< Previous standard      ^ Up a level ^      Next standard >

ISO/IEC 27554 — Information security, cybersecurity and privacy protection — Application of ISO 31000 for assessment of identity-related risk [DRAFT]

Abstract

“This document defines identity-related risk for the purposes of applying ISO 31000 risk management guidelines to this field. It also uses the process outlined in ISO 31000 risk management guidelines to give guidelines for establishing context and assessing risk, including providing risk scenarios for processes and implementations that are exposed to identity-related risk”

[Source: ISO/IEC JTC 1/SC 27 SD11]

Introduction

This standard is intended to facilitate the application of the ISO 31000 risk management guidelines to identity management, supporting or supplementing various identity management standards.

It applies the ISO 31000:2018 risk management process to establish the context and assess risk, suggesting some risk scenarios for the processes and implementations involving identity-related risk.

Scope of the standard

The standard applies to the assessment, specifically, of risks associated with ‘services and transactions’ that rely on or are related to identity management, excluding risks arising generally from delivery, technology or security. It can be used in conjunction with other standards concerning controls to protect identity information.

The standard succinctly explains identity-related risk definition, context and impacts. It covers the central part of the classical ISO 31000-style risk management process, excluding risk monitoring and review, and risk communication and consultation.

Content of the standard

Main sections:

4. Principles - simply refers to the ISO 31000 principles
5. Framework - refers to the ISO 31000 approach
6. Process - refers to the ISO 31000 risk management process
7. Identity-related risk assessment
8. Identity-related context establishment
9. Identity-related risk identification
10. Identity-related risk analysis
11. Identity-related risk evaluation
12. Identity-related risk treatment - refers to ISO 31000

... with appendices on related standards on risk and identity management, and risk impact assessment.

Status

The project started in 2018.

 The standard has been submitted for publication.  It should surface soon.

Personal notes

ISO 31000 remains useful, along with ISO/IEC 27005 ... begging questions about the value of another standard in this area, especially one so naive and narrowly focused.

 In my jaundiced opinion, the standard misrepresents the probability element of risk, equating it to the amount of control applied rather than the predicted rate of occurrence. Conflating risk and control could be seen as a fundamental problem with the approach, confusing inherent (pre-treatment) and residual (post-treatment) risk.

 The use of ‘degrees’, ‘levels’, ‘scales’ and ‘categories’ of risk, and ‘strength’ of identity-related processes (=controls?) indicates a subjective approach to quantification ... and yet the standard suggests “collapsing the distinct indicators into a single combined value” at one point and for reasons not explained presents numeric values in a ‘Plot matrix’ ... at which point I lost the plot.

< Previous standard      ^ Up a level ^      Next standard >