ISO/IEC 27005 Information technology -- Security techniques -- Information security risk management (draft)
This standard will be a revision of the Management of information and communications technology security (MICTS) standards ISO/IEC TR 13335-3:1998 and ISO/IEC TR 13335-4:2000.
This standard is currently at FDIS stage and is likely to be published during 2008.
The scope of ISO/IEC 27005 is to: “provide guidelines for information security risk management. This International Standard supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach.”
Some personal comments on the FDIS version of 27005
[These are just my personal perspective on the final draft international standard. They inevitably reflect my own prejudices and limited experience with information security risk management.]
At around 60 sides, ISO/IEC 27005 will be a heavyweight standard although the main part is just 24 pages, the rest being mostly annexes with examples and further information for users. There is quite a lot of meat on the bones, reflecting the complexities in this area.
Although the standard defines risk as “a combination of the consequences that would follow from the occurrence of an unwanted event and the likelihood of the occurrence of the event”, the risk analysis process outlined in the standard indicates the need to identify information assets at risk, the potential threats or threat sources, the potential vulnerabilities and the potential consequences (impacts) if risks materialize. Examples of threats, vulnerabilities and impacts are tabulated in the annexes; although incomplete, these may prove useful for brainstorming risks relating to information assets under evaluation. It is clearly implied that automated system security vulnerability assessment tools are insufficient for risk analysis without taking into account other vulnerabilities plus the threats and impacts.
The standard will include a section and annex on defining the scope and boundaries of information security risk management which should, I guess, be no less than the scope of the ISMS.
The draft standard doesn't specify, recommend or even name any specific method (such as those listed below and in the ISO27k FAQ), although it does specify a structured, systematic and rigorous method of analyzing risks through to creating the risk treatment plan.
The standard will deliberately remain agnostic about quantitative and qualitative risk assessment methods, essentially recommending that users choose whatever methods suit them best, and noting that they are both methods of estimating, not defining, risks. Note the plural - 'methods' - the implication being that different methods might be used for, say, a high-level risk assessment followed by more in-depth risk analysis on the high risk areas. The pros and cons of quantitative vs qualitative methods do get a mention.
The steps in the process are (mostly) defined to the level of inputs -> actions -> outputs, with additional “implementation guidance” in similar style to ISO/IEC 27002.
The standard will incorporate some iterative elements e.g. if the results of an assessment are unsatisfactory, you loop back to the inputs and have another run through. For those of us who think in pictures, there are useful figures giving an overview of the whole process and more detail on the risk assessment -> risk treatment -> residual risk bit.
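To make the process described above concrete, here is an added illustration (my own sketch, not text or code from ISO/IEC 27005 or any of the methods named on this page) of a qualitative risk estimate built from the asset / threat / vulnerability / consequence / likelihood elements, a high-level screening pass that sends only the higher risks for in-depth treatment, and the assess -> treat -> residual risk loop that repeats until the residual risk meets the acceptance criterion. The 3x3 scales, the thresholds, the sample risks and the candidate controls are all constructed for the example; a real assessment would use the organization's own risk criteria.

```python
"""Qualitative information security risk estimation with an iterative
assess -> treat -> residual-risk loop.

Added illustration, not text or code from ISO/IEC 27005. The 3x3 scales,
the acceptance and screening thresholds and the sample risks are
constructed for the example; a real assessment uses the organization's
own risk criteria.
"""
from dataclasses import dataclass, replace

# Ordinal scales (constructed). ISO/IEC 27005 leaves the choice of scale
# to the user; any monotonic scale works with the logic below.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
CONSEQUENCE = {"minor": 1, "moderate": 2, "major": 3}
ACCEPTANCE_LEVEL = 2   # scores above this must be treated (constructed)
SCREENING_LEVEL = 4    # scores at/above this get in-depth analysis (constructed)


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str     # key of LIKELIHOOD
    consequence: str    # key of CONSEQUENCE


@dataclass
class Control:
    name: str
    likelihood_steps: int = 0    # scale steps by which it lowers likelihood
    consequence_steps: int = 0   # scale steps by which it lowers consequence


def estimate(risk: Risk) -> int:
    """Risk level = combination of likelihood and consequence (here, the product)."""
    return LIKELIHOOD[risk.likelihood] * CONSEQUENCE[risk.consequence]


def _lower(scale: dict, value: str, steps: int) -> str:
    """Move `value` down `steps` positions on an ordinal scale, floored at the lowest."""
    order = sorted(scale, key=scale.get)
    return order[max(order.index(value) - steps, 0)]


def apply_control(risk: Risk, control: Control) -> Risk:
    """Return the residual risk after a risk-modifying control is applied."""
    return replace(
        risk,
        likelihood=_lower(LIKELIHOOD, risk.likelihood, control.likelihood_steps),
        consequence=_lower(CONSEQUENCE, risk.consequence, control.consequence_steps),
    )


def screen(risks: list) -> list:
    """High-level assessment: keep only the risks that warrant in-depth analysis."""
    return [r for r in risks if estimate(r) >= SCREENING_LEVEL]


def treat(risk: Risk, candidates: list) -> tuple:
    """Iterate: add controls until the residual risk is acceptable.

    Returns (residual risk, names of controls applied, treatment decision).
    If the candidate controls run out before the risk is acceptable, the
    decision is escalated rather than silently accepted.
    """
    applied, residual = [], risk
    for control in candidates:
        if estimate(residual) <= ACCEPTANCE_LEVEL:
            break
        residual = apply_control(residual, control)
        applied.append(control.name)
    if estimate(residual) <= ACCEPTANCE_LEVEL:
        decision = "modify" if applied else "retain"
    else:
        decision = "escalate: residual risk above acceptance level"
    return residual, applied, decision


# Constructed sample register: asset / threat / vulnerability / estimates.
SAMPLE_RISKS = [
    Risk("customer database", "external attacker", "unpatched DBMS", "high", "major"),
    Risk("office printer", "hardware failure", "no spare unit", "medium", "minor"),
    Risk("laptop fleet", "theft", "no disk encryption", "medium", "major"),
]

# Constructed candidate controls per asset, in the order they would be tried.
CANDIDATE_CONTROLS = {
    "customer database": [Control("patch management", likelihood_steps=1),
                          Control("network segmentation", likelihood_steps=1)],
    "laptop fleet": [Control("full-disk encryption", consequence_steps=2)],
}


def risk_treatment_plan(risks=SAMPLE_RISKS, controls=CANDIDATE_CONTROLS) -> dict:
    """Screen, treat, and record initial vs residual level for each asset."""
    plan = {}
    for risk in screen(risks):
        residual, applied, decision = treat(risk, controls.get(risk.asset, []))
        plan[risk.asset] = {"initial": estimate(risk), "residual": estimate(residual),
                            "controls": applied, "decision": decision}
    return plan


if __name__ == "__main__":
    for asset, row in risk_treatment_plan().items():
        print(asset, row)
```

Running it shows the two behaviours worth noticing: the printer risk never reaches in-depth analysis, and the customer database still sits above the acceptance level after both candidate controls, so the loop hands it back for a decision rather than declaring it treated.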
Further reading
ISO/IEC 27005 draws upon standards such as BS7799-3, AS4360, ISO Guide 73, ISO 31000 ...
BS 7799 Part 3
BS 7799-3:2006 - information security management systems - guidelines for information security risk management is a British Standard released in March 2006. This is the planned third part of the original BS 7799 family that offers guidance on the risk management aspects of ISO/IEC 27001, namely:
Assessing/evaluating risks;
Implementing appropriate controls;
Monitoring and reviewing risks on an ongoing or periodic basis; and
Maintaining and continuously improving the system of controls.
BS 7799-3 seeks to address information security risks within the wider context of business risks. Linking information security with commercial objectives is a good way to counter the traditional, rather negative view of security controls: controls reduce risk and thereby not only reduce potential losses but also give management the confidence to expand in ways that otherwise might be avoided.
According to a British Standards Institute newsletter, “BS 7799-3 promotes the adoption of a process approach for assessing risks, treating risks, and ongoing risk monitoring, risk reviews and re-assessments. A process approach encourages its users to emphasize the importance of:
Understanding business information security requirements and the need to establish policy and objectives for information security;
Selecting, implementing and operating controls in the context of managing an organization's overall business risks;
Monitoring and reviewing the performance and effectiveness of the Information Security Management System (ISMS) to manage the business risks;
Continual improvement based on objective risk measurement.”
BS7799-3:2006 is one of the possible risk analysis methods suggested in ISO/IEC 27005.
AS/NZS 4360
AS/NZS 4360:2004 is a well-respected risk management standard published jointly by Standards Australia and Standards New Zealand and widely used around the world. ISO/IEC 27005 will incorporate a flow chart on risk management and various other concepts from AS 4360. HB 436:2004 risk management guidelines accompany and expand on AS/NZS 4360. HB 436 includes the text of the standard and is available as a package deal along with a separate full copy of AS/NZS 4360.
ISO Guide 73 Risk Management - Vocabulary - Guidelines for Use in Standards
This guide, published in 2002, provides generic but formalized definitions of risk management terms. It is intended to assist those preparing or updating risk management standards, promoting a coherent approach to the description of risk management activities and the use of risk management terminology - in other words, it is not meant to be a guide to risk management practices so much as to clarify the terms used in ISO and ISO/IEC standards.
It is conceivable that ISO/IEC 27000 will be published before ISO/IEC 27005 in which case information security risk management terms may well be referenced from ISO/IEC 27000.
Other risk analysis methods and tools to consider
CRAMM: “CCTA Risk Assessment and Management Methodology” was originally developed for UK Government use but is now owned by Siemens;
ISO 31000 is a draft standard providing guidance on the principles and implementation of risk management in general (not IT or information security specific). It was also developed from AS/NZS 4360;
ISO TR 13335: this multipartite ISO Technical Report was a precursor to ISO/IEC 27005;
MAGERIT “Metodologia de Analisis y Gestion de Riesgos de los Sistemas de Informacion” is available in Spanish and English;
Mehari: a risk analysis and management method developed by CLUSIF (Club de la Sécurité de l'Information Français);
Microsoft’s security risk management guide is a 129-page document plus a set of Excel worksheets and an accompanying tool. It combines quantitative and qualitative analysis, return on security investment (ROSI) and other best practices;
NIST SP 800-30: NIST’s Risk Management Guide for Information Technology Systems is a free 55-page PDF download;
NIST SP 800-39 “Managing Risk from Information Systems - An Organizational Perspective” is available in draft;
OCTAVE: “Operationally Critical Threat, Asset, and Vulnerability Evaluation” is a popular risk-based strategic assessment and planning technique from CERT;
Informal risk analysis methods such as risk workshops and brainstorming are genuine alternatives or complementary approaches to the formal/documented methods and commercial tools, especially where experienced information security and risk management professionals participate alongside business people familiar with the organization’s situation.
There is further information on risk analysis methods and tools in the FAQ.