ISO/IEC 27005:2022 provides guidance in assisting you and your organization to perform information security risk management activities.
Amongst others, the webinar covers:
• Changes to the ISO/IEC 27005:2022 standard
• Why a new ISO/IEC 27005-standard?
Presenters:
Anders Linde
Anders Linde, founder of CISO27, holds more than 12 years of information security consulting and training experience. Anders is particularly interested in resolving the challenges arising from the consolidation and adaptation of international best practices in different organizational settings. Anders is a PECB certified trainer and member of SC27, contributing to the international development of the ISO/IEC 27000 series.
Tony Chebli
Tony is a cybersecurity practice leader and certified instructor. He was appointed as a CISO “information security head” for Group Credit Libanais for the past 13 years.
Tony engineered a security program derived from ISO 27001 and PCI-DSS which helped the Bank comply with Central Bank of Lebanon and Banking Control Commission circulars and satisfy the external and internal IT auditors’ requirements.
He was featured as a keynote speaker at several conferences and contributed to developing security awareness in the Middle East.
Tony was hosted as a speaker at the ISC2 Secure Summit in Dubai (November 2017) and the PCI Council in Dubai (April 2016), and he also conducted road shows about ISO 27001 in KSA, Dubai, Jordan and Lebanon.
Tony received for three consecutive years the “CISO 100 information security executive” award from the Middle East Security Awards (MESA) in Dubai.
Date: November 16, 2022
Tags: ISO, ISO/IEC 27005, Information Security Risk Management
4. The purpose of ISO/IEC 27005
In a context of information security:
• Assessing risk
• Treating risks
• Monitoring risks
• Communication of risks
5. Continuous improvements
PLAN
• Scope determination and risk acceptance
• Risk assessment process
DO
• Risk assessments are carried out according to the process and risks
CHECK
• Risk owners follow up on action plans derived from the risk assessments
ACT
• The effectiveness of measures has been verified
New information? Changed value of information? New threats? Information security incidents? New business processes? New vulnerabilities?
6. ISO/IEC 27001: Methodology
Approach:
• Framework enabling comparable and reproducible results
• Criteria for identification, analysis and evaluation
• Risk acceptance criteria consistent with policies, objectives and stakeholders
• Actions to address risks
• Organizational setup, including designation of risk owner
7. ISO/IEC 27001: Risk Assessment
Probability: How likely is an incident to occur?
Consequence: What impact does this have on our information assets?
Risk: the combination of the two
10. Why a new ISO/IEC 27005-standard?
• 2008: First version
• 2011: Adapted to the 2005-version of ISO/IEC 27001
• 2018: Off with 27001 references and Annex G
• 2022: Adapted to the 2013 and 2022-version of ISO/IEC 27001
11. ISO/IEC 27001-alignment
"This document provides guidance on implementation of the information security risk requirements specified in ISO/IEC 27001:2022"
ISO/IEC 27005:2022, introduction
12. Risk management process
Establishing context → Risk assessment (risk identification → risk analysis → risk evaluation) → Risk treatment
Communication and consulting, and monitoring and review, run alongside every step of the process.
13. Risk assessment
Identification: Find risk scenarios
Analysis: Calculate probability and consequence
Evaluation: Compare risks with acceptance criteria
Example risk scenario: Power outage, no diesel for generator
Probability scale: 4. Very likely / 3. Likely / 2. Quite unlikely / 1. Very unlikely
Consequence scale: 4. Very big consequence / 3. Great consequence / 2. Small consequence / 1. Very little consequence
14. Asset- vs. event-based approach
Interplay between an event- and asset-based approach, cf. ISO/IEC 27005:2022
15. Strategy vs. Operations
Risk scenarios based on an event- or asset-based approach, cf. ISO/IEC 27005:2022, figure A.4
18. Risk treatment
• Accept: Choosing to live with the risk
• Avoid: Not starting or continuing that activity
• Modify: Maintain or change the risk
• Share: Share responsibility with other parties
20. Risk management in an ISMS
4. Context of the organization: The organization and its framework; stakeholders' expectations and needs; determination of the ISMS scope
5. Leadership: Leadership and commitment; policy; roles, responsibilities and authorities in the organization
6. Planning: Actions to manage risks and opportunities; information security objectives and planning to achieve them
7. Support: Resources; competences; awareness; communication; documentation
8. Operation: Operational planning; assessing information security risks; treating information security risks
9. Evaluation of performance: Monitoring, measurement, analysis and evaluation; internal audit; management review
10. Improvement: Nonconformities and corrective actions; continuous improvement
ISO/IEC 27005:2022: Leveraging related ISMS processes (clause 10)
22. Gathering the annexes
ISO/IEC 27005:2018
• Annex A (informative) Defining the scope and boundaries of the information security risk management process
• Annex B (informative) Identification and valuation of assets and impact assessment
• Annex C (informative) Examples of typical threats
• Annex D (informative) Vulnerabilities and methods for vulnerability assessment
• Annex E (informative) Information security risk assessment approaches
• Annex F (informative) Constraints for risk modification
ISO/IEC 27005:2022
• Annex A (informative) Techniques in support of the risk assessment process:
• A.1 Information security risk criteria
• A.1.1 Criteria related to risk assessment
• A.1.2 Risk acceptance criteria
• A.2 Practical techniques
• A.2.1 Information security risk components
• A.2.2 Assets
• A.2.3 Risk sources and desired end state
• A.2.4 Event-based approach
• A.2.5 Asset-based approach
• A.2.6 Examples of scenarios applicable in both approaches
• A.2.7 Monitoring risk-related events
25. Terms included
"An effect is a deviation from the expected, positive or negative" (ISO/IEC 27005, 3.1.1, note 1)
"Information security risks are always associated with a negative effect of uncertainty on information security objectives" (ISO/IEC 27005, 3.1.1, note 6)
26. Triggers
Input: Identifies all necessary information to perform the activity
Action: Describes the activity
Trigger: Provides guidance on when to start the activity, for example due to a change in the organization or according to a plan
Output: Identifies all information resulting from the performance of the activity, as well as any criteria that such output must meet
Guidance: Provides guidance in carrying out the activity, keywords and key concepts
27. Summary
More practical in relation to the ISO/IEC 27001 requirements
Important distinction between an asset- and event-based approach
More specific guidance on risk management techniques via examples and the annex
Speaker background: standardization body in Denmark, development of standards in SC 27, training/consulting via own company
Obviously, this session will clarify the major changes to 27005 and open up for questions at the end. Reflections also along the way, as Tony and I will share some of our thoughts on the value and the implications of the changes.
Just to set the stage here and where we are with 27005. Numerous standards support risk management. At the top we have the generic risk management standard ISO 31000, with which the subject-specific standards such as 27005 are aligned, covering everything from food safety and pollution to information security.
It is accompanied by an IEC standard, 31010 from 2019, which concerns risk management techniques and which walks us through a multitude of risk management models: bowtie, Pareto, Octave, qualitative/quantitative models. All good stuff.
When we move down to the information security level, we have ISO/IEC 27005, the topic for today. I have also allowed myself to mention some even more specific standards under the heading of information security. Risk in the context of privacy: the latest is 27557, dealing with organizational risk.
But let's get back to ISO/IEC 27005. What is the purpose of the standard? Well, to help us on the journey of risk assessment and treatment. It does not specify or recommend specific risk management methods in detail. Instead, the process is discussed more generally, built from the generic risk standard that I mentioned:
Identify and assess the risks.
Decide what to do about the risks (how to 'treat' them) ... and do it;
Monitor risks, risk treatments, etc., identify and respond appropriately to significant changes, problems/concerns, or opportunities for improvement;
Keep stakeholders (mainly the management of the organization) informed throughout the process.
Most importantly, we want the standard to assist in daily risk management life, so that when we are operational we have a setup that ensures:
We do not overlook or underestimate risks
We take the necessary measures
Now, this webinar is about ISO/IEC 27005, but most of you joining are looking into 27005 to get some help on the requirements coming from 27001. 27001 is the certifiable standard, which among other things lists requirements for the information security risk assessment. And so we turn to 27005 for answers. Roughly, answers to three requirements.
So, firstly: 27005 should help us on the methodology.
Consistency: Assessments of the same risks carried out by different persons or by the same persons on different occasions should provide similar results
Comparability: Risk assessment criteria should be established to ensure that assessments of different risks produce comparable results
Validity: assessments must produce results that are as close as possible to reality
Secondly, an actual risk assessment. 27005 should guide us on the requirement from 27001 of finding probability and impact to reach an understanding of the level of risk.
And thirdly, how to treat the risks found. 27005 should help us on the options we have, but also something else. It should guide us on how to ensure we are not overlooking any key controls. That's where the Statement of Applicability comes in. So, we expect a lot of guidance from 27005.
But Tony, do we really need this? Why don't we just work from the text of 27001?
The 2022 version contains nearly 100 references to ISO/IEC 27001, and the structure itself has been adjusted in several ways to better guide on the requirements for an ISMS. ISO/IEC 27005, VI: "This document is intended to be used by: — organizations that intend to establish and implement an information security management system (ISMS) in accordance with ISO/IEC 27001"
Fortunately, the update this time around has taken into account the latest release of 27001. As some of you know, that wasn't hard, since 27001 in its actual requirements text didn't change. However, going from guidance for the 2005-version of 27001 to the 2013-version required some changes, and let's talk about them.
Establishing context: With the new version, however, a direct link has been added to the planning required under ISO/IEC 27001's clause 4, where the organization's business framework, stakeholders' expectations and the scope are addressed. ISO/IEC 27005 thus now describes how these requirements affect, among other things, the determination of risk appetite and the organization of the risk management process.
Assessment: The 2018 version of ISO/IEC 27005 takes assets, threats and vulnerabilities as its starting point in the initial parts of the risk assessment, despite none of these concepts being mentioned in ISO/IEC 27001's requirements clauses. That has now changed, so the subclauses of ISO/IEC 27005 explain risk ownership, as well as the calculation of probability and consequence for establishing an appropriate risk level. ISO/IEC 27001:2013, cl. 4-10.
Treatment: Where the 2018 version loses itself in describing the options under the risk treatment part, users of 27001 and 27005 can now be pleased that the activities under risk treatment also include the application of ISO/IEC 27001's Annex A and guidance on the actual establishment of a Statement of Applicability (SoA document). The new ISO/IEC 27005 thus sheds light on how Annex A serves as a safety net to ensure that the organization does not overlook necessary measures to tackle the risks found. As in the previous section, considerable space is also devoted to the risk owner's role in approving plans and accepting the residual risk.
Now, it's business as usual, since the structure of the standard still works from the generic 31000-model.
So, there is a chapter on context establishment. Basically preparation of the chosen model: criteria for assessing and accepting. The new deal here is how the context establishment phase includes the considerations from chapter 4 in 27001: stakeholders, business and legislation.
Investigation into what could happen. Usually the standard would dig into assets and threats alone, but now two approaches are listed: an event- and an asset-based approach to finding risk scenarios.
Analysis deals with understanding the risk. This is where we assign value to the risks: probability and consequence to set a score.
Decision comes in the evaluation phase. We set the scores from the previous phase against our risk acceptance.
We end up at risk treatment, which is also a bit different. More on that later.
So, the three phases of the risk assessment repeated horizontally…
So, I mentioned that the standard now provides two approaches to risk identification. Here's an illustration of these two:
The event-based approach is built on the premise that risks are captured through possible events and consequences. Therefore, it becomes crucial to identify the concerns that characterize risk owners, business owners and top management, as well as the requirements found by uncovering the organization's context. The event-based approach provides as output some overall, business-critical risk scenarios that can be captured quite quickly via interviews without drowning in detailed descriptions of assets.
The asset-based approach identifies operational scenarios based on the specific assets, threats and associated vulnerabilities. The premise here is that risks can be identified and assessed by examining assets, threats and vulnerabilities. Assets are understood as anything that is of value to the organization, supporting as well as primary assets, and should therefore be protected. Risks are identified by finding possible links between assets, threats and vulnerabilities within the management system that can potentially lead to loss of confidentiality, integrity and availability of information.
Another way of illustrating the interplay between the two approaches, from the standard's figure A.4.
The two risk approaches differ primarily in their starting point, but both will be able to describe the same risk scenarios. The event-based approach works from a strategic level with a focus on consequences, down towards the compromised assets, while the asset-based approach begins at an operational level in order to identify compromised information based on threats' exploitation of vulnerabilities, and then moves up towards the overall consequences thereof.
I have just included this model, which I think kind of depicts how the asset-based model might originate from an IT department's assessed risks,
whereas the event-based model works from business concerns down to understanding the probability with the help of operational insight. In the middle is a tactical level where risk scenarios ideally draw from both models to find scenarios relevant to the protection of confidentiality, integrity and availability.
What do you think, Tony? Is it relevant for us to get this information on models in the new version?
Moving on to risk treatment, which is initially business as usual.
Outsourcing, insurance
Risk retention, acceptable levels
Avoid: close a business process, perhaps owing to a pandemic… maybe sanctions towards a country.
The new element, ladies and gentlemen: 27005 now includes the requirement of 27001 related to building an SoA from Annex A in 27001. For some organisations the connection between risk assessment and the SoA is at best blurred. Hopefully the guidance here will ensure the connection.
And while we are talking about the 27001 connection: here is an overview of the requirements chapters in 27001.
An entirely new chapter has emerged. The standard now takes us through other parts of the ISO/IEC 27001 standard's requirements where risk management plays an important role. It begins by explaining how sources of risk are identified by analysis of the organisation's internal and external frameworks, as well as by analysing stakeholders' expectations and needs. Next, top management's responsibility for, among other things, allocating resources and making risk-related decisions is addressed. It is also in section 10 that we find the guidance for the communication and consultation part of the risk management process, but now with a focus on ISO/IEC 27001's communication requirements and in particular the communication that should take place when risk owners are identified and in charge of the approval of risk treatment plans. Section 10 also addresses the special documentation requirements regarding documentation of risk criteria, the process itself, as well as assessment reports and treatment plans. Finally, the usual guidance for the process of monitoring and review follows, but this time linked to ISO/IEC 27001's requirements for e.g. measurement, and subsequently supplemented with considerations for management review, including management's regular check-up on the results of the overall risk work. The section concludes with a guide to ISO/IEC 27001's requirements regarding management of nonconformities in relation to addressing risks outside the organization's risk appetite, as well as continuous improvement of the risk management process with a focus on "lessons learned".
Does it make sense to include this chapter, Tony? Are we focusing too much on the ISMS now?
Mapping of the 2018 annexes to the 2022 edition:
Annex A → treated under context (6) and ISMS leveraging (10)
Annex B → concise, A.2.2 Assets
Annex C → A.2.3 Risk sources and desired end state (APT) and A.2.5 Asset-based approach (catalogue)
Annex D → A.2.5 Asset-based approach
Annex E → A.1.1 Criteria related to risk assessment
Annex F → concise, 6.4 Establishing and maintaining information security risk criteria
Here it should be noted that space is now given to the quantitative calculation model. In general, organizations typically work with qualitative and semi-quantitative models, where the former involves using simple scales expressed with colors or words (e.g. low, medium, high) and the latter draws on number scales (e.g. 1-4) with qualitative descriptions. The quantitative models, on the other hand, are based on economic figures and frequency calculations within a defined period. It is in ISO/IEC 27005's Annex A that the quantitative approach is now unfolded with illustrations of probability and consequence scales (Figure 5), parallel to the annex's presentation of the well-known qualitative scales. To the extent that an organization has the necessary data and, not least, employee competencies, the quantitative model will potentially remove the ambiguities and unclear points that often accompany the description of the qualitative scales. Looking ahead, it seems obvious that the annex's review of quantitative calculation models should be supplemented with several examples of both scales and calculation methods, e.g. the Annual Loss Expectancy (ALE) model.
Can organizations perform these tasks related to a quantitative approach?
Clean-up related to what risk means in regard to information security…
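To make the analysis and evaluation steps concrete, here is an added example (not from the webinar or the standard) that applies the 1-4 probability and consequence scales from the risk assessment slide to a small constructed risk register, compares the scores with an acceptance criterion, and shows the quantitative ALE variant mentioned above for comparison. The multiplication rule, the acceptance threshold of 6, the scenario ratings, the SLE and ARO figures, and all names in the code are assumptions of this example; ISO/IEC 27005 leaves the combination rule and the criteria to the organization.

```python
"""Semi-quantitative risk scoring on 1-4 scales plus a quantitative ALE check.
Added illustration: threshold, formula and sample figures are assumptions."""
from dataclasses import dataclass
from enum import IntEnum
from typing import List


class Probability(IntEnum):
    """Probability scale as shown on the risk assessment slide."""
    VERY_UNLIKELY = 1
    QUITE_UNLIKELY = 2
    LIKELY = 3
    VERY_LIKELY = 4


class Consequence(IntEnum):
    """Consequence scale as shown on the risk assessment slide."""
    VERY_LITTLE = 1
    SMALL = 2
    GREAT = 3
    VERY_BIG = 4


@dataclass(frozen=True)
class Scenario:
    """A risk scenario from the identification step: what happens and why."""
    name: str
    cause: str
    probability: Probability
    consequence: Consequence


def risk_level(scenario: Scenario) -> int:
    """Analysis: combine the two ratings into one score (1..16).
    Multiplying is an assumption of this example, not a rule of the standard."""
    return int(scenario.probability) * int(scenario.consequence)


def evaluate(scenario: Scenario, acceptance_threshold: int) -> str:
    """Evaluation: compare the score with the acceptance criterion.
    Anything above the threshold goes to treatment and a risk owner decision."""
    return "treat" if risk_level(scenario) > acceptance_threshold else "accept"


def prioritise(register: List[Scenario], acceptance_threshold: int) -> List[Scenario]:
    """Return the scenarios that need treatment, highest score first."""
    to_treat = [s for s in register if evaluate(s, acceptance_threshold) == "treat"]
    return sorted(to_treat, key=risk_level, reverse=True)


def annual_loss_expectancy(single_loss_expectancy: float,
                           annual_rate_of_occurrence: float) -> float:
    """Quantitative alternative: ALE = SLE x ARO, the expected loss per year,
    which can be compared directly with a monetary risk appetite."""
    return single_loss_expectancy * annual_rate_of_occurrence


# Constructed sample register; the ratings are illustrative, not real assessments.
SAMPLE_REGISTER = [
    Scenario("Power outage", "No diesel for generator",
             Probability.LIKELY, Consequence.GREAT),
    Scenario("Laptop theft", "Device left in a taxi",
             Probability.QUITE_UNLIKELY, Consequence.SMALL),
    Scenario("Ransomware on file servers", "Phishing e-mail opened by staff",
             Probability.QUITE_UNLIKELY, Consequence.VERY_BIG),
]
ACCEPTANCE_THRESHOLD = 6  # assumed criterion: scores of 6 or below are accepted


if __name__ == "__main__":
    for s in SAMPLE_REGISTER:
        print(f"{s.name:28} score={risk_level(s):2} -> {evaluate(s, ACCEPTANCE_THRESHOLD)}")
    print("Treatment order:",
          [s.name for s in prioritise(SAMPLE_REGISTER, ACCEPTANCE_THRESHOLD)])
    # Quantitative view of the power outage: assumed SLE 40 000 and ARO 0.25 (once in four years)
    print("ALE for power outage:", annual_loss_expectancy(40_000, 0.25))
```

Running the block lists the power outage (score 9) and the ransomware scenario (score 8) for treatment and accepts the laptop theft (score 4); the ALE line shows how the same scenario can be expressed as an expected yearly loss once the organization has the data the passage above calls for.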
Input: Identifies any required information to perform the activity.
Action: Describes the activity.
Trigger: Provides guidance on when to start the activity, for example because of a change within the organization or according to a plan.
Output: Identifies any information derived after performing the activity, as well as any criteria that such output should satisfy.
Guidance: Provides guidance on performing the activity, keywords and key concepts.