< Previous standard      ^ Up a level ^      Next standard >

ISO/IEC 27554:2024 — Information security, cybersecurity and privacy protection — Application of ISO 31000 for assessment of identity-related risk [first edition]

Abstract

“[ISO/IEC 27554] provides guidelines for identity-related risk, as an extension of ISO 31000:2018. More specifically, it uses the process outlined in ISO 31000 to guide users in establishing context and assessing risk, including providing risk scenarios for processes and implementations that are exposed to identity-related risk. [ISO/IEC 27554] is applicable to the risk assessment of processes and services that rely on or are related to identity. [ISO/IEC 27554] does not include aspects of risk related to general issues of delivery, technology or security.”

[Source: ISO/IEC 27554:2024]

Introduction

This standard facilitates the application of the ISO 31000 risk management guidelines to identity management, supporting or supplementing various identity management standards.

It applies the ISO 31000 risk management process to establish the context and assess risk, suggesting some risk scenarios for the processes and implementations specifically involving identity-related risk.

Scope of the standard

The standard applies to the assessment, specifically, of risks associated with ‘services and transactions’ that rely on or are related to identity management, excluding risks arising generally from delivery, technology or security. It can be used in conjunction with other standards concerning controls to protect identity information.

The standard succinctly explains identity-related risk definition, context and impacts. It covers the central part of the classical ISO 31000-style risk management process, excluding risk monitoring and review, and risk communication and consultation.

Content of the standard

Main sections:

4. Principles - simply refers to the ISO 31000 principles
5. Framework - refers to the ISO 31000 approach
6. Process - refers to the ISO 31000 risk management process
7. Identity-related risk assessment
8. Identity-related context establishment
9. Identity-related risk identification
10. Identity-related risk analysis
11. Identity-related risk evaluation
12. Identity-related risk treatment - refers to ISO 31000

... with appendices on related standards on risk and identity management, and “risk impact assessment”.

Status

The first edition was published in July 2024.

Personal comments

ISO 31000 remains useful, along with ISO/IEC 27005 ... begging questions about the value of another standard in this area, especially one so naively and narrowly focused.

In my jaundiced opinion, the standard misrepresents the probability element of risk, equating it to the amount of control applied rather than the predicted rate of occurrence. Conflating risk and control could be seen as a fundamental problem with the approach, confusing inherent (pre-treatment) and residual (post-treatment) risk.

Language/terminological issues (e.g. “B.1 Assessing the degree of impact of a consequence”) beg further questions. Rewriting this standard in plain English might help bring such issues into the disinfecting glare of sunlight.

The use of ‘degrees’, ‘levels’, ‘scales’ and ‘categories’ of risk, and ‘strength’ of identity-related processes (presumably controls?) indicates a subjective and qualitative approach ... and yet the standard suggests “collapsing the distinct indicators into a single combined value” at one point and for unexplained reasons presents numeric values in a ‘Plot matrix’ ... at which point I’m afraid I completely lost the plot. Repeat after me:

• Ordinary arithmetic is inappropriate for ordinal numbers.
• Ordinary arithmetic is inappropriate for ordinal numbers.
• Ordinary arithmetic is inappropriate for ordinal numbers.
• ...

< Previous standard      ^ Up a level ^      Next standard >