Information Security Risks Management Maturity Model (ISRM3)
1. A Model to Assess the Maturity Level of the Risk Management Process in Information Security
Janice Mayer
Universidade do Vale do Rio dos Sinos (UNISINOS)
j.mayer@brturbo.com.br
Leonardo Lemes Fagundes
Universidade do Vale do Rio dos Sinos (UNISINOS)
llemes@unisinos.br | Phone: +55 51 3591 1100, extension 1775
4th IFIP/IEEE International Workshop on BDIM, 9 June 2009
3. Introduction
Information: one of the most valuable assets.
Risk Management (RM): an essential front.
Achieve compliance with laws, standards and regulations.
Meet the mandatory requirements for certification of an Information Security Management System.
4. Motivation
Companies need to implement RM.
There is no maturity model aimed at RM in Information Security.
A maturity model identifies deficiencies in process structure and management.
It guides improvements toward predictability, control and effectiveness.
5. Objective
Describe the structure of a model for assessing the maturity level of the RM process in the realm of Information Security.
7. Risk Management Maturity Model
In Information Security (MMGRseg)
MMGRseg is comprised of a set of requirements and best practices that provides a formal structure.
Aligned with the ISO/IEC 27005 standard.
8. Structure - MMGRseg
Comprised of:
three stages;
five maturity levels;
forty-three control objectives;
one control map;
one assessment instrument relative to the maturity level of the activities of the RM process;
an accountability matrix relative to each activity of the process; and
a risk scorecard.
9. Stages - MMGRseg
Organized in three stages:
Immaturity: processes are improvised.
Maturity: processes are defined, standardized and controlled.
Excellence: processes are optimized.
11. Control Objective - MMGRseg
CD1 Context Definition:
CD1.1. Define the basic criteria for Risk Assessment
CD1.2. Define the basic criteria for Impact Assessment
CD1.3. Define the basic criteria for Risk Acceptance
CD1.4. Establish the scope and the constraints of the risk management process
CD1.5. Establish and maintain an organization
CD1.6. Develop a risk management policy
CD1.7. Establish a standard for RM processes
CD1.8. Audit the Context Definition activity
CD1.9. Collect and store information
12. Control Objective - MMGRseg
AA1 Risk Analysis/Assessment:
AA1.1. Identify the Risks
AA1.2. Estimate the Risks
AA1.3. Assess the Risks
AA1.4. Standardize the Assessment process
AA1.5. Automate the Analysis/Assessment process
AA1.6. Audit the Risk Analysis/Assessment activity
AA1.7. Avoid rework
AA1.8. Revise the process of risk estimation
13. Control Objective - MMGRseg
RT1. Risk treatment:
RT1.1. Select an appropriate Treatment option
RT1.2. Define a Risk Treatment plan
RT1.3. Implement Risk Treatment plan
RT1.4. Define how to measure the effectiveness of controls
RT1.5. Calculate Residual Risks
RT1.6. Standardize the Risk Treatment process
RT1.7. Audit the Risk Treatment activity
RT1.8. Improve the Risk Treatment process
14. Control Objective - MMGRseg
RA1. Risk Acceptance:
RA1.1. Verify the description of the Treatment plan
RA1.2. Analyze and approve the acceptance criteria
RA1.3. Verify the residual risk
RA1.4. List the accepted risks
RA1.5. Standardize the Risk Acceptance process
RA1.6. Audit the Risk Acceptance activity
RA1.7. Revise the Risk Acceptance process
15. Control Objective - MMGRseg
RC1. Risk Communication:
RC1.1. Implement awareness plan
RC1.2. Make stakeholders able to identify and communicate risks
RC1.3. Standardize the Risk Communication activity
RC1.4. Audit the Risk Communication activity
RC1.5. Exchange and/or share risk-related information
RC1.6. Critical analysis of Risk Communication
16. Control Objective - MMGRseg
MA1. Monitoring and Critical Analysis:
MA1.1. Verify the alignment of the RM process with business objectives
MA1.2. Monitor, critically analyze and improve the risk management process
MA1.3. Standardize the Monitoring and Critical Analysis activity
MA1.4. Audit the Monitoring and Critical Analysis activity
MA1.5. Improve the Risk Management process
17. Control Map - MMGRseg
Control objectives required at each maturity level, per Risk Management activity:

Activity                          Level 1                  Level 2               Level 3                             Level 4   Level 5
Context definition                No control implemented   CD1.1, CD1.2, CD1.3   CD1.4, CD1.5, CD1.6, CD1.7          CD1.8     CD1.9
Risk Analysis/Assessment          No control implemented   AA1.1, AA1.2          AA1.3, AA1.4, AA1.5                 AA1.6     AA1.7, AA1.8
Risk Treatment                    No control implemented   RT1.1                 RT1.2, RT1.3, RT1.4, RT1.5, RT1.6   RT1.7     RT1.8
Risk Acceptance                   No control implemented   RA1.1, RA1.2          RA1.3, RA1.4, RA1.5                 RA1.6     RA1.7
Risk Communication                No control implemented   RC1.1                 RC1.2, RC1.3                        RC1.4     RC1.5, RC1.6
Monitoring and Critical Analysis  No control implemented   MA1.1                 MA1.2, MA1.3                        MA1.4     MA1.5
18. Assessment perspective - MMGRseg
Continuous representation.
Each of the six activities of the Risk Management process is assessed individually.
The company is able to verify which activity needs to receive greater focus.
Provides specific guidance for each activity on the steps necessary to reach the next maturity level.
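As an added example (not part of the original deck or the authors' instrument), the control map above encoded as data, plus a small self-assessment routine that takes a set of implemented control objectives and, in the continuous representation the slides describe, reports each activity's level and the controls still missing for the next level. It assumes one rule the slides do not state explicitly: a level counts as reached only when every control at that level and at all lower levels is implemented. The input set is constructed for illustration, not taken from a case-study respondent.

```python
"""Per-activity maturity assessment against the MMGRseg control map."""

# Control map from the deck: for each RM activity, the control objectives
# required at each maturity level (level 1 requires none).
CONTROL_MAP = {
    "Context definition": {
        2: ["CD1.1", "CD1.2", "CD1.3"],
        3: ["CD1.4", "CD1.5", "CD1.6", "CD1.7"],
        4: ["CD1.8"],
        5: ["CD1.9"],
    },
    "Risk Analysis/Assessment": {
        2: ["AA1.1", "AA1.2"],
        3: ["AA1.3", "AA1.4", "AA1.5"],
        4: ["AA1.6"],
        5: ["AA1.7", "AA1.8"],
    },
    "Risk Treatment": {
        2: ["RT1.1"],
        3: ["RT1.2", "RT1.3", "RT1.4", "RT1.5", "RT1.6"],
        4: ["RT1.7"],
        5: ["RT1.8"],
    },
    "Risk Acceptance": {
        2: ["RA1.1", "RA1.2"],
        3: ["RA1.3", "RA1.4", "RA1.5"],
        4: ["RA1.6"],
        5: ["RA1.7"],
    },
    "Risk Communication": {
        2: ["RC1.1"],
        3: ["RC1.2", "RC1.3"],
        4: ["RC1.4"],
        5: ["RC1.5", "RC1.6"],
    },
    "Monitoring and Critical Analysis": {
        2: ["MA1.1"],
        3: ["MA1.2", "MA1.3"],
        4: ["MA1.4"],
        5: ["MA1.5"],
    },
}

LEVEL_NAMES = {1: "Initial", 2: "Known", 3: "Standardized", 4: "Managed", 5: "Optimized"}


def activity_level(activity, implemented):
    """Maturity level (1..5) reached by one activity.

    Assumption (not stated on the slides): a level is reached only when every
    control at that level and at all lower levels is implemented. An audit
    control from level 4 therefore does not count while a level-3 control is
    still missing; the activity stays capped at the last complete level.
    """
    level = 1
    for lvl in sorted(CONTROL_MAP[activity]):
        if all(c in implemented for c in CONTROL_MAP[activity][lvl]):
            level = lvl
        else:
            break
    return level


def assess(implemented):
    """Continuous representation: one level per activity, plus the controls
    still missing for the next level (the deck's 'specific guidance')."""
    implemented = set(implemented)
    report = {}
    for activity, levels in CONTROL_MAP.items():
        level = activity_level(activity, implemented)
        gap = [] if level == 5 else [c for c in levels[level + 1] if c not in implemented]
        report[activity] = {"level": level, "name": LEVEL_NAMES[level], "next_gap": gap}
    return report


def weakest_activities(report):
    """Activities at the lowest level: where the company should focus first."""
    low = min(r["level"] for r in report.values())
    return sorted(a for a, r in report.items() if r["level"] == low)


# Constructed self-assessment input (hypothetical, not a case-study respondent).
SAMPLE_IMPLEMENTED = [
    "CD1.1", "CD1.2", "CD1.3", "CD1.4", "CD1.5", "CD1.6", "CD1.7", "CD1.8",
    "AA1.1", "AA1.2", "AA1.3", "AA1.5",   # AA1.4 (standardize) missing
    "RT1.1",
    "RA1.1", "RA1.2", "RA1.6",            # audit in place before level-3 controls
]

if __name__ == "__main__":
    report = assess(SAMPLE_IMPLEMENTED)
    for activity, r in report.items():
        print(f"{activity:34s} level {r['level']} ({r['name']}); next: {r['next_gap']}")
    print("focus first on:", weakest_activities(report))
```

With the constructed input, Context definition reaches level 4 with only CD1.9 outstanding, Risk Analysis/Assessment is capped at level 2 by the single missing AA1.4, and Risk Acceptance stays at level 2 despite RA1.6 being in place, which is exactly the kind of misallocated effort the per-activity view is meant to surface.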
19. Assessment perspective - MMGRseg
Examples of maturity-level assessment hypotheses using MMGRseg (figure not reproduced).
20. Accountability Matrix - MMGRseg
Roles (columns): CEO; CFO; Executive Business Management; CIO; Senior Business Head; Head of Operations; Chief Architect; Development Head; Administration Head; Head of IT Security; Audit, Risk and Compliance.
Entries per control, in column order as shown on the slide (blank cells not recoverable):
CD1.1  R/A  C  C  C  I
CD1.2  R/A  C  C  C  I
CD1.3  R/A  C  C  C  I
CD1.4  R/A
CD1.5  R/A
CD1.6  I  C  R  C  R/A  C  C  C  C  C
CD1.7  R/A
CD1.8  A
R = Responsible; A = Accountable; C = Consulted; I = Informed.
21. Risk Scorecard - MMGRseg
Every process must have defined goals and aims, making it possible to measure the degree of success in its execution.
To that end, metrics need to be defined according to the SMARRT model (Specific, Measurable, Actionable, Realistic, Results-oriented and Timely).
In the MMGRseg model, the measurement of all six activities of the risk management process must be based on SMARRT.
22. Case study - MMGRseg
Designed as a questionnaire based on the control objectives;
35 questions, answered on a Likert scale.
Questions per activity and maturity level:

           CD           AA             RT             RA         RC         MA
Level 2    Q3           Q9             Q15            Q21        Q26        Q31
Level 3    Q4, Q5, Q6   Q10, Q11, Q12  Q16, Q17, Q18  Q22, Q23   Q27, Q28   Q32, Q33
Level 4    Q7           Q13            Q19            Q24        Q29        Q34
Level 5    Q8           Q14            Q20            Q25        Q30        Q35

CD = Context definition, AA = Risk Analysis/Assessment, RT = Risk Treatment, RA = Risk Acceptance, RC = Risk Communication and MA = Monitoring and Critical Analysis of the Risk.
23. Case study - MMGRseg
The questionnaire was sent to a convenience sample of 31 companies;
Feedback was received from 12 of them;
Only 3 of the 12 respondent companies achieved a level above 1;
The remaining respondents reached only maturity level 1 in all six activities of the RM process for IS.
24. Conclusion
This is a meaningful contribution to the development of the field of information security, aligned with ISO/IEC 27005;
It is comprised of a set of requirements and best practices:
three stages: immaturity, maturity and excellence;
five maturity levels: Initial, Known, Standardized, Managed and Optimized;
forty-three control objectives;
one control map;
one assessment instrument relative to the maturity level of the activities of the RM process;
an accountability matrix relative to each activity of the process; and
a risk scorecard.
25. Conclusion
All this can be used by the organization to:
identify weaknesses and/or deficiencies and the possibilities for improvement in the process, thereby directing investments in Information Security;
foster segmented benchmarking;
disseminate the risk management culture throughout the company;
achieve effectiveness in the continuous improvement of Risk Management in Information Security; and
support certification projects for Information Security Management Systems (ISMS) and Business Continuity.