Information Security Risk Management for ISO 27001/ISO 27002, third edition
By Alan Calder and Steve Watkins
About this ebook
In today’s information economy, the development, exploitation and protection of information and associated assets are key to the long-term competitiveness and survival of corporations and entire economies. The protection of information and associated assets – information security – is therefore overtaking physical asset protection as a fundamental corporate governance responsibility.
Information security management system requirements
ISO 27000, which provides an overview for the family of international standards for information security, states that “An organisation needs to undertake the following steps in establishing, monitoring, maintaining and improving its ISMS […] assess information security risks and treat information security risks”. The requirements for an ISMS are specified in ISO 27001. Under this standard, a risk assessment must be carried out to inform the selection of security controls, making risk assessment the core competence of information security management and a critical corporate discipline.
Plan and carry out a risk assessment to protect your information
Information Security Risk Management for ISO 27001 / ISO 27002:
- Provides information security and risk management teams with detailed, practical guidance on how to develop and implement a risk assessment in line with the requirements of ISO 27001.
- Draws on national and international best practice around risk assessment, including BS 7799-3:2017 (BS 7799-3).
- Covers key topics such as risk assessment methodologies, risk management objectives, information security policy and scoping, threats and vulnerabilities, risk treatment and selection of controls.
- Includes advice on choosing risk assessment software.
Ideal for risk managers, information security managers, lead implementers, compliance managers and consultants, as well as providing useful background material for auditors, this book will enable readers to develop an ISO 27001-compliant risk assessment framework for their organisation and deliver real, bottom-line business benefits.
Buy your copy today!
About the authors
Alan Calder is the Group CEO of GRC International Group plc, the AIM-listed company that owns IT Governance Ltd. Alan is an acknowledged international cyber security guru and a leading author on information security and IT governance issues. He has been involved in the development of a wide range of information security management training courses that have been accredited by IBITGQ (International Board for IT Governance Qualifications). Alan has consulted for clients in the UK and abroad, and is a regular media commentator and speaker.
Steve Watkins is an executive director at GRC International Group plc. He is a contracted technical assessor for UKAS – advising on its assessments of certification bodies offering ISMS/ISO 27001 and ITSMS/ISO 20000-1 accredited certification. He is a member of ISO/IEC JTC 1/SC 27, the international technical committee responsible for information security, cyber security and privacy standards, and chairs the UK National Standards Body’s technical committee IST/33 (information security, cyber security and privacy protection) that mirrors it. Steve was an active member of IST/33/-/6, which developed BS 7799-3.
Alan Calder
Alan Calder is a leading author on IT governance and information security issues. He is the CEO of GRC International Group plc, the AIM-listed company that owns IT Governance Ltd. Alan is an acknowledged international cyber security guru. He has been involved in the development of a wide range of information security management training courses that have been accredited by the International Board for IT Governance Qualifications (IBITGQ). He is a frequent media commentator on information security and IT governance issues, and has contributed articles and expert comment to a wide range of trade, national and online news outlets.
Book preview
Information Security Risk Management for ISO 27001 / ISO 27002
Third edition
ALAN CALDER
STEVE G WATKINS
Every possible effort has been made to ensure that the information contained in this book is accurate at the time of going to press, and the publisher and the author cannot accept responsibility for any errors or omissions, however caused. Any opinions expressed in this book are those of the author, not the publisher. Websites identified are for reference only, not endorsement, and any website visits are at the reader’s own risk. No responsibility for loss or damage occasioned to any person acting, or refraining from action, as a result of the material in this publication can be accepted by the publisher or the author.
Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form, or by any means, with the prior permission in writing of the publisher or, in the case of reprographic reproduction, in accordance with the terms of licences issued by the Copyright Licensing Agency. Enquiries concerning reproduction outside those terms should be sent to the publisher at the following address:
IT Governance Publishing Ltd
Unit 3, Clive Court
Bartholomew’s Walk
Cambridgeshire Business Park
Ely, Cambridgeshire
CB7 4EA
United Kingdom
www.itgovernancepublishing.co.uk
© IT Governance Ltd, 2007, 2010, 2019.
The authors have asserted their rights under the Copyright, Designs and Patents Act, 1988, to be identified as the authors of this work.
First published in the United Kingdom in 2007 (as Information Security Risk Management for ISO 27001 / ISO17799) by IT Governance Publishing.
