ISO 27001:2013 Awareness, Seminar & Workshop Indonesia Honeynet Project IHP, Badan Siber dan Sandi Negara BSSN, Universitas Syiah Kuala Unsyiah, 23-24 Oktober 2018

1. ISO 27001:2013
Introduction
STUDY CASE
IGN Mantra, M.Kom, MM, CEI
ISO 27001:2013 Lead Auditor

2. What is information risk management?
• Management implies someone proactively, deliberately, explicitly and
systematically identifying, assessing, evaluating and dealing with risks
on an ongoing basis (coping with any changes), along with related
governance aspects such as direction, control, authorization and
resourcing of the process, risk treatments etc.;
• Risk, in this context, is the potential occurrence of events or incidents
that materially harm the organization’s interests;
• Information is the valuable meaning or knowledge or understanding
that we derive from data such as the content of computer files,
paperwork, conversations, expertise, intellectual property and so
forth.

3. The process diagram sums it up

4. The first stage of the process is to Identify potential
information risks. Several factors or information sources feed-
in to the Identify step, including:
• Vulnerabilities are the inherent weaknesses within our facilities, technologies, processes
(including information risk management itself!), people and relationships, some of which
are not even recognized as such;
• Threats are the actors (insiders and outsiders) and natural events that might
cause incidents if they acted on vulnerabilities causing impacts;
• Assets are, specifically, information assets, in particular valuable information content but
also, to a lesser extent, the storage vessels, computer hardware etc. many of which are
relatively cheap commodities these days;
• Impacts are the harmful effects or consequences of incidents and calamities affecting
assets, damaging the organization and its business interests, and often third parties;
• Incidents range in scale from minor, trivial or inconsequential events up to calamities,
disasters and outright catastrophes;
• Advisories, standards etc. refers to relevant warnings and advice put out by myriad
organizations such as CERT, the FBI, ISO/IEC, journalists, technology vendors plus
information risk and security professionals (our social network).

5. “We are just starting our ISO27k program. Which
information risk analysis method/s could we use?”
1. Analog Risk Assessment (ARA) is a deceptively simple creative method to analyze, visualize, report,
compare and consider risks subjectively according to their relative probabilities of occurrence and
impacts. It uses Probability Impact Graphs (PIGs) to represent disparate risks on a directly comparable
basis;
2. Calabrese’s Razor is a method developed by Chris Calabrese to help the Center for Internet Security
prioritize technical controls in their security configuration guides, though it has wider application. It helps
to evaluate and compare the costs and benefits for each control on an even footing. An interesting
approach;
3. COBIT from ISACA provides a comprehensive model guiding the implementation of sound IT governance
processes/systems, including to some extent information security controls. It is widely used by SOX and IT
auditors;
4. COSO ERM (the Committee of Sponsoring Organizations of the Treadway Commission’s Enterprise Risk
Management framework), published in 2004, is a widely used general structure/approach to managing all
forms of organizational risk;
5. Delphi is essentially a forecasting technique involving successive rounds of anonymous predictions with
consolidation and feedback to the participants between each round. It can be applied to predicting
information risks with no less chance of success than the other methods shown here;

6. 6. DIY (Do It Yourself) methods - see below;
7. FMEA (Failure Modes and Effects Analysis) is a generic method commonly used in engineering design. It
focuses on examining the possible ways in which a system (or process or whatever) might possibly fail,
impacting the organization (or the users or customers or managers or whomever). The specific causes of
such failures are de-emphasized compared to other risk analysis methods: the focus is on identifying and
mitigating the most harmful effects regardless of cause, given that, in complex systems, it is generally
impossible to determine all possible failure scenarios exhaustively;
8. The UK’s Institute of Risk Management (IRM), Association of Insurance and Risk Managers (AIRMIC) and
ALARM, The National Forum for Risk Management in the Public Sector, jointly produced A Risk
Management Standard back in 2002. It encompasses all forms of organizational risk, not just information
risk, using terms defined in ISO Guide 73;
9. ISO 31000 offers guidance on the principles and implementation of risk management in general (not IT or
information security specific). ISO 31000 is intended to provide a consensus general framework for
managing risks in areas such as finance, chemistry, environment, quality, information security etc.;
10. ISO/IEC 27005 isn’t really a risk assessment or management method as such, more of a meta-method, an
approach to choosing methods that are appropriate for your organization. The standard is seriously out of
date and cannot be recommended unless/until it is updated to reflect the current ISO27k standards;

7. 11. Mehari is a 100% free open-source (Creative Commons) risk analysis and management method primarily in French, with
translations. It was originally developed by CLUSIF (Club de la Sécurité de l'Information Français) and CLUSIQ. It adopted
terminology and concepts from, and extends, ISO/IEC 27005, for example mapping risk questionnaires to ISO/IEC 27001/27002
controls. There are tools for different usages and sizes of organizations;
12. NIST SP 800-30 “Risk Management Guide for Information Technology Systems” is a free PDF download from NIST.
An accompanying guideline is also available and also free.
13. NIST SP 800-39 “Managing Risk from Information Systems - An Organizational Perspective” is another freebie from NIST, paid-
for by U.S. tax-payers;
14. OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) is CERT’s risk-based strategic assessment and
planning technique for security. It takes a business rather than technology-centric view of security risks. OCTAVE Allegro is, as
the name suggests (to musicians if not the unfortunate owners of possibly the worst British car ever), a quick version of
OCTAVE;
15. Risk IT from IT Governance Institute/ISACA is similar in style to COBIT and Val IT but focuses on risk;
16. Stochastic modeling methods using Markov chains, stochastic Petri nets, Monte Carlo simulation, Bayesian or other statistical
techniques and probability theory are commonly applied to estimate uncertain risk values from incomplete data in the
financial industry. They have some potential for systematically examining information risks, but are uncommon in practice;
17. Verinice is a free open-source tool supporting the BSI IT-Grundschutz standards.

8. “How do we choose a risk analysis tool or
method?”
• Quantitative or qualitative
• Scope
• Scaleability
• Maintainability and support
• Usability
• Value

9. Add a ‘weighting’ column to your spreadsheet and fill it with a
series of percentages that reflect the relative desirability of all
criteria and add up to 100%
• Add columns in which you will enter evaluation scores for each
tool/criterion combination e.g.:
• 0 = “hopeless”: tool/method does not satisfy this criterion at all;
• 1 = “poor”: tool/method hardly satisfies this criterion;
• 2 = “OK”: tool/method barely satisfies this criterion;
• 3 = “good”: tool/method fully satisfies this criterion;
• 4 = “outstanding”: tool/method exceeds our expectations with additional
useful/valuable functions.