This document discusses risk management according to the ISO 27001 standard. It outlines the key elements of risk assessment: identifying assets, threats, vulnerabilities, impact, and likelihood. The risk management process is presented in seven steps: identifying and valuing assets, identifying threats, identifying vulnerabilities, assessing inherent risk, identifying existing controls, determining residual risk, and creating a risk treatment plan. Proper risk management is proactive and helps control possible future events over the life of a project.
3. ISO 27001 Risk Management
Agenda:
• Why Risk Management
• The Process of Risk Management
• Elements of Risk Assessment
  – Identification of Assets
  – Threats and Vulnerabilities
  – Impact and Likelihood
4. Risk management is the critical first step in ISO 27001 implementation. It determines everything that happens afterward.
5. Why Risk Management
The three standards fit together as follows:
• Risk Management (ISO 27001)
• Safeguards (ISO 27002)
• Measurement (ISO 27004)
Risk Management is the process of identifying, analyzing and responding to risk factors throughout the life of a project and in the best interests of its objectives. Proper risk management implies control of possible future events and is proactive rather than reactive.
6. The Process of Risk Management
Process 01: Identify & value assets
Process 02: Identify threats
Process 03: Identify vulnerabilities
Process 04: Assess inherent risk
Process 05: Identify controls
Process 06: Determine residual risk
Process 07: Risk Treatment Plan
7. The Process of Risk Management
Asset identification
An asset is anything whose loss or compromise may affect the confidentiality, integrity or availability of information in the organization.
• Information, e.g. Human resources data, Financial data, Marketing data, Employee passwords, Source code, System documentation, Intellectual property, Data for regulatory requirements, Strategic plans, Employee business contact data, Employee personal contact data, Purchase order data, Network infrastructure design, Internal web sites
• Technology, e.g. Servers, Desktop computers, Laptops, Tablets, Smartphones, Server application software, End-user application software, Development tools, Routers, Network switches, PBXs, Removable media, Power supplies, Uninterruptible power supplies
8. The Process of Risk Management
Asset identification
• Services, e.g. E-mail/scheduling, Instant messaging, Active Directory directory service, Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), Enterprise management tools, File sharing, Storage, Dial-up remote access, Telephony, Virtual Private Networking (VPN) access, Collaboration services (for example, Microsoft SharePoint)
• People, e.g. Subject matter experts, administrators, developers, third-party support, end users
9. The Process of Risk Management
Asset Valuation
Each asset is valued in terms of the impact of its total loss on confidentiality, integrity or availability. Each asset is given a High, Medium or Low rating as its value.
11. The Process of Risk Management
Identify threats
For each asset, what can impact its confidentiality, integrity, or availability?
• Catastrophic incidents, e.g. Fire, Flood, Earthquake, Severe storm, Terrorist attack, Civil unrest/riots, Landslide, Industrial accident
• Mechanical failure, e.g. Power outage, Hardware failure, Network outage, Environmental controls failure, Construction accident
• Non-malicious person, e.g. Uninformed employee, Uninformed user
• Malicious person, e.g. Hacker/cracker, Computer criminal, Industrial espionage, Government-sponsored espionage, Social engineering, Disgruntled current employee, Dishonest employee (bribed or victim of blackmail), Malicious mobile code
12. The Process of Risk Management
Identify vulnerabilities
For each asset, are there vulnerabilities that can be exploited by the threat?
• Physical, e.g. Unlocked doors, Unlocked windows, Walls susceptible to physical assault, Interior walls that do not completely seal the room at both the ceiling and floor
• Hardware, e.g. Missing patches, Outdated firmware, Misconfigured systems, Systems not physically secured, Management protocols allowed over public interfaces
• Software, e.g. Out-of-date antivirus software, Missing patches, Poorly written applications, Deliberately placed weaknesses, Configuration errors
13. The Process of Risk Management
Identify vulnerabilities
• Communications, e.g. Unencrypted network protocols, Connections to multiple networks, Unnecessary protocols allowed, No filtering between network segments
• Human, e.g. Poorly defined procedures, Stolen credentials
14. The Process of Risk Management
Determine risk probability
For each asset/threat/vulnerability combination, determine the probability of the specific risk materializing:
15. The Process of Risk Management
Determine risk impact
For each asset/threat/vulnerability combination, consider the business impact should the risk materialize (to be determined per organization).
16. The Process of Risk Management
Identify controls
For each risk with a significant risk rating, identify the existing controls and mitigating factors that reduce the likelihood and impact ratings.
Control examples (from ISO 27001 Annex A):
• Physical security controls, e.g. Secure areas, Equipment security
• IT operations management controls, e.g. Network security management, Data backup, Media handling, Antimalware, Vulnerability management, Auditing/monitoring
• Access controls, e.g. Access management, O/S access controls, Application access controls, Network access controls, Remote access controls
17. The Process of Risk Management
Identify controls
• Secure development controls, e.g. Security requirements, Data integrity controls, Security design, Security testing
• Business continuity planning
• Employee security controls, e.g. Screening of joiners, Terms & conditions, Security training, Disciplinary procedures, Access termination for leavers, Return of assets
18. Risk Identification
Elements of Risk Assessment
Each risk has a Risk Owner and a Risk Analysis made up of: Asset, Threat, Vulnerability, Impact, Likelihood.
Risk = Impact + Likelihood
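The seven-step process on slides 6 to 17 and the formula on slide 18 can be carried out mechanically once the ratings are in a register. The following is an added example (not code from the slides or from any ISO publication) that builds a small risk register in Python: each entry pairs an asset with a threat and a vulnerability, gets an inherent score from the slides' additive formula on a Low/Medium/High = 1/2/3 scale, has the effect of existing Annex A style controls subtracted to give a residual score, and is then sorted into a treatment plan against a risk appetite. The asset, threat, vulnerability and control names are taken from the slides; the ratings, the number of levels each control removes, the appetite value of 4 and the Accept/Reduce decision rule are constructed assumptions for illustration.

```python
"""Minimal ISO 27001-style risk register (added example, not from the slides).

Walks the slide deck's steps: value the asset, pair it with a threat and a
vulnerability, rate impact and likelihood, subtract the effect of existing
controls to get residual risk, and emit a treatment plan for anything still
above the organisation's risk appetite.  Scores use the slides' formula
Risk = Impact + Likelihood on a 1..3 scale (Low/Medium/High), so a risk
scores between 2 and 6.  Control effects, the appetite value and the sample
register entries are constructed assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

LEVELS: Dict[str, int] = {"Low": 1, "Medium": 2, "High": 3}


def _clamp(level: int) -> int:
    """Keep a rating inside the 1..3 scale (a control never makes a risk vanish)."""
    return max(1, min(3, level))


@dataclass(frozen=True)
class Control:
    """An existing control and how many levels it takes off each rating (assumed values)."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    """One asset/threat/vulnerability combination with its owner and ratings."""
    asset: str
    asset_value: str           # High / Medium / Low (slide 9)
    threat: str
    vulnerability: str
    impact: str                # High / Medium / Low (slide 15)
    likelihood: str            # High / Medium / Low (slide 14)
    owner: str
    controls: List[Control] = field(default_factory=list)

    def inherent_score(self) -> int:
        """Risk before any controls: Impact + Likelihood (slide 18)."""
        return LEVELS[self.impact] + LEVELS[self.likelihood]

    def residual_ratings(self) -> Tuple[int, int]:
        """(impact, likelihood) after the existing controls are applied."""
        impact = LEVELS[self.impact] - sum(c.impact_reduction for c in self.controls)
        likelihood = LEVELS[self.likelihood] - sum(c.likelihood_reduction for c in self.controls)
        return _clamp(impact), _clamp(likelihood)

    def residual_score(self) -> int:
        """Residual risk: same formula, applied to the post-control ratings."""
        impact, likelihood = self.residual_ratings()
        return impact + likelihood


def treatment_plan(register: List[Risk], appetite: int) -> List[Tuple[str, str, int, str]]:
    """Return (asset, threat, residual score, treatment) for every risk, worst first.

    Anything whose residual score exceeds the appetite must be treated (here:
    'Reduce' by adding controls); the rest is formally accepted by its owner.
    The two-way Accept/Reduce rule is an assumption; a real plan may also
    avoid or transfer a risk.
    """
    plan = []
    for risk in sorted(register, key=lambda r: r.residual_score(), reverse=True):
        action = "Reduce" if risk.residual_score() > appetite else "Accept"
        plan.append((risk.asset, risk.threat, risk.residual_score(), action))
    return plan


# Constructed sample register built from the asset/threat/vulnerability/control
# examples on the slides; the ratings and control effects are assumptions.
TRAINING = Control("Security training", likelihood_reduction=1)
BACKUP = Control("Data backup", impact_reduction=1)
ANTIMALWARE = Control("Antimalware", likelihood_reduction=1)
PATCHING = Control("Vulnerability management", likelihood_reduction=1)

SAMPLE_REGISTER: List[Risk] = [
    Risk("Employee passwords", "High", "Social engineering", "Poorly defined procedures",
         impact="High", likelihood="High", owner="CISO", controls=[TRAINING]),
    Risk("File sharing", "High", "Fire", "Lack of fire-extinguishing system",
         impact="High", likelihood="Low", owner="IT operations", controls=[BACKUP]),
    Risk("Laptops", "Medium", "Malicious mobile code", "Out-of-date antivirus software",
         impact="Medium", likelihood="High", owner="Desktop support",
         controls=[ANTIMALWARE, PATCHING]),
]

RISK_APPETITE = 4  # assumption: residual scores of 5 or 6 must be treated

if __name__ == "__main__":
    for risk in SAMPLE_REGISTER:
        print(f"{risk.asset:20} inherent={risk.inherent_score()} residual={risk.residual_score()}")
    for asset, threat, score, action in treatment_plan(SAMPLE_REGISTER, RISK_APPETITE):
        print(f"{action:7} {asset} / {threat} (residual {score})")
```

Run as a script it prints the inherent and residual score of each entry and then the plan: only the password/social engineering risk (inherent 6, residual 5 after training) stays above the appetite and is marked Reduce, while the fire and malware risks drop to 3 and are accepted. Clamping the ratings to the 1..3 scale matters: two stacked controls on the laptop entry cannot push likelihood below Low, so the residual score never drops below 2, which is the honest floor of this formula.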
19. Assets – What do we protect
Examples:
1. Hardware
2. Software
3. Information (electronic, paper, etc.)
4. Infrastructure
5. People
6. Etc.
20. Threats – What can happen
Examples:
1. Fire
2. Earthquake
3. Computer viruses
4. Bomb threat
5. Equipment malfunction
6. Key people leaving the company
21. Vulnerabilities – Why it can happen
Examples:
1. Lack of a fire-extinguishing system
2. Lack of business continuity plans
3. Lack of anti-virus software
4. Lack of incident response procedures
5. Obsolete equipment
6. Lack of replacement for key people