Dr. Michael Redmond is the CEO and lead consultant of Redmond Worldwide, an international consulting corporation celebrating its 10th year. She has certifications in ISO 22301 business continuity management, ISO 27001 information security management, ISO 27035 security incident response, and ISO 21500 project management. Dr. Redmond provides consulting services to help organizations implement information security standards and risk management frameworks and respond to security incidents. She emphasizes the importance of protecting personal information and assessing organizational vulnerabilities to cyber attacks.
How to apply ISO 27001 using a top down, risk-based approach
1. ISO 27001 ERM Risk Redmond
Dr. Michael C. Redmond, PhD
MBCP, FBCI, CEM, MBA
ISO 22301 BUSINESS CONTINUITY MANAGEMENT SYSTEMS
ISO 27001 INFORMATION SECURITY MANAGEMENT
ISO 27035 SECURITY INCIDENT RESPONSE
ISO 21500 PROJECT MANAGEMENT
ISO 41001 ENVIRONMENTAL MANAGEMENT (PENDING)
2. Dr. Michael Redmond
Redmond Worldwide
Dr. Michael Redmond is CEO and Lead Consultant of Redmond Worldwide, an International Consulting
Corporation which is celebrating its 10th successful year. She is an International Consultant, Speaker and
Author. Dr. Redmond's Certifications include: 2 Master Level Certifications in Business Continuity.
917-882-5453
msmichaelredmond@redmondworldwide.com
www.redmondworldwide.com
https://www.linkedin.com/in/michaelredmond2008
5. Cyber Attacks
More and more attacks are happening every day, resulting in loss of reputation,
fines, legal liabilities and much more.
It is not a question of if you will be the victim of a cyber attack, but when.
6. Risk Assessment using ISO 27001 ISMS framework
Information Security Management System
Legal, physical, security/cyber and technical controls
The organization should design, implement and maintain policies, processes and
systems to manage risks to its information assets, ensuring acceptable levels of
information security risk.
7. Version 2005
The 2005 Version ISO/IEC
27001:2005 incorporated the
"Plan-Do-Check-Act" (PDCA),
or Deming cycle, approach:
• Plan - designing the ISMS, assessing information
security risks and selecting appropriate controls.
• Do - involves implementing and operating the
controls.
• Check - objective is to review and evaluate the
performance (efficiency and effectiveness) of the
ISMS.
• Act - changes are made where necessary to bring
the ISMS back to peak performance.
8. Version 2013
ISO/IEC 27001:2013 no longer emphasises the Deming cycle.
• The ISMS user is free to use any management process (improvement)
approach, such as PDCA or Six Sigma's DMAIC.
9. Security Risk Factors
• Security depends on people more than on technology.
• Employees are a far greater threat to information security than outsiders.
• Security is like a chain: it is only as strong as its weakest link.
• The degree of security depends on three factors: the risk appetite, the
functionality of the system, and the costs you are prepared to pay.
• Security is not a status or a snapshot but a continuous process.
10. Risk Framework
Scope: Understand what it is that you need to protect
Risk Management: Assess risks and develop appropriate
Risk Treatment Plans to mitigate risks
Assess: Monitor and assess to validate efficacy and
continuously improve
Governance: Senior Management needs to govern the Risk
Management process, most notably establishing risk
tolerance/acceptance
11. They Work Together
Risk assessment is one of the key requirements of ISO 27001 compliance.
ISO 27005 is considered one of the best risk assessment methodologies
available today and is widely used by many organizations in achieving
compliance with ISO 27001 and with other standards such as PCI DSS, HIPAA, etc.
12. Identify the assets, consider the threats that could
compromise those assets, and estimate the damage
that the realization of any threat could pose
13. What risk would losing trade secrets pose
to your company's financial well-being?
14. Identify the various entities that pose threats to your
company's well being –
• hackers
• disgruntled employees
• careless employees
• competitors
15. Identify the assets that you are trying to
protect with special attention to those
that are most critical
17. What are the weakest links in
your systems and processes?
18. Make a list of possible vulnerable targets
• Source Code
• Engineering Drawings
• Patent Applications
• Customer Lists
• Contracts
• Admin Passwords
• Data Centers
• UPS Devices
• Firewalls
• Payroll Records
19. Next Step
Assign numeric values to those risks.
Calculated risk values provide a basis for determining how much time and
money to invest in protecting each asset.
20. Risk and Impact
Likelihood (probability)
is a measure of how
likely a loss is to happen
Impact (severity) is how
much damage will be
done to the organization
if the loss occurs
21. FMEA
Failure mode and effects analysis (FMEA) adds a measure of the
effectiveness of the current controls to the likelihood-times-impact
calculation.
Formula is:
• likelihood that a threat is acted on (independent of your precautions
against it) times the anticipated damage (impact) times a factor for how
well your current controls mitigate the risk. In FMEA's risk priority
number that third factor is scored so that weaker controls give a higher
value, so the product rises as control effectiveness falls.
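A worked version of the scoring described on slides 19 to 21, as an added example that is not part of the original deck: a small risk register of constructed (asset, threat) pairs, taken from the target list on slide 18 and the threat actors on slide 14, is scored as likelihood times impact times a control-gap factor, ranked, and compared against an assumed risk appetite (the senior-management tolerance from slide 10). The 1-to-5 scales, the sample ratings, the appetite threshold of 25, and the function names are assumptions for illustration; the control-gap inversion follows the FMEA convention that a weak control raises the score.

```python
"""Risk register scoring: likelihood x impact x control gap.

Added worked example; the 1..5 scales, the sample risks and the appetite
threshold are illustrative assumptions, not values from the deck.
"""
from dataclasses import dataclass

SCALE_MAX = 5  # all three factors are rated 1..5 (assumed scale)


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: int      # 1 rare .. 5 almost certain, rated BEFORE controls
    impact: int          # 1 negligible .. 5 severe
    control_effect: int  # 1 no control .. 5 control fully mitigates


def _check(value: int, name: str) -> int:
    """Reject ratings outside the agreed scale instead of silently scoring them."""
    if not isinstance(value, int) or not 1 <= value <= SCALE_MAX:
        raise ValueError(f"{name} must be an integer in 1..{SCALE_MAX}, got {value!r}")
    return value


def control_gap(control_effect: int) -> int:
    """Invert effectiveness so that a weak control RAISES the score.

    Mirrors the FMEA 'detection' convention: a fully effective control
    scores 1, a missing control scores SCALE_MAX.
    """
    return SCALE_MAX + 1 - _check(control_effect, "control_effect")


def score(risk: Risk) -> int:
    """Risk score = likelihood * impact * control gap (max 125 on a 1..5 scale)."""
    return (
        _check(risk.likelihood, "likelihood")
        * _check(risk.impact, "impact")
        * control_gap(risk.control_effect)
    )


def decision(risk_score: int, appetite: int) -> str:
    """Anything above the appetite must be treated; the rest may be accepted."""
    return "treat" if risk_score > appetite else "accept"


def build_register(risks, appetite):
    """Score, rank (highest first) and decide every risk; returns plain dicts."""
    rows = []
    for r in risks:
        s = score(r)
        rows.append({"asset": r.asset, "threat": r.threat,
                     "score": s, "decision": decision(s, appetite)})
    rows.sort(key=lambda row: (-row["score"], row["asset"]))
    return rows


def residual_score(risk: Risk, new_control_effect: int) -> int:
    """Re-score after a treatment raises control effectiveness (the 'Act' step)."""
    return score(Risk(risk.asset, risk.threat, risk.likelihood,
                      risk.impact, new_control_effect))


# Constructed sample register: assets from slide 18, threat actors from slide 14.
SAMPLE_RISKS = [
    Risk("Source code", "disgruntled employee", likelihood=3, impact=5, control_effect=2),
    Risk("Admin passwords", "hacker", likelihood=4, impact=5, control_effect=4),
    Risk("Customer lists", "careless employee", likelihood=4, impact=3, control_effect=2),
    Risk("UPS devices", "careless employee", likelihood=2, impact=3, control_effect=3),
    Risk("Payroll records", "competitor", likelihood=1, impact=4, control_effect=5),
]
RISK_APPETITE = 25  # assumed threshold set by senior management


if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS, RISK_APPETITE):
        print(f"{row['score']:4d}  {row['decision']:6s}  {row['asset']} / {row['threat']}")
    top = SAMPLE_RISKS[0]
    # A treatment that lifts control effectiveness from 2 to 4 leaves a
    # residual score of 30, still above the appetite, so it is not enough.
    print("Source code after control effectiveness 2 -> 4:", residual_score(top, 4))
```

The residual_score check is the part practitioners most often skip: a treatment plan is only finished when the re-scored risk falls within the appetite, and in the sample above the first improvement to the source-code control still leaves the risk above the threshold.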