ISO 27005 is the “Information Technology—Security Techniques—Information Security Risk Management” standard released by the international standards body ISO to provide guidance over information security risk management processes that are needed for the implementation of an effective information security management system (ISMS). Though this standard is considered a risk management standard, a significant portion of the standard deals with risk assessments, which are of course a key part of a risk management program.
ISO 27005 is heavily aligned with NIST SP 800-30 and is written from a high level perspective when compared to the other frameworks that we have discussed so far. The ISO 27005 standard has 6 major topic areas:
- Context Establishment.
- Information Security Risk Assessment.
- Information Security Risk Treatment.
- Information Security Risk Acceptance.
- Information Security Risk Communication.
- Information Security Risk Monitoring and Review.
ISO 27005 has 3 steps for the section dealing with risk assessment:
(Sigurjon Thor Arnason, 2008)
- Risk Identification,
- Risk Estimation
- Risk Evaluation.
Risk identification consists of 5 main activities, as follows:
- Identification of Assets—the objective for this activity is to identify the assets that are in scope for the risk assessment. This includes identifying the asset owner for the asset that was identified. In ISO 27005, assets are categorized as either primary or secondary. Primary assets are core process/activities and information. Secondary assets are hardware, software, network, personnel, site, and structure. The list of asset types in ISO 27005 is fairly comprehensive and can be seen in Annex B of the standards document.
- Identification of Threats—the objective of this step is to prepare a list of potential threats for the asset. According to ISO 27005, people such as asset owners, users, human resources staff, and facilities management could assist in identifying the threats to an asset. ISO 27005 also states that internal experience, particularly based on incidents that have occurred or previous assessments that have been performed, should be considered. One of the most useful contributions of ISO 27005 is the inclusion of standardized threat catalogs.
- Identification of existing controls—the objective of this activity is to identify existing controls. The guidance provided within ISO 27005 for this activity is fairly open-ended and does not specifically address criteria or scale for the control review. It does provide references to information sources that may be able to assist in this activity. Some examples identified as good sources for conducting this part of the review are:
- Documents that have information about controls.
- People responsible for information security.
- On-site reviews.
- Review of internal audit results.
- Identification of vulnerabilities—the goal of the activity is to identify the vulnerabilities for the asset. Though the narrative does not provide much information, Annex D of the standard does provide examples of vulnerabilities, which can be used as a helpful guide. ISO 27005 also provides specific information sources that can be used to identify vulnerabilities in assets. Some samples are:
- Vulnerability Scanning and Penetration Testing.
- Code Reviews.
- Physical Inspection.
- Document Analysis.
- Identification of consequences—the objective of this activity is to determine the possible damage or consequences caused by an “incident scenario” or what other frameworks call a threat scenario. ISO 27005 provides a list of impact factors that can be used to identify and measure consequences. Interestingly, when compared to most of the other frameworks, ISO 27005 leans towards identifying quantitative aspects of impact such as financial replacement value, and cost of suspended operations.
The risk estimation phase consists of three primary activities. These are:
- Assessment of consequences—the main objective of this activity is to assess the impact cause by an incident scenario. Some of the consequences that the standard recommends you evaluate are:
- Investigation and repair time.
- Work time lost.
- Opportunity lost.
- Health and safety.
- Financial cost of specific skills to repair the damage.
- Image reputation and goodwill
As you may have noticed ISO 27005 focuses on objectives, guidance, and concepts. The standard is not prescriptive; it does not really provide criteria, scoring, or decision matrices unlike some of the other frameworks.
- Assessment of incident likelihood—the main objective of this activity is to assess the likelihood of an incident scenario using qualitative or quantitative estimation techniques. As with most of ISO 27005, it is not prescriptive but it does recommend that while performing this activity, one should consider the following factors:
- Frequency of occurrence of the threat (statistics).
- Motivation and capability of the source.
- Geographical factors and the environment.
- Existing Controls.
- Level of risk estimation—the main objective of this step is to provide values of the likelihood and consequences, which will ultimately result in a risk value.
The narrative for this activity is relatively short but ISO 27005 provides a fairly comprehensive list of approaches to risk estimation in Annex E of the standards document. Annex E also provides various examples of tables and computation matrices to allow for the computation of risk based on likelihood and consequence.
Once risk estimates have been determined, the final step in the Risk Assessment stage of ISO 27005 is to prioritize the risks that are identified based on the risk evaluation criteria and the risk acceptance criteria. Determining the priority for these risks would allow the following risk management actions to be determined:
- Whether an activity should be undertaken.
- Priorities of risk treatment considering estimated levels of risk.