Second edition published in the United Kingdom in 2010 by IT Governance Publishing.
ISBN: 978-1-84928-149-2
Third edition published in the United Kingdom in 2019 by IT Governance Publishing.
ISBN: 978-1-78778-138-2
ABOUT THE AUTHORS
Alan Calder founded IT Governance Limited in 2002 and began working full time for the company in 2007. He is now Group CEO of GRC International Group plc, the AIM-listed company that owns IT Governance Ltd. Prior to this, Alan had a number of roles including CEO of Business Link London City Partners from 1995 to 1998 (a government agency focused on helping growing businesses to develop), CEO of Focus Central London from 1998 to 2001 (a training and enterprise council), CEO of Wide Learning from 2001 to 2003 (a supplier of e-learning) and the Outsourced Training Company (2005). Alan was also chairman of CEME (a public-private sector skills partnership) from 2006 to 2011.
Alan is an acknowledged international cyber security guru and a leading author on information security and IT governance issues. He has been involved in the development of a wide range of information security management training courses that have been accredited by the International Board for IT Governance Qualifications (IBITGQ). Alan has consulted for clients in the UK and abroad, and is a regular media commentator and speaker.
Steve G Watkins is an executive director at GRC International Group plc. He is a contracted technical assessor for UKAS – advising on its assessments of certification bodies offering ISMS/ISO 27001 and ITSMS/ISO 20000-1 accredited certification and also undertakes information security assessments of forensic science laboratories seeking accreditation to the Forensic Science Regulator’s codes of practice and conduct.
He is a member of ISO/IEC JTC 1/SC 27, the international technical committee responsible for information security, cyber security and privacy standards, and chairs the UK National Standards Body’s technical committee IST/33 (information security, cyber security and privacy protection) that mirrors it. Steve is also involved with technical committees: RM/1 (risk management) and RM/1/-/3 (responsible for BS 31111, providing guidance for boards and senior management on cyber risk and resilience); IST/060/02 (IT service management) and IDT/001/0-/04 (data protection).
Steve was an active member of IST/33/-/6, which developed BS 7799-3.
Alan Calder and Steve G Watkins have written a number of other books together, including IT Governance: An International Guide to Data Security and ISO 27001/ISO 27002 (seventh edition published by Kogan Page, 2019).
A list of all their publications can be found at the back of this book.
CONTENTS
Introduction
Chapter 1: Risk management
Risk management: two phases
Enterprise risk management
Chapter 2: Risk assessment methodologies
Publicly available risk assessment standards
Qualitative versus quantitative
Quantitative risk analysis
Qualitative risk analysis
Chapter 3: Risk management objectives
Risk acceptance or tolerance
Information security risk management objectives
Risk management and process models
Chapter 4: Roles and responsibilities
Senior management commitment
The (lead) risk assessor
Other roles and responsibilities
Chapter 5: Risk assessment software
Gap analysis tools
Vulnerability assessment tools
Penetration testing
Risk assessment tools
Risk assessment tool descriptions
Chapter 6: Information security policy and scoping
Information security policy
Scope of the ISMS
Chapter 7: The ISO 27001 risk assessment
Overview of the risk assessment process
Chapter 8: Information assets
Assets within the scope
Grouping of assets
Asset dependencies
Asset owners
Sensitivity classification
Are vendors assets?
What about duplicate copies and backups?
Identification of existing controls
Chapter 9: Threats and vulnerabilities
Threats
Vulnerabilities
Technical vulnerabilities
Chapter 10: Scenario-based risk assessment
Chapter 11: Impact, including asset valuation
Impacts
Defining impact
Estimating impact
The asset valuation table
Business, legal and contractual impact values
Reputational damage
Chapter 12: Likelihood
Risk analysis
Information to support assessments
Chapter 13: Risk level
The risk scale
Boundary calculations
Mid-point calculations
Chapter 14: Risk treatment and the selection of controls
Types of controls
Risk assessment and existing controls
Residual risk
Risk sharing
Optimising the solution
Chapter 15: The Statement of Applicability
Drafting the Statement of Applicability
Chapter 16: The gap analysis and risk treatment plan
Gap analysis
Risk treatment plan
Chapter 17: Repeating and reviewing the risk assessment
Appendix 1: vsRisk Cloud
Appendix 2: ISO 27001 implementation resources
Appendix 3: Books by the same authors
Further reading
INTRODUCTION
In today’s information economy, the development, exploitation and protection of information and associated assets are key to the long-term competitiveness and survival of corporations and entire economies. The protection of information and associated assets – information security – is therefore overtaking physical asset protection as a fundamental corporate governance responsibility. An information security management system (ISMS) that provides a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization’s information security to achieve business objectives¹ has become a critical corporate discipline, alongside marketing, sales, HR and financial management.
