Risk Assessment as per ISO 27005

Presented by Dharshan Shanthamurthy,
Risk Assessment Evangelist
WWW.SMART‐RA.COM

SMART‐RA.COM is a patent pending product of SISA Information Security Pvt. Ltd.
What is Risk Assessment?

• NIST SP 800‐30
  Risk Assessment is the analysis of threats in conjunction with
  vulnerabilities and existing controls.
• OCTAVE
  A Risk Assessment will provide information needed to make
  risk management decisions regarding the degree of security
  remediation.
• ISO 27005
  Risk Assessment = Identification, Estimation and Evaluation
Why Risk Assessment?
Regulatory Compliance

Compliance Standard and its Risk Assessment Requirement:

PCI DSS Requirement 12.1.2:
  Formal and structured risk assessment based on methodologies like
  ISO 27005, NIST SP 800‐30, OCTAVE, etc.

HIPAA Section 164.308(a)(1):
  Conduct an accurate and thorough assessment of the potential risks and
  vulnerabilities to the confidentiality, integrity, and availability of
  electronic protected health information held by the covered entity.

FISMA 3544:
  Periodic testing and evaluation of the effectiveness of information
  security policies, procedures, and practices, to be performed at least
  annually.

ISO 27001 Clause 4.1:
  Risk assessments should identify risks against risk acceptance criteria
  and organizational objectives. Risk assessments should also be performed
  periodically to address changes in the security requirements and in the
  risk situation.

Also: GLBA, SOX, FISMA, Data Protection Act, IT Act Amendment 2008, Privacy Act, HITRUST……
Why Risk Assessment?
Business Rationale

Function and Explanation:

Return on Investment:
  A structured RA methodology follows a systematic and pre‐defined
  approach, minimizes the scope of human error, and emphasizes
  process‐driven rather than human‐driven activities.

Budget Allocation:
  Assists in controls cost planning and justification.

Controls:
  Cost and effort optimization by optimizing controls selection and
  implementation.

Efficient utilization of resources:
  Resource optimization by appropriate delegation of actions related to
  controls implementation.
What is IS-RA?

Risk assessment is the cornerstone of any information security program,
and it is the fastest way to gain a complete understanding of an
organization's security profile – its strengths and weaknesses, its
vulnerabilities and exposures.

“IF YOU CAN’T MEASURE IT …YOU CAN’T MANAGE IT!”
Reality Check

• ISRA – a need more than a want
• Each organization has its own ISRA
• ISRA learning curve
• Cumbersome – 1000 assets, 20 worksheets
• Two months of effort
• Complicated report
Exercise

• Threat Scenarios
• Threat Profiles to be filled.
Risk Assessment reference points

• OCTAVE
• NIST SP 800‐30
• ISO 27005
• COSO
• Risk IT
• ISO 31000
• AS/NZS 4360
• FRAP
• FTA
• MEHARI
ISO 27005 Introduction

• ISO 27005 is an Information Security Risk Management guideline.
• Lays emphasis on the ISMS concept of ISO 27001:2005.
• Drafted and published by the International Organization for
  Standardization (ISO) and the International Electrotechnical
  Commission (IEC).
• Provides an RA guideline and does not recommend any specific RA
  methodology.
• Applicable to organizations of all types.
ISO 27005 Workflow

• Advocates an iterative approach to risk assessment.
• Aims at balancing time and effort with controls efficiency in
  mitigating high risks.
• Proposes the Plan‐Do‐Check‐Act cycle.

(Workflow diagram) Source: ISO 27005 Standard
ISO 27005 Risk Assessment

Information Security Risk Assessment = Risk Analysis + Risk Evaluation

Risk Analysis:
  Risk Analysis = Risk Identification + Risk Estimation

1. Risk Identification
   Risk characterized in terms of organizational conditions.
   • Identification of Assets: Assets within the defined scope.
   • Identification of Threats: Based on Incident Reviewing, Asset
     Owners, Asset Users, External threats, etc.
   • Identification of Existing Controls: Also check if the controls are
     working correctly.
   • Identification of Vulnerabilities: Vulnerabilities are shortlisted in
     organizational processes, IT, personnel, etc.
   • Identification of Consequences: The impact of loss of CIA of assets.

2. Risk Estimation
   – Specifies the measure of risk.
   • Qualitative Estimation
   • Quantitative Estimation

Risk Evaluation:
   • Compares and prioritizes Risk Level based on Risk Evaluation Criteria
     and Risk Acceptance Criteria.
ISO 27005 RA Workflow

  Step 1: General Description of ISRA
  Step 2: Risk Analysis: Risk Identification
  Step 3: Risk Analysis: Risk Estimation
  Step 4: Risk Evaluation

Step 1

1. General Description of ISRA
   Input:  Basic Criteria; Scope and Boundaries; Organization for ISRM
   Action: Identify, Describe (quantitatively or qualitatively) and
           Prioritize Risks
   Output: Assessed risks prioritized according to Risk Evaluation
           Criteria.
Step 2

2. Risk Analysis: Risk Identification – Identification of Assets
   Input:  Scope and Boundaries; Asset owners; Asset Location;
           Asset function
   Action: Assets are defined
   Output: List of Assets. List of associated business processes.
Step 2

2. Risk Analysis: Risk Identification – Identification of Threats
   Input:  Threat Information from
           • Review of Incidents
           • Asset Owners
           • Asset Users, etc.
   Action: Threats are defined
   Output: • Threats
           • Threat source
           • Threat type
Step 2

2. Risk Analysis: Risk Identification – Identification of Existing Controls
   Input:  • Documentation of controls
           • RTP
   Action: Existing and planned controls are defined
   Output: • Existing and planned controls
           • Implementation status
           • Usage status
Step 2

2. Risk Analysis: Risk Identification – Identification of Vulnerabilities
   Input:  • Identified Assets
           • Identified Threats
           • Identified Existing Controls
   Action: Vulnerabilities are identified
   Output: • Vulnerabilities related to assets, threats, controls.
           • Vulnerabilities not related to any threat.
Step 2

2. Risk Analysis: Risk Identification – Identification of Consequences
   Input:  • Assets and business processes
           • Threats and vulnerabilities
   Action: The impact of the loss of CIA is identified
   Output: • Incident scenarios with their consequences related to
             assets and business processes
Step 3

3. Risk Analysis: Risk Estimation – Risk Estimation Methodologies
   (a) Qualitative Estimation: High, Medium, Low
   (b) Quantitative Estimation: $, hours, etc.
Step 3

3. Risk Analysis: Risk Estimation – Assessment of consequences
   Input:  • Assets and business processes
           • Threats and vulnerabilities
           • Incident scenarios
   Action: The business impact from information security incidents is
           assessed.
   Output: Assessed consequences of an incident scenario expressed in
           terms of assets and impact criteria.
Step 3

3. Risk Analysis: Risk Estimation – Level of Risk Estimation
   Input:  • Incident scenarios with their consequences
           • Their likelihood (quantitative or qualitative).
   Action: Level of risk is estimated for all relevant incident scenarios
   Output: List of risks with value levels assigned.
Step 4

4. Risk Evaluation
   Input:  • Risks with value levels assigned and risk evaluation criteria.
   Action: Level of risk is compared against risk evaluation criteria and
           risk acceptance criteria
   Output: Risks prioritized according to risk evaluation criteria in
           relation to the incident scenarios.
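The following is an added worked example of Steps 2 to 4 on a small risk register; it is not code from the deck, from SMART‐RA or from the ISO 27005 text. It assumes three‐level ordinal scales, a 3x3 likelihood x consequence matrix and "accept Low" as the risk acceptance criterion; ISO 27005 leaves all of these to the organization's own basic criteria (Step 1), so the scales, matrix cells and sample scenarios here are this example's constructed choices. The quantitative path is shown with the common ALE = SLE x ARO formula, which is likewise an assumption of this example rather than something the deck states.

```python
"""Worked example of ISO 27005 Steps 2-4 on a constructed risk register.

Added illustration only. Scales, matrix, acceptance criterion and the
sample scenarios are assumptions of this example, not the deck's content.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional, Tuple


class Level(IntEnum):
    """Three-level ordinal scale used for likelihood, consequence and risk."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Assumed estimation matrix: (likelihood, consequence) -> level of risk.
# ISO 27005 Annex E shows this style of matrix; the cells are our choice.
RISK_MATRIX: Dict[Tuple[Level, Level], Level] = {
    (Level.LOW, Level.LOW): Level.LOW,
    (Level.LOW, Level.MEDIUM): Level.LOW,
    (Level.LOW, Level.HIGH): Level.MEDIUM,
    (Level.MEDIUM, Level.LOW): Level.LOW,
    (Level.MEDIUM, Level.MEDIUM): Level.MEDIUM,
    (Level.MEDIUM, Level.HIGH): Level.HIGH,
    (Level.HIGH, Level.LOW): Level.MEDIUM,
    (Level.HIGH, Level.MEDIUM): Level.HIGH,
    (Level.HIGH, Level.HIGH): Level.HIGH,
}


@dataclass
class IncidentScenario:
    """Output of risk identification (Step 2): one asset/threat/vulnerability
    combination, the control that currently applies, and the two inputs
    that risk estimation (Step 3) needs."""
    asset: str
    threat: str
    vulnerability: str
    existing_control: str
    likelihood: Level
    consequence: Level
    risk_level: Optional[Level] = None  # filled in by estimate_risk


def estimate_risk(scenario: IncidentScenario) -> Level:
    """Step 3, qualitative estimation: look up the level of risk."""
    scenario.risk_level = RISK_MATRIX[(scenario.likelihood, scenario.consequence)]
    return scenario.risk_level


def annualized_loss_expectancy(single_loss_expectancy: float,
                               annual_rate_of_occurrence: float) -> float:
    """Step 3, quantitative estimation in currency: ALE = SLE x ARO.
    (Assumed formula for illustration; ISO 27005 does not mandate it.)"""
    return single_loss_expectancy * annual_rate_of_occurrence


def evaluate_risks(scenarios: List[IncidentScenario],
                   acceptance_threshold: Level = Level.LOW) -> List[IncidentScenario]:
    """Step 4: compare each estimated level against the acceptance criterion
    and return the scenarios that are NOT accepted, highest level first
    (ties broken by asset name so the order is deterministic)."""
    for s in scenarios:
        if s.risk_level is None:
            estimate_risk(s)
    not_accepted = [s for s in scenarios if s.risk_level > acceptance_threshold]
    return sorted(not_accepted, key=lambda s: (-int(s.risk_level), s.asset))


# Constructed sample register (hypothetical assets, not from the deck).
SAMPLE_REGISTER: List[IncidentScenario] = [
    IncidentScenario("Cardholder DB", "External attacker", "Unpatched DBMS",
                     "Quarterly patching", Level.MEDIUM, Level.HIGH),
    IncidentScenario("HR file share", "Malicious insider", "Over-broad share permissions",
                     "Annual access review", Level.HIGH, Level.MEDIUM),
    IncidentScenario("Public website", "Volumetric DDoS", "No rate limiting",
                     "CDN in front of origin", Level.LOW, Level.MEDIUM),
    IncidentScenario("Backup tapes", "Loss in transit", "Unencrypted media",
                     "Bonded courier contract", Level.LOW, Level.HIGH),
]

if __name__ == "__main__":
    for s in evaluate_risks(SAMPLE_REGISTER):
        print(f"{s.risk_level.name:6} {s.asset}: {s.threat} via "
              f"{s.vulnerability} (existing control: {s.existing_control})")
    print("ALE example:", annualized_loss_expectancy(50000.0, 0.2))
```

With these assumed criteria the "Public website" scenario estimates to Low and is accepted, so only three of the four scenarios reach the treatment list, in the order Cardholder DB, HR file share, Backup tapes; raising the acceptance threshold to Medium drops Backup tapes as well. The point of the split into estimate_risk and evaluate_risks is the one the deck makes: the same estimated level can be accepted by one organization and treated by another, depending solely on its Step 1 criteria.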
Summary

• Keep it Simple and Systematic
• Comprehensive
• Risk sensitive culture in the organization.
• Drive security from a risk management perspective, rather than only a
  compliance perspective.
• Help RA to help you…
Questions?

Be a Risk Assessment Evangelist!
  IS‐RA Forum on Linkedin
  SMART‐RA Forum on Linkedin

Dharshan Shanthamurthy,
E‐mail: dharshan.shanthamurthy@sisa.in
Phone: +91‐99451 22551
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptxEmil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptx
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptxNeo4j
 
Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024
Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024
Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024Alkin Tezuysal
 
.NET 8 ChatBot with Azure OpenAI Services.pptx
.NET 8 ChatBot with Azure OpenAI Services.pptx.NET 8 ChatBot with Azure OpenAI Services.pptx
.NET 8 ChatBot with Azure OpenAI Services.pptxHansamali Gamage
 
Top 10 Squarespace Development Companies
Top 10 Squarespace Development CompaniesTop 10 Squarespace Development Companies
Top 10 Squarespace Development CompaniesTopCSSGallery
 
CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024Brian Pichman
 
LF Energy Webinar - Unveiling OpenEEMeter 4.0
LF Energy Webinar - Unveiling OpenEEMeter 4.0LF Energy Webinar - Unveiling OpenEEMeter 4.0
LF Energy Webinar - Unveiling OpenEEMeter 4.0DanBrown980551
 
IT Service Management (ITSM) Best Practices for Advanced Computing
IT Service Management (ITSM) Best Practices for Advanced ComputingIT Service Management (ITSM) Best Practices for Advanced Computing
IT Service Management (ITSM) Best Practices for Advanced ComputingMAGNIntelligence
 
The New Cloud World Order Is FinOps (Slideshow)
The New Cloud World Order Is FinOps (Slideshow)The New Cloud World Order Is FinOps (Slideshow)
The New Cloud World Order Is FinOps (Slideshow)codyslingerland1
 

Recently uploaded (20)

The Importance of Indoor Air Quality (English)
The Importance of Indoor Air Quality (English)The Importance of Indoor Air Quality (English)
The Importance of Indoor Air Quality (English)
 
My key hands-on projects in Quantum, and QAI
My key hands-on projects in Quantum, and QAIMy key hands-on projects in Quantum, and QAI
My key hands-on projects in Quantum, and QAI
 
March Patch Tuesday
March Patch TuesdayMarch Patch Tuesday
March Patch Tuesday
 
Flow Control | Block Size | ST Min | First Frame
Flow Control | Block Size | ST Min | First FrameFlow Control | Block Size | ST Min | First Frame
Flow Control | Block Size | ST Min | First Frame
 
From the origin to the future of Open Source model and business
From the origin to the future of  Open Source model and businessFrom the origin to the future of  Open Source model and business
From the origin to the future of Open Source model and business
 
Planetek Italia Srl - Corporate Profile Brochure
Planetek Italia Srl - Corporate Profile BrochurePlanetek Italia Srl - Corporate Profile Brochure
Planetek Italia Srl - Corporate Profile Brochure
 
How to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptxHow to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptx
 
Extra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdfExtra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdf
 
UiPath Studio Web workshop series - Day 1
UiPath Studio Web workshop series  - Day 1UiPath Studio Web workshop series  - Day 1
UiPath Studio Web workshop series - Day 1
 
Patch notes explaining DISARM Version 1.4 update
Patch notes explaining DISARM Version 1.4 updatePatch notes explaining DISARM Version 1.4 update
Patch notes explaining DISARM Version 1.4 update
 
UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptx
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptxEmil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptx
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptx
 
Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024
Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024
Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024
 
.NET 8 ChatBot with Azure OpenAI Services.pptx
.NET 8 ChatBot with Azure OpenAI Services.pptx.NET 8 ChatBot with Azure OpenAI Services.pptx
.NET 8 ChatBot with Azure OpenAI Services.pptx
 
Top 10 Squarespace Development Companies
Top 10 Squarespace Development CompaniesTop 10 Squarespace Development Companies
Top 10 Squarespace Development Companies
 
CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024
 
LF Energy Webinar - Unveiling OpenEEMeter 4.0
LF Energy Webinar - Unveiling OpenEEMeter 4.0LF Energy Webinar - Unveiling OpenEEMeter 4.0
LF Energy Webinar - Unveiling OpenEEMeter 4.0
 
IT Service Management (ITSM) Best Practices for Advanced Computing
IT Service Management (ITSM) Best Practices for Advanced ComputingIT Service Management (ITSM) Best Practices for Advanced Computing
IT Service Management (ITSM) Best Practices for Advanced Computing
 
The New Cloud World Order Is FinOps (Slideshow)
The New Cloud World Order Is FinOps (Slideshow)The New Cloud World Order Is FinOps (Slideshow)
The New Cloud World Order Is FinOps (Slideshow)
 

ISO 27005 Risk Assessment

  • 1. Risk Assessment as per ISO 27005. Presented by Dharshan Shanthamurthy, Risk Assessment Evangelist, WWW.SMART‐RA.COM. SMART‐RA.COM is a patent pending product of SISA Information Security Pvt. Ltd.
  • 2. What is Risk Assessment? • NIST SP 800‐30: Risk Assessment is the analysis of threats in conjunction with vulnerabilities and existing controls. • OCTAVE: A Risk Assessment will provide information needed to make risk management decisions regarding the degree of security remediation. • ISO 27005: Risk Assessment = Identification, Estimation and Evaluation.
  • 3. Why Risk Assessment? Regulatory Compliance. Compliance Standard / Risk Assessment Requirement: • PCI DSS Requirement 12.1.2: Formal and structured risk assessment based on methodologies like ISO 27005, NIST SP 800‐30, OCTAVE, etc. • HIPAA Section 164.308(a)(1): Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity. • FISMA 3544: Periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices, to be performed at least annually. • ISO 27001 Clause 4.1: Risk assessments should identify risks against risk acceptance criteria and organizational objectives. Risk assessments should also be performed periodically to address changes in the security requirements and in the risk situation. • GLBA, SOX, FISMA, Data Protection Act, IT Act Amendment 2008, Privacy Act, HITRUST……
  • 4. Why Risk Assessment? Business Rationale. Function / Explanation: • Return on Investment: Structured RA Methodology follows a systematic and pre‐defined approach, minimizes the scope of human error, and emphasizes process driven, rather than human driven activities. • Budget Allocation: Assists in controls cost planning and justification. • Controls: Cost and effort optimization by optimizing controls selection and implementation. • Efficient utilization of resources: Resource optimization by appropriate delegation of actions related to controls implementation.
  • 5. What is IS-RA? Risk assessment is the cornerstone of any information security program, and it is the fastest way to gain a complete understanding of an organization's security profile – its strengths and weaknesses, its vulnerabilities, and exposures. “IF YOU CAN’T MEASURE IT … YOU CAN’T MANAGE IT!”
  • 6. Reality Check • ISRA – a need more than a want • Each organization has their own ISRA • ISRA learning curve • Cumbersome – 1000 assets, 20 worksheets • Two months efforts • Complicated report
  • 7. Exercise • Threat Scenarios • Threat Profiles to be filled.
  • 8. Risk Assessment reference points • OCTAVE • NIST SP 800‐30 • ISO 27005 • COSO • Risk IT • ISO 31000 • AS/NZS 4360 • FRAP • FTA • MEHARI
  • 9. ISO 27005 Introduction • ISO 27005 is an Information Security Risk Management guideline. • Lays emphasis on the ISMS concept of ISO 27001:2005. • Drafted and published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). • Provides a RA guideline and does not recommend any RA methodologies. • Applicable to organizations of all types.
  • 10. ISO 27005 Workflow • Advocates an iterative approach to risk assessment • Aims at balancing time and effort with controls efficiency in mitigating high risks • Proposes the Plan‐Do‐Check‐Act cycle. Source: ISO 27005 Standard
  • 11. ISO 27005 Risk Assessment. Information Security Risk Assessment = Risk Analysis + Risk Evaluation. Risk Analysis: Risk Analysis = Risk Identification + Risk Estimation. 1. Risk Identification: Risk characterized in terms of organizational conditions. • Identification of Assets: Assets within the defined scope. • Identification of Threats: Based on Incident Reviewing, Asset Owners, Asset Users, External threats, etc.
  • 12. ISO 27005 Risk Assessment Contd. • Identification of Existing Controls: Also check if the controls are working correctly. • Identification of Vulnerabilities: Vulnerabilities are shortlisted in organizational processes, IT, personnel, etc. • Identification of Consequences: The impact of loss of CIA of assets. 2. Risk Estimation – Specifies the measure of risk. • Qualitative Estimation • Quantitative Estimation. Risk Evaluation: • Compares and prioritizes Risk Level based on Risk Evaluation Criteria and Risk Acceptance Criteria.
  • 13. ISO 27005 RA Workflow. Step 1: General Description of ISRA. Step 2: Risk Analysis: Risk Identification. Step 3: Risk Analysis: Risk Estimation. Step 4: Risk Evaluation.
  • 14. Step 1. 1. General Description of ISRA. Input: Basic Criteria; Scope and Boundaries; Organization for ISRM. Action: Identify, Describe (quantitatively or qualitatively) and Prioritize Risks. Output: Assessed risks prioritized according to Risk Evaluation Criteria.
  • 15. Step 2. 2. Risk Analysis: Risk Identification – Identification of Assets. Input: Scope and Boundaries; Asset owners; Asset Location; Asset function. Action: Assets are defined. Output: List of Assets; List of associated business processes.
  • 16. Step 2. 2. Risk Analysis: Risk Identification – Identification of Threats. Input: Threat Information from Review of Incidents, Asset Owners, Asset Users, etc. Action: Threats are defined. Output: Threats; Threat source; Threat type.
  • 17. Step 2. 2. Risk Analysis: Risk Identification – Identification of Existing Controls. Input: Documentation of controls; RTP status. Action: Existing and planned controls are defined. Output: Existing and planned controls, their implementation and usage status.
  • 18. Step 2. 2. Risk Analysis: Risk Identification – Identification of Vulnerabilities. Input: Identified Assets; Identified Threats; Identified Existing Controls. Action: Vulnerabilities are identified. Output: Vulnerabilities related to assets, threats, controls; Vulnerabilities not related to any threat.
  • 19. Step 2. 2. Risk Analysis: Risk Identification – Identification of Consequences. Input: Assets and business processes; Threats and vulnerabilities. Action: The impact of the loss of CIA is identified. Output: Incident scenarios with their consequences related to assets and business processes.
  • 20. Step 3. 3. Risk Analysis: Risk Estimation – Risk Estimation Methodologies. (a) Qualitative Estimation: High, Medium, Low. (b) Quantitative Estimation: $, hours, etc.
  • 21. Step 3. 3. Risk Analysis: Risk Estimation – Assessment of consequences. Input: Assets and business processes; Threats and vulnerabilities; Incident scenarios. Action: The business impact from information security incidents is assessed. Output: Assessed consequences of an incident scenario expressed in terms of assets and impact criteria.
  • 22. Step 3. 3. Risk Analysis: Risk Estimation – Level of Risk Estimation. Input: Incident scenarios with their consequences; Their likelihood (quantitative or qualitative). Action: Level of risk is estimated for all relevant incident scenarios. Output: List of risks with value levels assigned.
  • 23. Step 4. 4. Risk Evaluation. Input: Risks with value levels assigned and risk evaluation criteria. Action: Level of risk is compared against risk evaluation criteria and risk acceptance criteria. Output: Risks prioritized according to risk evaluation criteria in relation to the incident scenarios.
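As an added example (not code from the presentation or from SMART‐RA), Steps 3 and 4 of slides 20 to 23 as a small Python risk register: each incident scenario carries the Risk Identification outputs, the level of risk is estimated qualitatively from a consequence/likelihood matrix and quantitatively as an annualized loss in $ (SLE × ARO, a common quantitative method assumed here, not one prescribed by ISO 27005), and the register is prioritized and compared against a risk acceptance criterion. The scale values, the acceptance threshold and the sample scenarios are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List

# Ordinal scale for qualitative estimation (High/Medium/Low, slide 20). The 3x3
# numeric mapping is a constructed example, not values prescribed by ISO 27005.
SCALE = {"Low": 1, "Medium": 2, "High": 3}


@dataclass
class IncidentScenario:
    """One incident scenario assembled from the Risk Identification outputs."""
    asset: str             # Identification of Assets
    threat: str            # Identification of Threats
    vulnerability: str     # Identification of Vulnerabilities
    existing_control: str  # Identification of Existing Controls
    consequence: str       # Identification of Consequences: impact of loss of CIA
    likelihood: str        # likelihood of the scenario (Low/Medium/High)
    sle_usd: float         # quantitative: single loss expectancy in $ (assumed)
    aro: float             # quantitative: annual rate of occurrence (assumed)


def estimate_qualitative(s: IncidentScenario) -> int:
    """Risk Estimation, qualitative: level of risk = consequence x likelihood."""
    return SCALE[s.consequence] * SCALE[s.likelihood]


def estimate_quantitative(s: IncidentScenario) -> float:
    """Risk Estimation, quantitative: annualized loss expectancy in $ (ALE = SLE x ARO)."""
    return s.sle_usd * s.aro


def evaluate(register: List[IncidentScenario], accept_below: int) -> List[Dict]:
    """Risk Evaluation: prioritize by level of risk and compare each risk against
    the risk acceptance criterion (levels below `accept_below` are accepted)."""
    rows = []
    for s in register:
        level = estimate_qualitative(s)
        rows.append({"asset": s.asset, "threat": s.threat, "level": level,
                     "ale_usd": estimate_quantitative(s),
                     "acceptable": level < accept_below})
    # Prioritized according to the risk evaluation criteria: highest level first,
    # ties broken by the quantitative annualized loss.
    rows.sort(key=lambda r: (r["level"], r["ale_usd"]), reverse=True)
    return rows


# Constructed sample register (hypothetical scenarios, not from the presentation).
REGISTER = [
    IncidentScenario("Customer database", "Unauthorized access", "Weak password policy",
                     "Password complexity, partially implemented", "High", "Medium", 200_000, 0.2),
    IncidentScenario("Public web server", "Denial of service", "No rate limiting",
                     "None", "Medium", "Medium", 10_000, 3.0),
    IncidentScenario("Office printer", "Hardware failure", "No maintenance contract",
                     "Spare unit in stock", "Low", "Low", 500, 0.5),
]

if __name__ == "__main__":
    for row in evaluate(REGISTER, accept_below=4):
        print(row)
```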
  • 24. Summary • Keep it Simple and Systematic • Comprehensive • Risk sensitive culture in the organization. • Drive security from a risk management perspective, rather than only a compliance perspective. • Help RA to help you…
  • 25. Questions? Be a Risk Assessment Evangelist! IS‐RA Forum on Linkedin. SMART‐RA Forum on Linkedin. Dharshan Shanthamurthy, E‐mail: dharshan.shanthamurthy@sisa.in, Phone: +91‐99451 22551