Summary: Risk management is a trade-off between risks and costs. Risk treatment is no doubt essential for any business or individual to survive. ISO 27005 elaborates different methods on treating risk related to information security, which help organizations to mitigate risks. In this free PECB International webinar, the following areas will be covered: • Risk treatment option • Risk treatment plan • Evaluation of residual risk Presenter: This webinar will be presented by Mohamad Khachab, an independent consultant and a managing partner of ICS SARL, a boutique management consulting, recruiting, and training firm in Lebanon. Khachab has a wide range of information risk management and IT procurement skills earned through more than 30 years of experience in the US and Middle East. Khachab has been performing consulting assignments since the late 80's (KPMG, AIC, ADETEF, Nielsen, World Bank, ITCILO, etc.). He has established a strong reputation and proven record of delivering benefits to clients by teaching information risk management and MIS to businesses and universities.

2. Certified ISO 27005 Risk Manager
Section 9
a. Risk treatment process
b. Risk treatment options
c. Risk treatment plan
Risk treatment

3. 6. Risk Treatment
3.1 Identification
of assets
3.2 Identification
of threats
3.3. Identification
of existing
controls
3.4. Identification
of vulnerabilities
3.5. Identification
of consequences
4.1. Assessment
of
consequences
4.2 Assessment
of incident
likelihood
4.3 Level of risk
determination
6.1 Risk
treatment
options
6.2 Risk
treatment
plan
6.3 Evaluation
of
residual risk
6. Risk
Treatment
7. Risk
Acceptance
2.ContextEstablishment
9. Risk Monitoring and Review
3. Risk
Identification
4. Risk
Analysis
5. Risk
Evaluation
7.1 Risk
treatment plan
acceptance
7.2 Residual risk
acceptance
1. Risk Management ProgrammeRisk Assessment
9. Risk Monitoring and Review
8. Risk Communication and Consultation
5.1
Evaluation of
levels of risk
based on risk
evaluation criteria

4. 6.1. Selecting the Risk Treatment Options
ISO 27005, clause 9.1 & ISO 31000, clause 5.5.2
Input
• List of risks
prioritized
according to
risk
evaluation
criteria in
relation to the
incident
scenarios that
lead to those
risks
Activities
• Select the
controls to
reduce,
retain, avoid,
or share the
risks
Output
• Risk
treatment
option
selected in
relation to the
risk
scenarios

5. Process of Risk Treatment and Acceptance of Risk
Risk
modification
Risk
retention
Risk
avoidance
Risk
sharing
Residual Risks
Risk acceptance
Risk assessment
Acceptable risk?
yes
No
RISK
TREATMENT
PLAN
Choice of
options
Satisfactory
assessment?
yes
No

6. Risk Treatment Options
ISO 27005, clause 9
Risk Modification
Introducing, removing or altering controls so that the
residual risk can be reassessed as being acceptable
Risk Retention
The management decided to accept the actual
level of risk
Risk Sharing
Decision to share risks with external parties:
insurance or outsourcing
Risk Avoidance
Cancellation or modification of an activity or set of
activities related to risk
Risk
Modification
Risk
Sharing
Risk
Retention
Risk
Avoidance

7. Risk Modification
ISO 27005, clause 9.2
RECOVERY
MONITORING
DETECTION
DETERRENCE
IMPACT REDUCTION
PREVENTION
DISPOSAL
CORRECTION
Typeoffunctionofthesecuritycontrols
AWARENESS
The risk level
should be
reduced by the
selection of
security controls
so that the
residual risk can
be reevaluated as
being acceptable

8. ISO 27002 Controls
A 5 Information security policy
A 6 Organization of information security
A 7 Human resources security
A 8 Asset management
A 9 Access control
A 10 Cryptography
A 11 Physical and environmental security
A 12 Operations security
A 13 Communications security
A 14 System acquisition, development and maintenance
A 15 Supplier relationships
A 16 Information security incident management
A 17 Information security aspects of business continuity management
A 18 Compliance
Code of practice for information security management

9. Achieving Balance in Risk Reduction
Maximizing the cost/risk ratio
Cost of the
controls
Low
High
Risk
Low
High
No treatment
Insufficient treatment
Risks covered effectively
Cumbersome procedures,
high costs
Excessive procedures, loss of
operational efficiency

