ISO Risk Management

ISO/IEC 27001:2013 Information technology – Information security management systems

ISO 27001 is not a law or regulation, but it is one of the most widely adopted security frameworks in the world. It is a framework for establishing an effective information security management system (ISMS). The framework takes a top-down, risk-based approach and is technology-neutral.

One of the first requirements for ISO 27001 compliance is to define the organization's risk assessment approach. According to the framework, the risk assessment methodology should be based on business, information security, legal and regulatory requirements, and it should include criteria for accepting risk and for identifying acceptable risk levels. The framework also requires that the risk assessment approach produce comparable and reproducible results.

ISO 27001 also states that the organization should identify risks by identifying assets and asset owners, identifying threats, and identifying vulnerabilities that affect confidentiality, integrity, and availability. Beyond identifying risk, ISO 27001 requires the organization to analyze and evaluate risks. This evaluation is based on the business impact of the security failure, the realistic likelihood given the controls currently in place, an estimate of the resulting risk level, and a decision on whether the risk is acceptable. These are simply different ways of saying that an organization needs to evaluate the impact and likelihood of each risk, the core components of risk management.
ISO 27001 primarily refers practitioners to ISO 27005, the techniques document that focuses on information security risk management.

ISO provides several documents that offer guidance in developing the ISMS. Those relevant to management of risk are:

ISO/IEC 27001:2013: Information Technology – Security Techniques – Information Security Management System – Requirements (ISMS):

— Describes a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an ISMS

— Used to assess conformance by interested internal and external parties

— Applies to all types of organizations (e.g., commercial enterprises, government agencies, non-profit organizations)

— Ensures selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties

— Specifies requirements for the implementation of security controls customized to the needs of individual organizations or departments


The International Organization for Standardization (ISO) is a worldwide federation of national standards bodies. One of its standards, ISO 31000, provides a universal risk management framework for use across entities, sectors, and organizations of all kinds. Although every organization manages risk to some degree, ISO 31000 establishes a number of principles considered essential for risk management to be effective. Published in November 2009, ISO 31000 is the first international standard on the practice of risk management. The standard applies to any type or size of organization in any country. (Hardy, 2014)

ISO 31000

ISO 31000 offers a risk management architecture that describes the relationship between risk management principles, a risk management framework, and the risk management process. According to ISO 31000, “for risk management to be effective, an organization should at all levels comply with several principles” (see above Figure). The principles cover broad themes and can serve as a foundation for shaping an organization’s risk philosophy. What the integration activities around enterprise risk management (ERM) have in common is their dependence on an effective management framework; without such a framework, it would be difficult to manage risks effectively.


In addition to ISO 31000, there are two other useful documents addressing risk management and risk assessment being adopted as American National Standards:

  • ISO Guide 73:2009, Risk Management – Vocabulary
  • IEC/ISO 31010:2009, Risk Management – Risk Assessment Techniques


ISO/IEC 27005:2011: Information Technology – Security Techniques – Information Security Risk Management: provides a general approach to risk management

ISO/IEC 27001 describes the general process for the ISMS; within that process, ISO/IEC 27005 defines the approach to managing risk and presents the step-by-step details.

ISO 27005 structures the organization's risk assessment approach around the following steps:

  • Identify the risks
  • Analyze and evaluate the risks
  • Identify and evaluate options for the treatment of risks
  • Select control objectives and controls for the treatment of risks
  • Obtain management approval of the proposed residual risks

This generally outlines the process for managing risk at a very high level.
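As an added example (not part of the original page or of any ISO document), the steps above can be walked through with a small risk register: assets with owners, threats and vulnerabilities tagged by the CIA property they affect, a risk level computed from impact and likelihood on fixed ordinal scales so that results are comparable and reproducible, an acceptance criterion, and a treatment step that yields the residual risk for management approval. All assets, scores and the acceptance threshold are constructed sample values.

```python
from dataclasses import dataclass, replace

# Fixed ordinal scales: scoring the same inputs always yields the same
# level, which gives the comparable, reproducible results ISO 27001 asks for.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ACCEPTANCE_THRESHOLD = 8  # constructed criterion: a level of 8 or less is accepted


@dataclass(frozen=True)
class Risk:
    asset: str
    owner: str
    threat: str
    vulnerability: str
    cia: str          # which of C, I or A the vulnerability affects
    likelihood: str   # realistic likelihood given the controls already in place
    impact: str       # business impact of the security failure

    def level(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def acceptable(self) -> bool:
        return self.level() <= ACCEPTANCE_THRESHOLD


def treat(risk: Risk, likelihood: str = None, impact: str = None) -> Risk:
    """Apply a selected control and return the residual risk for approval."""
    return replace(risk, likelihood=likelihood or risk.likelihood,
                   impact=impact or risk.impact)


def evaluate(register: list) -> list:
    """Analyze and evaluate: (risk, level, needs_treatment), highest level first."""
    rows = [(r, r.level(), not r.acceptable()) for r in register]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample register (identify assets, owners, threats, vulnerabilities)
REGISTER = [
    Risk("customer database", "DBA lead", "external attacker",
         "DBMS missing vendor patches", "C", "likely", "severe"),
    Risk("HR file share", "HR manager", "ransomware",
         "no offline backups", "A", "possible", "major"),
    Risk("marketing site", "web team", "defacement",
         "CMS admin account with default password", "I", "possible", "minor"),
]

if __name__ == "__main__":
    for risk, lvl, needs in evaluate(REGISTER):
        print(f"{risk.asset:18} {risk.cia} level={lvl:2} treatment needed={needs}")
    residual = treat(REGISTER[0], likelihood="unlikely")  # after patching
    print("residual:", residual.level(), "acceptable:", residual.acceptable())
```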

ISO/IEC 27002:2013: Information Technology – Security Techniques – Code of Practice for Information Security Management (Controls):

— Provides 14 domains of control objectives and controls

— Defines 114 security controls that may be selected within each domain

— Provides implementation guidance in each area

ISO/IEC 27002 provides the taxonomy of information security controls. ISO/IEC 27005 describes the management of risk in more detail, but it does not prescribe specific values or a particular methodology for determining risk level.
