This document discusses the importance of establishing a baseline between a relying party and their suppliers when the relying party is seeking security assurances from the suppliers. It provides examples of how a community of relying parties and suppliers can work to establish a common understanding of risks and threats. Specifically, it describes how a card protection industry established a common threat assessment that suppliers would use in their ISO27001 risk assessments to help ensure consistent risk identification and analysis across the community. The document advocates that open engagement between relying parties and suppliers is important to understand how each views and assesses risks.
16. INFORMED RISK DECISIONS
Helping enterprises make reasoned cyber risk decisions
Example of Applying Assurance Selection Questions: Service Provision to the UK Payments Industry, the Card Protection Agencies Accreditation Scheme
17. The Card Protection Business Model
[Diagram: the flow of a card and of loss reports between Card Issuers, Cardholders and Card Protection Agencies]
1. Card issuer issues cards to the cardholder
2. Cardholder registers a card with the card protection agency
3. Cardholder loses the card
4. Cardholder reports the loss to the card protection agency
5. Card protection agency reports the loss to the card issuer
6. Card issuer reissues the card
What information are we sharing and why is it valuable, and what could threaten it and how?
18. Reasons for choosing ISO27001
- Previous assurance processes were entirely in-house
- A major commitment and becoming increasingly expensive to resource and maintain currency
- A data warehousing problem, rich with IT and IT security issues
- Need to be able to assess a small number of entities against a common framework
- Recognised that there was a wide variety of implementation strategies
- Need for a good industry-accepted best practice assurance method
- Need to change the culture and mindset of a number of the existing participants
25. The Community Threat Assessment
[Diagram: the assets and the consequences of their compromise give the asset value; the threat sources and their attack methods give the threats; together these make up the threat assessment]
The Assets:
- Personal data of any form, particularly payment card data
- The systems used to process, store and protect data
- The reputation of card issuers and processors
Consequences of Compromise:
- Fraud
- Identity theft
- Crimes against the individual
- Reputational damage
Sources:
- Outsiders and insiders
- Those out for gain and profit
- Those out to harm the individual
- Those out to harm the industry
Attack Methods:
- Electronic or information security threats: hacking, malware, keystroke loggers, device insertion, deception and phishing
- Members of staff and the technology they own
41. ISO 27001 Training Courses
- ISO/IEC 27001 Introduction: 1-day course
- ISO/IEC 27001 Foundation: 2-day course
- ISO/IEC 27001 Lead Implementer: 5-day course
- ISO/IEC 27001 Lead Auditor: 5-day course
Exam and certification fees are included in the training price.
https://www.pecb.com/iso-iec-27001-training-courses | www.pecb.com/events