10. Risk Retention
ISO 27005, clause 9.3
 If the level of risk meets the criteria for risk
acceptance, it is not necessary to implement
additional security controls and the risk may be
accepted de facto
 Retaining the current risk, however, must be
documented

11. Risk Avoidance
ISO 27005, clause 9.4
When the identified risk scenarios are considered
too high, a decision can be taken to avoid the risk
entirely:
By the cancellation of an activity or set of
activities
Or modify the conditions under which the
business operates
Example : We avoid accident risks during a storm
by working at home

12. Risk Avoidance
Examples
1. By ceasing certain activities (e.g. discontinue to use
Internet in a research center)
2. By removing the assets from an area at risk (do not
store sensitive documents on the corporate Intranet, or
move the servers to the 4th floor to avoid a risk of
flooding)
3. Deciding not to exchange sensitive information (with
third parties) if adequate protection is not guaranteed

13. Risk Sharing
ISO 27005, clause 9.5
 Risk can be shared with another party which can
manage it more effectively
 This is the best option when:
It is difficult for an organization to reduce risk to
an acceptable level
The organization lacks the expertise to manage it
It is more economical to transfer it to a third party

14. Risk Sharing
Possible methods
There are two main methods of risk sharing:
1. Insurance: Any other form of covering risks
contracted by an organization in exchange for
paying a premium
2. Outsourcing: Transfer of all or part of a business
activity to an external partner

15. The Denial of Risk
Is never an option for the treatment of risk
“ I imagine no circumstance that could
cause the sinking of the ship. I do not
want to imagine a life threatening
disaster that could affect that ship ”
Captain of the Titanic, 1912
Source: Institute for Governance of Information Systems
ISACA, 2004

16. Risk Treatment Options
2.6.
5.
4.
3.
1.
Risk Removing
Risk Changing
Risk Sharing
Risk Retaining
Risk Avoidance
Risk Increase
ISO 31000, clause 5.5.2 (Not in ISO 27005)

17. Risk Removal
This option consists of removing the risk source.
This option is feasible only in the unlikely event that the
organization has the possibility of removing the source of
the risk, which is not really applicable in information
security
Ex: Lobbying to have a law revoked.
ISO 31000, clause 5.5.2 (Not in ISO 27005)

18. Increasing Risk
A risk treatment option?
 It is the reduction of current level of security control
or being exposed to a greater risk exposure
 Two logical situations:
1. Increase the exposure to risk if the organization
can take advantage of more opportunities
2. Reduce the level of security control if the costs
exceed the benefits

19. 6.2. Defining a Risk Treatment Plan
ISO 27005, clause 9.1 & ISO 31000, clause 5.5.3
Input
• List of risks
with
treatment
option
selected
Activities
• Define the
risk
treatment
plan
Output
• Risk
treatment
plan

20. Risk Treatment Plan
 Once the decisions on the risk treatment
options have been taken, activities to
implement these decisions must be
identified and planned
 Activities should be classified in order of
priority
 The necessary resources must be
allocated to the treatment plan

21. Risk Treatment Plan
Example
Risk scenario
Risk
level
Priority
Treatment
option
Control
Resources
required
Responsible
Start date
End date
Maintenance
required /
Comments
Unauthorized users can
log on via the extranet
to Sharepoint and
search for sensitive
files of the organization
with the requested ID
6 High avoid Make
Sharepoint
Inaccessible
10 hours to
reconfigure
and test the
system
David Smith,
Sharepoint
administrator;
John McGee,
firewall
administrator
01-03-2008
02-03-2008
Make periodic
security
reviews of the
system to
ensure that
adequate
security is
provided for
Sharepoint

22. 6.3. Evaluation of Residual Risks
ISO 27005, clause 9.1
Input
• List of risks
listed
• Risk
treatment
plan
Activities
• Evaluation of
the residual
risk
Output
• New value of
the residual
risks

23. Evaluation of Residual Risk
ISO 27001, clause 6.1.3 f), ISO 27005, clause 3.8
2. Treated Risk
Risk eliminated with controls
1. Residual Risk
Risk remaining after treatment of risk
Management must be
aware of the residual
risks and accept
responsibility for them
Inherent Risk
All risks without accounting for
controls
2
1

24. Calculation of Residual Risk
Example
Scenario
Risk
value
Control
value
Residual Risk
value
Scenario A 10 3 7
Scenario B 8 1 7
Scenario C 15 6 9
Scenario D 3 0 3
Scenario E 4 0 4
Scenario F 8 2 6