEF), ii. Threat Capability (TCap), iii. Control Strength (CS), and iv. Vulnerability (Vuln). Estimate the Probable Threat Event Frequency (TEF) a) Estimate the probable Threat Event Frequency (TEF).
  • 51. 3. Calculate Risk Stage 2 Estimate the Probable Threat Event Frequency (TEF) a) The following table shows the ratings for the values of the Threat Event Frequency (TEF).
  • 52. 3. Calculate Risk Stage 2 Estimate the Threat Capability (TCap) a) Estimate the Threat Capability (TCap), which is the capability that the threat community has to act against the asset using a specific threat. b) The following table shows the ratings for the values of Threat Capability (TCap).
  • 53. 3. Calculate Risk Stage 2 Estimate the Control Strength (CS) a) Estimate the Control Strength (CS), which represents the probability that the organization’s controls will be able to withstand a baseline measure of force. b) The following table shows the ratings for the values of Control Strength (CS).
  • 54. 3. Calculate Risk Stage 2 Derive the Vulnerability (Vuln) a) Derive the Vulnerability (Vuln) using the vulnerability matrix below. b) Locate the intersection of Threat Capability (TCap) and Control Strength (CS). Control Strength (CS) Vulnerability (Vuln)
  • 55. 3. Calculate Risk Stage 2 Derive Loss Event Frequency (LEF) a) Derive the Loss Event Frequency (LEF) using the Loss Event Frequency (LEF) matrix below. b) Locate the intersection of Threat Event Frequency (TEF) and Vulnerability (Vuln) to derive Loss Event Frequency (LEF) Vulnerability(Vuln) Loss Event Frequency (LEF)
  • 56. 3. Calculate Risk Stage 3 a) Evaluate the Probable Loss Magnitude (PLM). b) Determine the probable impact of the loss. This is identified as the Probable Loss Magnitude (PLM). This includes estimating the worst-case scenario as well as the most probable scenario(s) of loss. Estimate the Worst-Case Loss and Probable Loss Magnitude (PLM) a) Use the following values to determine the magnitudes for the worst-case scenarios and Probably Loss Magnitude (PLM) for each appropriate threat action and loss form. The range values should be adjusted appropriately to meet the needs of the organization.
  • 57. 3. Calculate Risk Stage 4 a) Derive and articulate risk. Derive the Risk Magnitude a) Once we have estimates of Loss Event Frequency (LEF) and Probable Loss Magnitude (PLM), we are able to derive the risk value from the risk matrix below. b) The following matrix is used to derive risk using Probable Loss Magnitude (PLM) and Loss Event Frequency (LEF). c) Identify the intersection of the Probable Loss Magnitude (PLM) and Loss Event Frequency (LEF). Risk Loss Event Frequency (LEF) Key Risk Values
  • 58. 3. Calculate Risk Stage 4 Articulate the Real Risk a) The real challenge has to do with articulating this risk value to the decision-makers. b) This can be performed using the information gathered through this entire process using the ISO/IEC 27005 communication framework. c) A major consideration of communicating risk levels is the association of qualitative labelling with a tendency to equate ―high-risk‖ with ―unacceptable‖, and ―low-risk with ―acceptable. d) In fact, in some circumstances high-risk is entirely acceptable (e.g., in cases where the potential for reward outweighs the risk). e) In other situations, a relatively low-risk condition may be unacceptable, particularly if the exposure is systemic within an organization. Including more specific information regarding Loss Event Frequency (LEF) and Probable Loss Magnitude (PLM) can help to reduce the bias associated with qualitative risk labels. f) In summary, risk articulation must meet the needs of the decision-makers. When using qualitative labels for range values, it is imperative to ensure that management agrees with the criteria for each range/level.
  • 59. 4. Develop an Information Security Risk Communication Plan The four options available for risk treatment are: a) Risk Reduction – Actions taken to lessen the probability, negative consequences, or both, associated with a risk. b) Risk Avoidance – Decision not to become involved in, or action to withdraw from, a risk situation. c) Risk Transfer – Sharing with another party the burden of loss or benefit of gain, for a risk. d) Risk Retention – Acceptance of the burden of loss or benefit of gain from a particular risk. The four options for risk treatment are not mutually-exclusive. Sometimes the organization can benefit substantially by a combination of options. Some risk treatments can effectively address more than one risk. A risk treatment plan should be defined which clearly identifies the priority ordering in which individual risk treatments should be implemented and their timeframes.
  • 60. 5. Determine the Appropriate Information Risk Treatment Plan a) The steps involved in risk communication is a bi-directional process designed to achieve agreement on how to manage risks by exchanging and/or sharing information about risk between the decision-makers and other stakeholders. b) Effective communication among stakeholders is important since this may have a significant impact on decisions that must be made. c) Communication will ensure that those responsible for implementing risk management, and those with a vested interest, understand the basis on which decisions are made and why particular actions are required. d) Perceptions of risk can vary due to differences in assumptions, concepts, and the needs, issues, and concerns of stakeholders as they relate to risk or the issues under discussion. e) Stakeholders are likely to make judgments on the acceptability of risk based on their perception of risk. f) This is especially important to ensure that the stakeholders’ perceptions of risk, as well as their perceptions of benefits, can be identified and documented and the underlying reasons clearly understood and addressed.
  • 61. 6. Describe the Information Security Risk Monitoring and Review Plan Risks are not static. Threats, vulnerabilities, likelihood, or consequences may change abruptly without any indication. Therefore, constant monitoring is necessary to detect these changes. Organizations should ensure that the following are continually monitored: a) New assets that have been included in the risk management scope b) Necessary modification of asset values; e.g., due to changed business requirements c) New threats that could be active both inside and outside the organization and that have not been assessed d) Possibility that new or increased vulnerabilities could allow threats to exploit these new or changed vulnerabilities e) Identified vulnerabilities to determine those becoming exposed to new or re-emerging threats f) Increased impact or consequences of assessed threats, vulnerabilities, and risks in aggregation resulting in an unacceptable level of risk g) Information security incidents New threats, vulnerabilities, or changes in probability or consequences can increase risks previously assessed as low. Review of low and accepted risks should consider each risk separately, and all such risks as an aggregate as well, to assess their potential accumulated impact if risks do not fall into the low or acceptable risk category.