Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security and Risk Management
Agenda
§ Rinske Geerlings:
Risk Management (RM) – Good, bad and ugly
Aligning the RM process with ISO 31000
How/where does ISO 27001 fit?
§ Nick Riemsdijk:
Information Security (IS) – Good, bad and ugly
Aligning the ISMS process with ISO 27001
Using ISO 31000 within the ISMS
§ Combined Q&A
Background: Rinske Geerlings
• Multi-award winning consultant, trainer and auditor in Business Continuity
(BCM), IT Management, Information Security and Risk Management
• ISO 22301, ISO 27001, ISO 22361, ISO 22316 and ISO 31000 certified
• Consulted for 20+ years to 100s of Government entities, SMEs and larger
corporates across Australasia, Africa, Europe and Latin America
• Risk Consultant of the Year 2017 by RMIA (Australasia)
• Outstanding Security Consultant of the Year 2019 Finalist in the OSPAs
• Australian Business Woman of the Year 2010-13 by BPW (global NGO)
• Alumnus of the Year 2013 (Delft University, Netherlands)
• Board Member (ARVP) of ASIS International – Australasia region
• Specific regulatory experience - Australian Prudential Regulation Authority
(APRA)
Client sample
The old connotation of the term ‘Risk’
• Risk = effect of uncertainty on
objectives
• Risk management = coordinated
activities to direct and control an
organisation with regard to risk.
As per the International Standard for
Risk Management: ISO 31000: 2018
Good: Adoption of the new definition of Risk
Good: Understanding that Risk is not all that bad
Good: Categorisation of Risk
• Strategic risks, such as those related to mergers, acquisitions, digital transformation,
products/services, competitive position, market share, globalisation and industry
changes.
• Financial risks, such as market risk, credit risk, liquidity risk, interest rate risk,
exchange rate risk, inflation risk, investment risk.
• Operational risks, such as those related to IT services, staff, productivity, physical
assets, outsourcing and upstream/downstream supplier relationships.
• Compliance risks, such as those related to contractual obligations, as well as (e.g.
environmental, OH&S, ethics, privacy related) regulations.
> Whilst any of the above can also result in Reputational (i.e. brand-related) risks, we typically see those covered under Strategic risk.
The bad and the ugly
• Focus on causes (and treating those) rather than consequences
• Treatment options/procedures to reduce impact often not easily extractable
> all controls bundled together with the preventative controls, and (links to) the response
procedures are not actually held within the system.
• Producing quantity rather than quality > Large volumes of data including ratings (held in
big spreadsheets, software tools).
• Maintenance of these becoming a burden, needing to then be carried by non-subject-matter experts (e.g. a centralised Risk function).
• Top-down Risk Appetite and Risk Capacity unclear (‘flying blind’, thus risk of over and/or
under-investing in treatments).
Typical Risk Appetite Statements
• “We are working towards a position whereby we are not jeopardised by short-term revenue
and cost fluctuations.
• We aim to seek opportunities to provide us with sustainable growth, providing that it is in
accordance with our shareholders’ objectives/goals.
• We will protect partnerships with key, long-term suppliers as a high priority.
• We will protect our brand and do not have appetite for negative public comment (nor in
traditional nor social media) on our products, nor our staff or services.
• We can absorb some variances in the quality of products and services in the short-term, but
must be in a position to deliver reliable and consistent quality of products and services in
the long-term.
• We will look after and protect staff as a high priority.”
Typical Risk Appetite Statements
Risk Category → Risk Appetite Statement
• Environment & Sustainable development: We conduct our operations in accordance with the principles of ecologically sustainable development and have a strong commitment to protecting and preserving the environment generally. We have a low risk appetite for activities which will erode our ability to protect the environment and a moderate to high risk appetite to prevent incidents that adversely affect or significantly degrade it. We have zero risk appetite for behaviours that amount to deliberate or reckless violations or breaches of environmental laws, regulations or standards, that compromise or affect adversely the environment.
• Corporate Social Responsibility: We have a close interface with the community. We support the prosperity of the region and balance the priorities of our customers, stakeholders and general public. We strive to be caring for the community underpinned by values of goodwill and respect. We have a moderate to high risk appetite to deliver sustainable outcomes for the communities in which we operate. In undertaking our community and socially responsible activities, we have a low risk appetite for risks that will adversely impact our reputation and diminish our role in the communities we serve.
Note: These are the 2 least lengthy items out of a 7-page table… Question: How measurable are these?
> Should be SMART-ly defined
Better practice: Risk Appetite and Risk Capacity
Better practice: Workshopping
Aligning the RM process with ISO 31000
• The concept of organizational context and stakeholders
• Structured process (risk assessment, risk treatment)
• Importance of continual improvement
• Leadership and commitment
Where does ISO 27001 fit?
• It deals with Information Security risk (i.e. one of the many risks)
Background: Nick Riemsdijk
• Senior consultant, trainer and auditor in Business Continuity
(BCM), Information Security and Risk Management
• ISO 22301, ISO 27001, ISO 22316 and ISO 31000 certified
• Master of Business Administration - University of Adelaide
• Cyber Security Strategy and Risk – RMIT Melbourne
• Certified Information Security Manager (CISM) – ISACA
• Certified Protection Professional (CPP) - ASIS International
• Consulted for 15+ years to several Government entities, SMEs and larger
corporates in Australia, Africa and The Netherlands
• Focus on Physical and Information Security
• Protective Security Framework, Security of Critical Infrastructure Act and
Information Security Management Frameworks
• Utility industry expert
Information Security (IS) – First things first
• Cyber security vs information security
• Information Security Management System
o A framework of policies, procedures, and technical measures designed to manage, monitor, and improve an organization's information security.
o A systematic approach to ensuring the confidentiality, integrity, and availability of an organization's sensitive information and data assets.
• People, processes and technology
• Includes all types of information, including paper-based, cloud, removable media, intellectual property/knowledge and conversations
• Personal Health Information (PHI), Personally Identifiable Information (PII), including financial information, medical records, social security numbers, contact information
Information Security (IS) – Good, bad and ugly
• Improved encryption, more sophisticated and widespread, making it harder for attackers to intercept and decrypt sensitive information.
• Multi-factor authentication has become more common, adding an extra layer of security to login processes.
• Cloud providers are increasingly investing in security measures to protect customer data and prevent unauthorized access.
• More people are becoming aware of the importance of information security, which has led to better cybersecurity practices and increased funding for security research.
• Governments around the world are introducing improved legislation, enacting new laws and regulations to protect personal data and hold companies accountable for data breaches.
• Machine Learning and Artificial Intelligence are used to improve security by identifying potential threats and vulnerabilities before they can be exploited.
Information Security (IS) – Good, bad and ugly
• ChatGPT is a sophisticated AI engine, referred to as the
new Google, Wikipedia and a chatbot in one.
• GPT stands for Generative Pre-trained Transformer
(GPT), a type of language model that uses deep learning
to generate human-like, conversational text.
• It can be trained on vast amounts of data related to
security threats, such as malware, phishing, and hacking.
• ChatGPT can enhance your ISMS by:
o Assisting in incident response by providing
contextual information about the attack and
recommended steps to be taken.
o Providing personalized security recommendations
tailored to specific needs and concerns.
o Analysing data, writing code or creating diagrams
• Microsoft has developed a version of ChatGPT that has full access to the internet, which ChatGPT does not have.
Information Security (IS) – Good, bad and ugly
• Overreliance and overconfidence in technical controls, while 95% of cybersecurity breaches are due to human error
• Internet of Things (IoT) devices are becoming increasingly common, but
many lack adequate security features, making them vulnerable to attack
and potentially allowing attackers to gain access to other devices on the
network.
• Insider threats pose a significant risk to information security, as
employees, contractors, or business partners with access to sensitive
information can cause harm either intentionally or unintentionally.
• A lack of security awareness as many people are not aware of the risks
associated with sharing personal information online or clicking on
suspicious links, leaving them vulnerable to attack.
• Weak security controls, such as easily guessable passwords or unpatched
software vulnerabilities, can be exploited by attackers to gain access to
systems and data.
Information Security (IS) – Good, bad and ugly
• Ransomware attacks are impacting critical infrastructure, including hospitals,
energy utilities, traffic systems and the financial industry
• Pacemakers and insulin pumps – these can provide live health information and receive device updates, but could also be manipulated
• Self-driving vehicles, boats and autonomous planes – create a whole new category
of security risks
Information Security (IS) – Good, bad and ugly
• ISO 27001 is a widely recognized international standard for
information security management.
• ISO 27001:2022, released last year, is more aligned with other standards including ISO 31000
• Aligning information security processes with the 27001 standard
can help organizations establish and maintain a comprehensive
framework for managing information security risks.
• Organizations that implement ISO 27001 demonstrate their
commitment to protecting information and managing risks
effectively.
• Certification to the standard can provide a competitive advantage
by demonstrating compliance with international standards and
customer requirements
• 6 steps to align your information security processes with ISO 27001
How can we align ISMS process with ISO 27001?
1. Define the scope of the ISMS and produce a Statement of Applicability as per
clause 6.1.3 d in the standard
2. Conduct a thorough risk assessment to identify and prioritize information
security risks based on their likelihood and potential impact.
3. Develop and document information security policies and procedures that
address the identified risks and align with the requirements of ISO 27001.
4. Implement a set of security controls to mitigate the identified risks, based on the risk assessment in step 2 and aligned with the ISO 27001 standard.
5. Continuously monitor and review the effectiveness of the security controls in
place and adjust as needed. This includes conducting regular audits and risk
assessments to ensure that the security controls remain effective over time.
6. Obtain and maintain ISO 27001 certification to demonstrate that the organization
has implemented a comprehensive information security management system
that meets international standards.
How can we align ISMS process with ISO 27001?
Figure: Define scope → Risk assessment → Policies and procedures → Implement security controls → Monitor and review → Obtain and maintain certification
Using ISO 31000 in an ISMS
• ISO 31000 is a general standard for risk management that can be applied to any type of risk, including strategic, operational, financial, and reputational risks. ISO 27005 is a specific standard for information security risk management.
• As ISO 31000 is widely used, using this standard for your ISMS risk management can seamlessly integrate with other organizational risk processes.
• ISO 27005 focuses specifically on the risk management process for information security risks, and provides a more detailed framework for them.
• The ISO 31000 principles are essential for solid ISMS risk management
ISO 31000 Principles
• Integrated
• Structured and comprehensive
• Customized
• Inclusive
• Dynamic
• Best available information
• Human and cultural factors
• Continual improvement
Using ISO 31000 processes in an ISMS
ISO 31000 process → ISO 27001:2022 clauses
• Establish the scope, context and criteria → 4.1 Understanding the organization and its context; 4.3 Determining the scope of the ISMS
• Identify risks, including the likelihood and potential impact of each risk → 6.1.1 General; 6.1.2 Security risk assessment
• Analyze risks using quantitative or qualitative methods → 6.1.2 Security risk assessment; 8.2 Information security risk assessment
• Evaluate the risks based on the organization's risk criteria → 6.1 Actions to address risks and opportunities; 6.1.1 General; 6.1.2 Security risk assessment; 8.2 Information security risk assessment
• Develop and implement risk treatment plans to mitigate or eliminate the identified risks → 6.1.3 Risk Treatment; 8.3 Information security risk treatment
• Monitor and review: continuously monitor and review the effectiveness of the risk management processes → 6.1.1 General; 6.1.2 Security risk assessment; 6.1.3 Risk Treatment; 8.2 Information security risk assessment; 8.3 Information security risk treatment
By using ISO 31000 in an ISMS, organizations can establish a systematic and structured approach to managing
risks to their information assets.
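The ISO 31000 steps mapped above (criteria, analyse, evaluate, treat, monitor and review), together with step 1 and step 2 of the six-step procedure (Statement of Applicability and risk assessment), carried through on a small constructed risk register so that a measurable appetite, rather than a prose statement, decides what gets treated. This is an added example and not code from the presenters or from PECB; the 5-point scales, the per-category appetite thresholds and the four sample risks are assumptions, and the Annex A control numbers are assumed to be those of the 2022 edition.

```python
from __future__ import annotations

from dataclasses import dataclass

# Risk criteria, fixed up front (ISO 31000: establish scope, context and criteria;
# ISO 27001 cl. 6.1.2). Two 5-point qualitative scales; score = likelihood x impact (1..25).
# Scale wording and values are constructed for this example.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# A measurable (SMART) risk appetite: the highest score tolerated per risk category.
# Constructed values; a real appetite would be set top-down and signed off.
APPETITE = {"compliance": 4, "operational": 9, "strategic": 12}


@dataclass(frozen=True)
class Risk:
    ref: str
    category: str
    description: str
    likelihood: str
    impact: str
    control: str  # Annex A control chosen to treat the risk

    def score(self) -> int:
        """Analyse the risk (ISO 31000 analyse; ISO 27001 cl. 6.1.2 / 8.2)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def evaluate(risk: Risk) -> str:
    """Evaluate against the criteria (ISO 31000 evaluate; ISO 27001 cl. 6.1.2 / 8.2):
    'accept' if the score is within the category's appetite, otherwise 'treat'."""
    return "accept" if risk.score() <= APPETITE[risk.category] else "treat"


def treatment_plan(register: list[Risk]) -> list[tuple[str, int, str]]:
    """Risk treatment (ISO 31000 treat; ISO 27001 cl. 6.1.3 / 8.3): the risks that
    exceed appetite, highest score first, with the control chosen for each."""
    todo = [r for r in register if evaluate(r) == "treat"]
    todo.sort(key=lambda r: (-r.score(), r.ref))
    return [(r.ref, r.score(), r.control) for r in todo]


def statement_of_applicability(register: list[Risk], controls: list[str]) -> dict[str, list[str]]:
    """Statement of Applicability (ISO 27001 cl. 6.1.3 d): for every Annex A control
    considered, the treated risks that justify it. An empty list means no treated risk
    requires the control, so excluding it needs a documented justification."""
    return {
        c: sorted(r.ref for r in register if r.control == c and evaluate(r) == "treat")
        for c in controls
    }


def reassess(risk: Risk, likelihood: str, impact: str) -> Risk:
    """Monitor and review: re-rate the residual risk once the control is in place."""
    return Risk(risk.ref, risk.category, risk.description, likelihood, impact, risk.control)


# Constructed sample risk register. Control numbers are assumed to follow
# ISO 27001:2022 Annex A; check them against the standard before reusing.
REGISTER = [
    Risk("R1", "operational", "Unpatched internet-facing web server", "likely", "major", "A.8.8"),
    Risk("R2", "compliance", "PII emailed to the wrong recipient", "possible", "moderate", "A.5.34"),
    Risk("R3", "operational", "Theft of a laptop with an encrypted disk", "possible", "minor", "A.8.1"),
    Risk("R4", "strategic", "Prolonged cloud provider outage", "unlikely", "major", "A.5.30"),
]
CONTROLS_CONSIDERED = ["A.5.30", "A.5.34", "A.8.1", "A.8.8"]


if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.ref}: score {r.score():2d} -> {evaluate(r)}")
    print("Treatment plan:", treatment_plan(REGISTER))
    print("SoA:", statement_of_applicability(REGISTER, CONTROLS_CONSIDERED))
    # Once patching is in place, re-rate R1 and check it now sits within appetite.
    print("R1 residual:", evaluate(reassess(REGISTER[0], "unlikely", "major")))
```

Changing one number in APPETITE changes which risks land in the treatment plan and which controls the SoA can justify, which is the "flying blind" problem the appetite slides describe made concrete.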
Final tips
• Use the controls in Annex A of the ISO 27001 standard to identify risk sources
• NIST SP 800-30 Rev. 1, Guide for Conducting Risk Assessments, has a comprehensive list of sources, events and vulnerabilities in the appendix which can be considered in ISMS risk assessments
• Align ISMS risk management with your organization’s holistic risk framework, which is much easier if both are based on ISO 31000.
• Include non-IT staff, suppliers and customers in risk assessments
• Subscribe to threat intelligence reports and IT security newsletters, join special interest groups and participate in information security forums
• Attain organizational ISO 27001 certification: the process of preparing for the audit, including internal audit, confirms the maturity of the ISMS and identifies gaps in capability (which can then be addressed). Maintaining the certification is an important driver for the maintenance and continuous improvement of your ISMS.
THANK YOU
Q&A
rinskeg@businessasusual.com.au
nickr@businessasusual.com.au
Rinske Geerlings
Nick Riemsdijk

Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
PECB
 
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital TransformationISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
PECB
 
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulationsManaging ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
PECB
 
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
PECB
 
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
PECB
 
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
PECB
 
Student Information Session University KTMC
Student Information Session University KTMC Student Information Session University KTMC
Student Information Session University KTMC
PECB
 
Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA
PECB
 
IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?
PECB
 
Information Session University Egybyte.pptx
Information Session University Egybyte.pptxInformation Session University Egybyte.pptx
Information Session University Egybyte.pptx
PECB
 
Student Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptxStudent Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptx
PECB
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023
PECB
 
ISO 28000:2022 – Reduce risks and improve the security management system
ISO 28000:2022 – Reduce risks and improve the security management systemISO 28000:2022 – Reduce risks and improve the security management system
ISO 28000:2022 – Reduce risks and improve the security management system
PECB
 

More from PECB (20)

ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...
ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...
ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of CybersecurityDORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
 
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI GovernanceSecuring the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
 
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
 
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
 
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks EffectivelyISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
 
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
 
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital TransformationISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
 
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulationsManaging ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
 
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
 
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
 
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
 
Student Information Session University KTMC
Student Information Session University KTMC Student Information Session University KTMC
Student Information Session University KTMC
 
Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA
 
IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?
 
Information Session University Egybyte.pptx
Information Session University Egybyte.pptxInformation Session University Egybyte.pptx
Information Session University Egybyte.pptx
 
Student Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptxStudent Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptx
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023
 
ISO 28000:2022 – Reduce risks and improve the security management system
ISO 28000:2022 – Reduce risks and improve the security management systemISO 28000:2022 – Reduce risks and improve the security management system
ISO 28000:2022 – Reduce risks and improve the security management system
 

Recently uploaded

Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...
Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...
Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...
Dr. Vinod Kumar Kanvaria
 
PCOS corelations and management through Ayurveda.
PCOS corelations and management through Ayurveda.PCOS corelations and management through Ayurveda.
PCOS corelations and management through Ayurveda.
Dr. Shivangi Singh Parihar
 
Hindi varnamala | hindi alphabet PPT.pdf
Hindi varnamala | hindi alphabet PPT.pdfHindi varnamala | hindi alphabet PPT.pdf
Hindi varnamala | hindi alphabet PPT.pdf
Dr. Mulla Adam Ali
 
clinical examination of hip joint (1).pdf
clinical examination of hip joint (1).pdfclinical examination of hip joint (1).pdf
clinical examination of hip joint (1).pdf
Priyankaranawat4
 
Top five deadliest dog breeds in America
Top five deadliest dog breeds in AmericaTop five deadliest dog breeds in America
Top five deadliest dog breeds in America
Bisnar Chase Personal Injury Attorneys
 
World environment day ppt For 5 June 2024
World environment day ppt For 5 June 2024World environment day ppt For 5 June 2024
World environment day ppt For 5 June 2024
ak6969907
 
Liberal Approach to the Study of Indian Politics.pdf
Liberal Approach to the Study of Indian Politics.pdfLiberal Approach to the Study of Indian Politics.pdf
Liberal Approach to the Study of Indian Politics.pdf
WaniBasim
 
ANATOMY AND BIOMECHANICS OF HIP JOINT.pdf
ANATOMY AND BIOMECHANICS OF HIP JOINT.pdfANATOMY AND BIOMECHANICS OF HIP JOINT.pdf
ANATOMY AND BIOMECHANICS OF HIP JOINT.pdf
Priyankaranawat4
 
RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3
RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3
RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3
IreneSebastianRueco1
 
Life upper-Intermediate B2 Workbook for student
Life upper-Intermediate B2 Workbook for studentLife upper-Intermediate B2 Workbook for student
Life upper-Intermediate B2 Workbook for student
NgcHiNguyn25
 
A Independência da América Espanhola LAPBOOK.pdf
A Independência da América Espanhola LAPBOOK.pdfA Independência da América Espanhola LAPBOOK.pdf
A Independência da América Espanhola LAPBOOK.pdf
Jean Carlos Nunes Paixão
 
S1-Introduction-Biopesticides in ICM.pptx
S1-Introduction-Biopesticides in ICM.pptxS1-Introduction-Biopesticides in ICM.pptx
S1-Introduction-Biopesticides in ICM.pptx
tarandeep35
 
Advanced Java[Extra Concepts, Not Difficult].docx
Advanced Java[Extra Concepts, Not Difficult].docxAdvanced Java[Extra Concepts, Not Difficult].docx
Advanced Java[Extra Concepts, Not Difficult].docx
adhitya5119
 
Natural birth techniques - Mrs.Akanksha Trivedi Rama University
Natural birth techniques - Mrs.Akanksha Trivedi Rama UniversityNatural birth techniques - Mrs.Akanksha Trivedi Rama University
Natural birth techniques - Mrs.Akanksha Trivedi Rama University
Akanksha trivedi rama nursing college kanpur.
 
PIMS Job Advertisement 2024.pdf Islamabad
PIMS Job Advertisement 2024.pdf IslamabadPIMS Job Advertisement 2024.pdf Islamabad
PIMS Job Advertisement 2024.pdf Islamabad
AyyanKhan40
 
The Diamonds of 2023-2024 in the IGRA collection
The Diamonds of 2023-2024 in the IGRA collectionThe Diamonds of 2023-2024 in the IGRA collection
The Diamonds of 2023-2024 in the IGRA collection
Israel Genealogy Research Association
 
Pollock and Snow "DEIA in the Scholarly Landscape, Session One: Setting Expec...
Pollock and Snow "DEIA in the Scholarly Landscape, Session One: Setting Expec...Pollock and Snow "DEIA in the Scholarly Landscape, Session One: Setting Expec...
Pollock and Snow "DEIA in the Scholarly Landscape, Session One: Setting Expec...
National Information Standards Organization (NISO)
 
Pride Month Slides 2024 David Douglas School District
Pride Month Slides 2024 David Douglas School DistrictPride Month Slides 2024 David Douglas School District
Pride Month Slides 2024 David Douglas School District
David Douglas School District
 
Your Skill Boost Masterclass: Strategies for Effective Upskilling
Your Skill Boost Masterclass: Strategies for Effective UpskillingYour Skill Boost Masterclass: Strategies for Effective Upskilling
Your Skill Boost Masterclass: Strategies for Effective Upskilling
Excellence Foundation for South Sudan
 
How to Build a Module in Odoo 17 Using the Scaffold Method
How to Build a Module in Odoo 17 Using the Scaffold MethodHow to Build a Module in Odoo 17 Using the Scaffold Method
How to Build a Module in Odoo 17 Using the Scaffold Method
Celine George
 

Recently uploaded (20)

Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...
Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...
Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...
 
PCOS corelations and management through Ayurveda.
PCOS corelations and management through Ayurveda.PCOS corelations and management through Ayurveda.
PCOS corelations and management through Ayurveda.
 
Hindi varnamala | hindi alphabet PPT.pdf
Hindi varnamala | hindi alphabet PPT.pdfHindi varnamala | hindi alphabet PPT.pdf
Hindi varnamala | hindi alphabet PPT.pdf
 
clinical examination of hip joint (1).pdf
clinical examination of hip joint (1).pdfclinical examination of hip joint (1).pdf
clinical examination of hip joint (1).pdf
 
Top five deadliest dog breeds in America
Top five deadliest dog breeds in AmericaTop five deadliest dog breeds in America
Top five deadliest dog breeds in America
 
World environment day ppt For 5 June 2024
World environment day ppt For 5 June 2024World environment day ppt For 5 June 2024
World environment day ppt For 5 June 2024
 
Liberal Approach to the Study of Indian Politics.pdf
Liberal Approach to the Study of Indian Politics.pdfLiberal Approach to the Study of Indian Politics.pdf
Liberal Approach to the Study of Indian Politics.pdf
 
ANATOMY AND BIOMECHANICS OF HIP JOINT.pdf
ANATOMY AND BIOMECHANICS OF HIP JOINT.pdfANATOMY AND BIOMECHANICS OF HIP JOINT.pdf
ANATOMY AND BIOMECHANICS OF HIP JOINT.pdf
 
RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3
RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3
RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3
 
Life upper-Intermediate B2 Workbook for student
Life upper-Intermediate B2 Workbook for studentLife upper-Intermediate B2 Workbook for student
Life upper-Intermediate B2 Workbook for student
 
A Independência da América Espanhola LAPBOOK.pdf
A Independência da América Espanhola LAPBOOK.pdfA Independência da América Espanhola LAPBOOK.pdf
A Independência da América Espanhola LAPBOOK.pdf
 
S1-Introduction-Biopesticides in ICM.pptx
S1-Introduction-Biopesticides in ICM.pptxS1-Introduction-Biopesticides in ICM.pptx
S1-Introduction-Biopesticides in ICM.pptx
 
Advanced Java[Extra Concepts, Not Difficult].docx
Advanced Java[Extra Concepts, Not Difficult].docxAdvanced Java[Extra Concepts, Not Difficult].docx
Advanced Java[Extra Concepts, Not Difficult].docx
 
Natural birth techniques - Mrs.Akanksha Trivedi Rama University
Natural birth techniques - Mrs.Akanksha Trivedi Rama UniversityNatural birth techniques - Mrs.Akanksha Trivedi Rama University
Natural birth techniques - Mrs.Akanksha Trivedi Rama University
 
PIMS Job Advertisement 2024.pdf Islamabad
PIMS Job Advertisement 2024.pdf IslamabadPIMS Job Advertisement 2024.pdf Islamabad
PIMS Job Advertisement 2024.pdf Islamabad
 
The Diamonds of 2023-2024 in the IGRA collection
The Diamonds of 2023-2024 in the IGRA collectionThe Diamonds of 2023-2024 in the IGRA collection
The Diamonds of 2023-2024 in the IGRA collection
 
Pollock and Snow "DEIA in the Scholarly Landscape, Session One: Setting Expec...
Pollock and Snow "DEIA in the Scholarly Landscape, Session One: Setting Expec...Pollock and Snow "DEIA in the Scholarly Landscape, Session One: Setting Expec...
Pollock and Snow "DEIA in the Scholarly Landscape, Session One: Setting Expec...
 
Pride Month Slides 2024 David Douglas School District
Pride Month Slides 2024 David Douglas School DistrictPride Month Slides 2024 David Douglas School District
Pride Month Slides 2024 David Douglas School District
 
Your Skill Boost Masterclass: Strategies for Effective Upskilling
Your Skill Boost Masterclass: Strategies for Effective UpskillingYour Skill Boost Masterclass: Strategies for Effective Upskilling
Your Skill Boost Masterclass: Strategies for Effective Upskilling
 
How to Build a Module in Odoo 17 Using the Scaffold Method
How to Build a Module in Odoo 17 Using the Scaffold MethodHow to Build a Module in Odoo 17 Using the Scaffold Method
How to Build a Module in Odoo 17 Using the Scaffold Method
 

Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security and Risk Management

  • 2. Agenda § Rinske Geerlings: Risk Management (RM) – Good, bad and ugly Aligning the RM process with ISO 31000 How/where does ISO 27001 fit? § Nick Riemsdijk: Information Security (IS) – Good, bad and ugly Aligning the ISMS process with ISO 27001 Using ISO 31000 within the ISMS § Combined Q&A
  • 3. Background: Rinske Geerlings • Multi-award winning consultant, trainer and auditor in Business Continuity (BCM), IT Management, Information Security and Risk Management • ISO 22301, ISO 27001, ISO 22361, ISO 22316 and ISO 31000 certified • Consulted for 20+ years to 100s of Government entities, SMEs and larger corporates across Australasia, Africa, Europe and Latin America • Risk Consultant of the Year 2017 by RMIA (Australasia) • Outstanding Security Consultant of the Year 2019 Finalist in the OSPAs • Australian Business Woman of the Year 2010-13 by BPW (global NGO) • Alumnus of the Year 2013 (Delft University, Netherlands) • Board Member (ARVP) of ASIS International – Australiasia region • Specific regulatory experience - Australian Prudential Regulation Authority (APRA)
  • 7. ‘The old connotation of the term Risk
  • 8. Good: Adoption of the new definition of Risk
As per the International Standard for Risk Management, ISO 31000:2018:
• Risk = effect of uncertainty on objectives
• Risk management = coordinated activities to direct and control an organisation with regard to risk
  • 9. Good: Understanding that Risk is not all that bad
  • 10. Good: Categorisation of Risk
• Strategic risks, such as those related to mergers, acquisitions, digital transformation, products/services, competitive position, market share, globalisation and industry changes.
• Financial risks, such as market risk, credit risk, liquidity risk, interest rate risk, exchange rate risk, inflation risk and investment risk.
• Operational risks, such as those related to IT services, staff, productivity, physical assets, outsourcing and upstream/downstream supplier relationships.
• Compliance risks, such as those related to contractual obligations, as well as regulations (e.g. environmental, OH&S, ethics and privacy related).
> Whilst any of the above can also result in reputational (i.e. brand-related) risks, we typically see those covered under Strategic risk.
  • 11. The bad and the ugly
• Focus on causes (and treating those) rather than consequences.
• Treatment options/procedures to reduce impact are often not easily extractable: all controls are bundled together with the preventative controls, and the response procedures (or links to them) are not actually held within the system.
• Producing quantity rather than quality: large volumes of data, including ratings, held in big spreadsheets or software tools.
• Maintenance of these becomes a burden, which then has to be carried by non-subject-matter experts (e.g. a centralised Risk function).
• Top-down Risk Appetite and Risk Capacity unclear ('flying blind', hence the risk of over- and/or under-investing in treatments).
  • 12. Typical Risk Appetite Statements
  • 13. Typical Risk Appetite Statements
“We are working towards a position whereby we are not jeopardised by short-term revenue and cost fluctuations.
• We aim to seek opportunities to provide us with sustainable growth, providing that it is in accordance with our shareholders' objectives/goals.
• We will protect partnerships with key, long-term suppliers as a high priority.
• We will protect our brand and do not have appetite for negative public comment (neither in traditional nor in social media) on our products, nor on our staff or services.
• We can absorb some variances in the quality of products and services in the short term, but must be in a position to deliver reliable and consistent quality of products and services in the long term.
• We will look after and protect staff as a high priority.”
  • 14. Typical Risk Appetite Statements
Risk Category: Environment & Sustainable development
Risk Appetite Statement: We conduct our operations in accordance with the principles of ecologically sustainable development and have a strong commitment to protecting and preserving the environment generally. We have a low risk appetite for activities which will erode our ability to protect the environment and a moderate to high risk appetite to prevent incidents that adversely affect or significantly degrade it. We have zero risk appetite for behaviours that amount to deliberate or reckless violations or breaches of environmental laws, regulations or standards, that compromise or adversely affect the environment.
Risk Category: Corporate Social Responsibility
Risk Appetite Statement: We have a close interface with the community. We support the prosperity of the region and balance the priorities of our customers, stakeholders and general public. We strive to be caring for the community, underpinned by values of goodwill and respect. We have a moderate to high risk appetite to deliver sustainable outcomes for the communities in which we operate. In undertaking our community and socially responsible activities, we have a low risk appetite for risks that will adversely impact our reputation and diminish our role in the communities we serve.
Note: These are the 2 least lengthy items out of a 7-page table…
Question: How measurable are these?
  • 17. Aligning the RM process with ISO 31000
• The concept of organizational context and stakeholders
• Structured process (risk assessment, risk treatment)
• Importance of continual improvement
• Leadership and commitment
Where does ISO 27001 fit?
• It deals with Information Security risk (i.e. one of the many risks)
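The two complaints in slides 11 and 14 (response procedures not held in the register, and appetite statements that cannot be measured) both come down to how the register is modelled. The following is an added example, not code from the deck or from PECB, of a minimal ISO 31000-style register in which appetite is a numeric threshold per risk category and preventive controls are kept apart from response procedures, so that a risk above appetite with no linked response can be detected mechanically. The 5x5 matrix, the appetite thresholds, the risk entries and the control names are all constructed for illustration.

```python
"""Added example (not from the presentation): a small ISO 31000-style risk
register with measurable appetite and separated control types.
All risks, ratings, thresholds and control names are constructed."""
from dataclasses import dataclass, field


def risk_level(likelihood: int, consequence: int) -> int:
    """Level on a 5x5 matrix (1..25). The matrix is an assumption of this
    example; many ISO 31000 implementations use one like it."""
    if not (1 <= likelihood <= 5 and 1 <= consequence <= 5):
        raise ValueError("likelihood and consequence must be in 1..5")
    return likelihood * consequence


# Top-down appetite per category, stated as the maximum tolerated level.
# Hypothetical numbers: the point is that "low appetite" becomes a test,
# not a sentence in a 7-page table.
APPETITE = {"strategic": 12, "financial": 10, "operational": 10, "compliance": 4}


@dataclass
class Risk:
    rid: str
    category: str
    description: str
    likelihood: int
    consequence: int
    # Preventive controls act on causes (likelihood); response procedures act
    # on consequences. Keeping them apart is what slide 11 asks for.
    preventive_controls: list = field(default_factory=list)
    response_procedures: list = field(default_factory=list)

    def level(self) -> int:
        return risk_level(self.likelihood, self.consequence)

    def exceeds_appetite(self) -> bool:
        return self.level() > APPETITE[self.category]


def review(register):
    """Return (needs_treatment, missing_response): ids of risks above
    appetite, and the subset of those with no linked response procedure
    (causes treated, consequences not: the 'bad and ugly' case)."""
    needs_treatment = [r.rid for r in register if r.exceeds_appetite()]
    missing_response = [r.rid for r in register
                        if r.exceeds_appetite() and not r.response_procedures]
    return needs_treatment, missing_response


# Constructed sample register.
REGISTER = [
    Risk("R1", "operational", "Ransomware on file servers", 4, 5,
         preventive_controls=["patching SLA", "MFA on remote access"],
         response_procedures=["IR playbook: ransomware",
                              "restore from offline backup"]),
    Risk("R2", "compliance", "Privacy breach via misdirected email", 3, 3,
         preventive_controls=["DLP rule on external recipients"]),
    Risk("R3", "financial", "FX movement on supplier contract", 2, 3,
         preventive_controls=["hedging policy"]),
]

if __name__ == "__main__":
    treat, gaps = review(REGISTER)
    print("above appetite:", treat)        # R1 (20 > 10) and R2 (9 > 4)
    print("no response procedure:", gaps)  # R2
```

Running it lists R1 and R2 as above appetite and flags R2 as having no response procedure, which is exactly the gap a spreadsheet full of ratings hides. The thresholds in APPETITE are the board-level input; everything else is derived from them, so changing appetite re-prioritises the register without re-rating every line.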
  • 18. Background: Nick Riemsdijk • Senior consultant, trainer and auditor in Business Continuity (BCM), Information Security and Risk Management • ISO 22301, ISO 27001, ISO 22316 and ISO 31000 certified • Master of Business Administration - University of Adelaide • Cyber Security Strategy and Risk – RMIT Melbourne • Certified Information Security Manager (CISM) – ISACA • Certified Protection Professional (CPP) - ASIS International • Consulted for 15+ years to several Government entities, SMEs and larger corporates in Australia, Africa and The Netherlands • Focus on Physical and Information Security • Protective Security Framework, Security of Critical Infrastructure act and Information Security Management Frameworks • Utility industry expert
  • 21. Information Security (IS) – First things first
• Cyber security vs information security
• Information Security Management System (ISMS):
  o A framework of policies, procedures, and technical measures designed to manage, monitor, and improve an organization's information security.
  o A systematic approach to ensuring the confidentiality, integrity, and availability of an organization's sensitive information and data assets.
• People, processes and technology
• Includes all types of information: paper-based, cloud, removable media, intellectual property/knowledge and conversations
• Personal Health Information (PHI) and Personally Identifiable Information (PII), including financial information, medical records, social security numbers and contact information
  • 22. Information Security (IS) – Good, bad and ugly
• Improved encryption, more sophisticated and widespread, making it harder for attackers to intercept and decrypt sensitive information.
• Multi-factor authentication has become more common, adding an extra layer of security to login processes.
• Cloud providers are increasingly investing in security measures to protect customer data and prevent unauthorized access.
• More people are becoming aware of the importance of information security, which has led to better cybersecurity practices and increased funding for security research.
• Governments around the world are enacting new laws and regulations to protect personal data and hold companies accountable for data breaches.
• Machine Learning and Artificial Intelligence are used to improve security by identifying potential threats and vulnerabilities before they can be exploited.
  • 23. Information Security (IS) – Good, bad and ugly
• ChatGPT is a sophisticated AI engine, referred to as the new Google, Wikipedia and a chatbot in one.
• GPT stands for Generative Pre-trained Transformer, a type of language model that uses deep learning to generate human-like, conversational text.
• It can be trained on vast amounts of data related to security threats, such as malware, phishing, and hacking.
• ChatGPT can enhance your ISMS by:
  o Assisting in incident response by providing contextual information about the attack and recommended steps to be taken.
  o Providing personalized security recommendations tailored to specific needs and concerns.
  o Analysing data, writing code or creating diagrams.
• Microsoft has developed a version of ChatGPT that has full access to the internet, which ChatGPT itself does not have.
  • 24. Information Security (IS) – Good, bad and ugly
• 25. Information Security (IS) – Good, bad and ugly
  • Overreliance on and overconfidence in technical controls, while 95% of cybersecurity breaches are due to human error
  • Internet of Things (IoT) devices are becoming increasingly common, but many lack adequate security features, making them vulnerable to attack and potentially allowing attackers to gain access to other devices on the network.
  • Insider threats pose a significant risk to information security, as employees, contractors, or business partners with access to sensitive information can cause harm either intentionally or unintentionally.
  • A lack of security awareness: many people are not aware of the risks associated with sharing personal information online or clicking on suspicious links, leaving them vulnerable to attack.
  • Weak security controls, such as easily guessable passwords or unpatched software vulnerabilities, can be exploited by attackers to gain access to systems and data.
• 26. Information Security (IS) – Good, bad and ugly
  • Ransomware attacks are impacting critical infrastructure, including hospitals, energy utilities, traffic systems and the financial industry
  • Pacemakers and insulin pumps: these can provide live health information and receive device updates, but could also be manipulated
  • Self-driving vehicles, boats and autonomous planes create a whole new category of security risks
• 27. How can we align the ISMS process with ISO 27001?
  • ISO 27001 is a widely recognized international standard for information security management.
  • ISO 27001:2022, released last year, is more closely aligned with other standards, including ISO 31000.
  • Aligning information security processes with the 27001 standard can help organizations establish and maintain a comprehensive framework for managing information security risks.
  • Organizations that implement ISO 27001 demonstrate their commitment to protecting information and managing risks effectively.
  • Certification to the standard can provide a competitive advantage by demonstrating compliance with international standards and customer requirements.
  • 6 steps to align your information security processes with ISO 27001
• 28. How can we align the ISMS process with ISO 27001?
  1. Define the scope of the ISMS and produce a Statement of Applicability as per clause 6.1.3 d in the standard.
  2. Conduct a thorough risk assessment to identify and prioritize information security risks based on their likelihood and potential impact.
  3. Develop and document information security policies and procedures that address the identified risks and align with the requirements of ISO 27001.
  4. Implement a set of security controls to mitigate the risks identified in step 2; the controls should be aligned with the ISO 27001 standard.
  5. Continuously monitor and review the effectiveness of the security controls in place and adjust as needed. This includes conducting regular audits and risk assessments to ensure that the security controls remain effective over time.
  6. Obtain and maintain ISO 27001 certification to demonstrate that the organization has implemented a comprehensive information security management system that meets international standards.
• 29. Using ISO 31000 in an ISMS
  • ISO 31000 is a general standard for risk management that can be applied to any type of risk, including strategic, operational, financial, and reputational risks. ISO 27005 is a specific standard for information security risk management.
  • As ISO 31000 is widely used, using this standard for your ISMS risk management allows it to integrate seamlessly with other organizational risk processes.
  • ISO 27005 focuses specifically on the risk management process for information security risks, and so provides a more detailed framework for those risks.
  • The ISO 31000 principles are essential for solid ISMS risk management.
  ISO 31000 Principles
  • Integrated
  • Structured and comprehensive
  • Customized
  • Inclusive
  • Dynamic
  • Best available information
  • Human and cultural factors
  • Continual improvement
• 30. Using ISO 31000 processes in an ISMS
  Each ISO 31000 process step, with the ISO 27001:2022 clauses it maps to:
  • Establish the scope, context and criteria: 4.1 Understanding the organization and its context; 4.3 Determining the scope of the ISMS
  • Identify risks, including the likelihood and potential impact of each risk: 6.1.1 General; 6.1.2 Security risk assessment
  • Analyze risks using quantitative or qualitative methods: 6.1.2 Security risk assessment; 8.2 Information security risk assessment
  • Evaluate the risks based on the organization's risk criteria: 6.1 Actions to address risks and opportunities; 6.1.1 General; 6.1.2 Security risk assessment; 8.2 Information security risk assessment
  • Develop and implement risk treatment plans to mitigate or eliminate the identified risks: 6.1.3 Risk Treatment; 8.3 Information security risk treatment
  • Monitor and review: continuously monitor and review the effectiveness of the risk management processes: 6.1.1 General; 6.1.2 Security risk assessment; 6.1.3 Risk Treatment; 8.2 Information security risk assessment; 8.3 Information security risk treatment
  By using ISO 31000 in an ISMS, organizations can establish a systematic and structured approach to managing risks to their information assets.
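As an added example (not from the slides), the ISO 31000 steps mapped above and the six alignment steps on slide 28 carried through in Python for a constructed risk register: the acceptance threshold, the 1..5 scoring scale, the assets and events, and the Annex A control numbering are all assumptions made here for illustration.

```python
# Added example: a tiny ISMS risk register walking the ISO 31000 steps mapped to ISO 27001
# above. All assets, scores, thresholds and control mappings are constructed for illustration.
from dataclasses import dataclass, field

# Step 1 (cl. 4.1, 4.3, 6.1.2 a): scope and risk acceptance criteria set by management.
CRITERIA = {"scope": "customer portal", "accept_below": 8}  # score = L x I, range 1..25

# Treatments mapped to Annex A controls (numbering assumed from ISO 27001:2022; verify it).
ANNEX_A = {"patching": "A.8.8 Management of technical vulnerabilities",
           "mfa": "A.8.5 Secure authentication"}

@dataclass
class Risk:
    asset: str
    event: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)
    treatment: str = "accept"
    controls: list = field(default_factory=list)

    def score(self) -> int:
        """Step 3 (cl. 6.1.2 d, 8.2): qualitative analysis, likelihood x impact."""
        return self.likelihood * self.impact

def evaluate(risk: Risk, criteria: dict = CRITERIA) -> bool:
    """Step 4 (cl. 6.1.2 e): True when the risk exceeds the acceptance criteria."""
    return risk.score() >= criteria["accept_below"]

def treat(register: list, plan: dict) -> list:
    """Step 5 (cl. 6.1.3, 8.3): each risk failing evaluation is modified with the
    Annex A control chosen in `plan` (event -> ANNEX_A key); the rest stay accepted."""
    for r in register:
        if evaluate(r):
            r.treatment, r.controls = "modify", [ANNEX_A[plan[r.event]]]
    return register

def statement_of_applicability(register: list) -> dict:
    """Clause 6.1.3 d: every Annex A control with its inclusion/exclusion justification."""
    soa = {c: "Excluded: no in-scope risk requires it" for c in ANNEX_A.values()}
    for r in register:
        for c in r.controls:
            soa[c] = f"Included: treats '{r.event}' on {r.asset} (score {r.score()})"
    return soa

# Step 2 (cl. 6.1.2 c, 8.2): constructed risk identification for the scope above.
REGISTER = [Risk("web server", "unpatched vulnerability exploited", 4, 5),
            Risk("admin accounts", "credential phishing", 3, 4),
            Risk("file share", "lost removable media", 2, 3)]  # 6 < 8: accepted
PLAN = {"unpatched vulnerability exploited": "patching", "credential phishing": "mfa"}
SOA = statement_of_applicability(treat(REGISTER, PLAN))  # step 6: evidence for the auditor
```

The monitor-and-review step (slide 28, step 5) is the same pipeline re-run with updated likelihood and impact values once control effectiveness has been measured.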
• 31. Final tips
  • Use the controls in Annex A of the ISO 27001 standard to identify risk sources
  • NIST SP 800-30 Rev. 1, Guide for Conducting Risk Assessments, has a comprehensive list of threat sources, events and vulnerabilities in its appendices which can be considered in ISMS risk assessments
  • Align ISMS risk management with your organization's holistic risk framework, which is much easier if both are based on ISO 31000.
  • Include non-IT staff, suppliers and customers in risk assessments
  • Subscribe to threat intelligence reports and IT security newsletters, join special interest groups and participate in information security forums
  • Attain organizational ISO 27001 certification: the process of preparing for the audit, including the internal audit, confirms the maturity of the ISMS and will identify gaps in capability (which can then be addressed). Maintaining the certification is an important driver for the maintenance and continuous improvement of your ISMS.