A key corporate governance objective is to ensure that the organisation has an appropriate balance of risk and reward in its business operations and, as a consequence, enterprise risk management (ERM) increasingly provides a framework within which organisations can assess and manage risks in their business plan. The recognition of substantial, strategic risk in information and communication technologies has led to the development of IT governance.²
The changing global economy, together with recent corporate and IT governance developments, all provide the context within which organisations have to assess risks to the information assets on which their organisations, and the delivery of their business plan objectives, depend. Information security management decisions are entirely driven by specific decisions made as an outcome of a risk assessment process in relation to identified risks and specific information assets.
Risk assessment is, therefore, the core competence of information security management.
The Introduction (Clause 0) of ISO/IEC 27002:2013 (ISO 27002), the international code of best practice for ISMSs, supports this business- and risk-oriented approach: “Resources employed in implementing controls need to be balanced against the business harm likely to result from security issues in the absence of those controls. The results of a risk assessment will help guide and determine the appropriate management action and priorities for managing information security risks and for implementing controls selected to protect against these risks.”³
A growing number of organisations are adopting this approach to the management of risk. A number of national or proprietary standards that deal with information security risk management have emerged over the years. They all have much in common. ISO 27001 is the international standard that sets out the requirements for an ISMS and provides an approach to risk management consistent with all other guidance; indeed many of the other frameworks that are available are based on ISO 27001. This approach is also appropriate for organisations complying with the Payment Card Industry Data Security Standard (PCI DSS), and supports compliance with other legal and regulatory requirements, such as the EU’s General Data Protection Regulation (GDPR) and Directive on security of network and information systems (NIS Directive).
Of course, every organisation needs to determine its criteria for accepting risks, and identify the levels of risk it will accept. It is a truism to point out that there is a relationship between the levels of risk and reward in any business. Most businesses, particularly those subject to the Sarbanes-Oxley Act of 2002 and, in the UK, the FRC’s Guidance on Risk Management, Internal Control and Related Financial and Business Reporting and the UK Corporate Governance Code, will want to be very clear about which risks they will accept and which they won’t, the extent to which they will accept risks and how they wish to control them. Management needs to specify its approach, in general and in particular, so that the business can be managed within that context. As we have indicated, risk assessment, as an activity, should be approached within the context of the organisation’s broader ERM framework.
All too often, organisations enter into risk management without considering that the practice must be part of something larger. A risk assessment is not an end in itself: a risk assessment must provide outputs that are useful to the organisation. The goal of a risk assessment methodology must be to effect the organisation’s ISMS.
While ISO 27002 is a code of practice, ISO/IEC 27001:2013 (ISO 27001) is a specification that sets out the requirements for an ISMS. ISO 27001 is explicit in requiring that an information security risk assessment is used to inform the selection of controls.⁴ Risk assessment, as we’ve said, is therefore the core competence of information security management.
Organisations that design and implement an ISMS in line with ISO 27001 can have it assessed by a third-party certification body and if, after audit, it is found to be in line with ISO 27001, an accredited certificate of conformity can be issued.⁵
This standard is increasingly seen as offering a practical solution to the growing range of information-related regulatory requirements, as well as helping organisations to more cost-effectively counter the increasingly sophisticated and varied range of information security threats in the modern information economy.⁶ As a result, a rapidly growing number of companies around the world are seeking certification to ISO 27001, providing a means of demonstrating to clients and other stakeholders their commitment and intent with regard to information security.
An ISMS developed and based on risk acceptance criteria, and using third-party accredited certification to provide an independent verification of the level of assurance, is an extremely useful management tool. Such an ISMS offers the opportunity to define and monitor service levels internally, as well as in contractor/partner organisations, thus demonstrating the extent to which there is effective control of those risks for which directors and senior management are accountable.
It is becoming increasingly common for ISO 27001 certification to be a prerequisite in service specification procurement documents and,