Leveraging ISO 27005 standard’s risk assessment capabilities

In this first of a series of articles on risk assessment standards, we look at the latest in the ISO stable: ISO 27005’s risk assessment capabilities.

Risk assessment (RA) is akin to charting the blueprint for a robust information security strategy. It is an information-gathering exercise performed to determine the right steps toward developing a proactive security posture, and should not be confused with an audit. Risk assessment analyzes threats in conjunction with vulnerabilities and existing controls.

The ISO 27005 risk assessment standard, first published in June 2008, is based on concepts specified in ISO 27001. ISO 27005 provides guidelines for information security risk management and allows organizations to select their own approach to risk assessment based on the objectives and assessment aims. This approach is markedly different from other popular standards such as OCTAVE and NIST SP 800-30. ISO 27005 charts out a systematic process, which is exact in terms of required steps, and rigorous in terms of classifying and treating risk.

A one-size-fits-all approach to information security is doomed to failure — it’s certain to throttle efficiency and productivity. The ISO 27005 risk assessment standard is different in that it acts as an enabler for designing effective and efficient controls for organizations that require the freedom to define their own risk parameters.

Risk assessment under ISO 27005

Workflow: Identification, Estimation and Evaluation

ISO 27005 brings considerable structure to risk assessment. It focuses on the tenets of confidentiality, integrity and availability, each balanced according to operational requirements. Identification of assets and component steps such as risk profiling are left to the entity’s discretion. There are several points of significant difference in the ISO 27005 standard’s workflow.

Risk identification: This refers to risk characterized in terms of organizational conditions.

1) Asset identification: ISO 27005 risk assessment differs from other standards by classifying assets into primary and supporting assets. Primary assets are usually information or business processes. Supporting assets can be hardware, software and human resources.

While a supporting asset is replaceable, the information it contains is most often not. ISO 27005 effectively brings out this distinction, enabling organizations to identify valuable assets and the dependent supporting assets impacting the primary asset, on the basis of ownership, location and function.

2) Threat identification and profiling: This facet is based on incident review and classification. Threats could be application-based or threats to the physical infrastructure. While this process is continuous, under ISO 27005 risk assessment it does not require redefining asset classification from the ground up. The onus of profiling risk is left to the organization, based on business requirements. However, standard threat scenarios for the relevant industry vertical must be covered for comprehensive assessment.

3) Identifying existing controls: ISO 27005 risk assessment requires identification of all possible existing controls. Under ISO 27005, the protection provided — or bottlenecks created — by existing controls are taken into account.

4) Identification of vulnerabilities and consequences: Vulnerabilities must be identified and profiled based on assets, internal and external threats and existing controls. Vulnerabilities unrelated to external threats should also be profiled. The final checkpoint is to identify consequences of vulnerabilities. The eventual risk is thus a function of the consequences and the likelihood of an incident scenario.

Risk estimation and evaluation: ISO 27005 risk assessment facilitates prioritization. Under ISO 27005, risk can be estimated qualitatively (for example: high, medium, low) or quantitatively (for example: cost in dollars, man-hours). While quantitative assessment is desirable, probability determination often poses difficulties and carries an inevitable element of subjectivity.

For correct identification of risk, estimation in terms of business impact is essential. However, the challenge is to reach a consensus when numerous stakeholders are involved. Thus, risk evaluation criteria are based on business requirements and the need to mitigate potentially disruptive consequences.
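The workflow above, worked through as an added example (not part of the original article or of the ISO 27005 text): a small Python risk register that ties each incident scenario to a primary and a supporting asset, credits existing controls before scoring, and ranks risk as consequence times likelihood. The 3-point scale, the multiplication rule, the control strengths and the sample register are assumptions made for illustration.

```python
from dataclasses import dataclass

LEVEL = {"low": 1, "medium": 2, "high": 3}  # assumed 3-point qualitative scale

@dataclass(frozen=True)
class Scenario:
    primary: str          # primary asset: information or business process
    supporting: str       # supporting asset: hardware, software or people
    threat: str
    vulnerability: str
    consequence: str      # business impact on the primary asset
    likelihood: str       # likelihood before existing controls are credited
    controls: tuple = ()  # existing controls covering this scenario

def estimate(s, strength):
    """Risk = consequence x likelihood, after crediting existing controls.
    Assumed rule: each control lowers likelihood by its strength, floor 'low'."""
    reduced = LEVEL[s.likelihood] - sum(strength.get(c, 0) for c in s.controls)
    return LEVEL[s.consequence] * max(reduced, LEVEL["low"])

def evaluate(scenarios, strength, accept_max):
    """Rank scenarios; scores above the acceptance criterion need treatment."""
    ranked = sorted(scenarios, key=lambda s: estimate(s, strength), reverse=True)
    return [(s.primary, s.supporting, estimate(s, strength),
             "treat" if estimate(s, strength) > accept_max else "accept")
            for s in ranked]

def worst_per_primary(scenarios, strength):
    """Roll supporting-asset risk up to the primary asset that depends on it."""
    worst = {}
    for s in scenarios:
        worst[s.primary] = max(worst.get(s.primary, 0), estimate(s, strength))
    return worst

# Constructed sample register (not from the article).
STRENGTH = {"endpoint protection": 1, "door badge": 0}  # 0 = no effect here
REGISTER = [
    Scenario("customer records", "file server", "malware", "outdated OS",
             "high", "high", ("endpoint protection",)),
    Scenario("customer records", "backup tapes", "loss in transit",
             "unencrypted media", "high", "low"),
    Scenario("payroll process", "payroll clerk", "phishing",
             "no awareness training", "medium", "medium"),
    Scenario("public brochure", "web server", "defacement",
             "weak admin password", "low", "high", ("door badge",)),
]

if __name__ == "__main__":
    for row in evaluate(REGISTER, STRENGTH, accept_max=3):
        print(row)
    print(worst_per_primary(REGISTER, STRENGTH))
```

The acceptance threshold passed to evaluate() stands in for the organization's own risk evaluation criteria; changing it changes which scenarios are flagged for treatment without touching the estimates.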

ISO 27005’s differences

While the flow in most risk assessment standards is essentially the same, the difference lies in the sequence of events or in the order of task execution. Compared to popular standards like OCTAVE and NIST SP 800-30, ISO 27005’s risk assessment approach differs in several respects.

OCTAVE’s methodology focuses on critical assets rather than the whole. ISO 27005 does not exclude non-critical assets from the risk assessment ambit. However, it necessitates assigning an asset value. The workflow for OCTAVE is also different, with identification of assets and the areas of concern coming first, followed by the security requirements and threat profiling.

The NIST SP 800-30 standard is largely meant for technical risk assessment. The NIST SP 800-30 standard’s workflow differs from ISO 27005 in that the first step is system characterization. NIST SP 800-30 considers vulnerabilities before existing controls; thus the mitigation afforded by existing controls is not taken into account.

In a practical situation, an organization does not completely forego previous investments and controls. ISO 27005 risk assessment scores with its more realistic view of the vulnerability profile, since it identifies existing controls before defining vulnerabilities.

About the author: Dharshan Shanthamurthy is a director at SISA Information Security and a risk assessment evangelist at SMART-RA.COM. Trained at Software Engineering Institute - Carnegie Mellon University, Dharshan carries a host of security certifications. He has presented at over 122 workshops/conferences in over 19 countries. He can be reached at [email protected].

(As told to Varun Haran)

Please send your feedback and/or comments to vharan at techtarget dot com. You can subscribe to our Twitter feed at @SearchSecIN.
