Risk Assessment as per ISO 27005




                   Presented by Dharshan Shanthamurthy,
                         Risk Assessment Evangelist
                           WWW.SMART-RA.COM



SMART-RA.COM is a patent pending product of SISA Information Security Pvt. Ltd.
What is Risk Assessment?
• NIST SP 800-30
  Risk assessment is the analysis of threats in conjunction with
  vulnerabilities and existing controls.
• OCTAVE
  A risk assessment provides the information needed to make
  risk management decisions regarding the degree of security
  remediation.
• ISO 27005
  Risk Assessment = Identification + Estimation + Evaluation
Why Risk Assessment?
Regulatory Compliance

Compliance Standard                 Risk Assessment Requirement
PCI DSS Requirement 12.1.2          Formal and structured risk assessment based on methodologies
                                    such as ISO 27005, NIST SP 800-30 or OCTAVE.
HIPAA 45 CFR 164.308(a)(1)(ii)(A)   Conduct an accurate and thorough assessment of the potential
                                    risks and vulnerabilities to the confidentiality, integrity,
                                    and availability of electronic protected health information
                                    held by the covered entity.
FISMA (44 U.S.C. 3544)              Periodic testing and evaluation of the effectiveness of
                                    information security policies, procedures, and practices,
                                    to be performed at least annually.
ISO/IEC 27002:2005 Clause 4.1       Risk assessments should identify risks against risk acceptance
(the requirement itself is          criteria and organizational objectives. Risk assessments should
ISO/IEC 27001:2005 clause 4.2.1)    also be performed periodically to address changes in the
                                    security requirements and in the risk situation.

Also: GLBA, SOX, Data Protection Act, IT Act Amendment 2008, Privacy Act, HITRUST, and others.
Why Risk Assessment?
Business Rationale

Function                   Explanation
Return on Investment       A structured RA methodology follows a systematic, pre-defined
                           approach, minimizes the scope for human error, and emphasizes
                           process-driven rather than person-driven activities.
Budget Allocation          Assists in controls cost planning and justification.
Controls                   Cost and effort optimization by optimizing controls selection
                           and implementation.
Efficient utilization      Resource optimization by appropriate delegation of actions
of resources               related to controls implementation.
What is IS-RA?
Information security risk assessment (IS-RA) is the cornerstone of any
information security program, and it is the fastest way to gain a
complete understanding of an organization's security profile: its
strengths and weaknesses, its vulnerabilities and exposures.



"IF YOU CAN'T MEASURE IT ...YOU CAN'T MANAGE IT!"
Reality Check
•   ISRA: a need more than a want
•   Each organization has its own ISRA
•   ISRA learning curve
•   Cumbersome: 1000 assets, 20 worksheets
•   Two months of effort
•   Complicated report
Exercise
• Threat scenarios
• Threat profiles to be filled in
Risk Assessment reference points
     •   OCTAVE
     •   NIST SP 800‐30
     •   ISO 27005
     •   COSO
     •   Risk IT
     •   ISO 31000
     •   AS/NZS 4360
     •   FRAP
     •   FTA
     •   MEHARI
ISO 27005 Introduction
 • ISO/IEC 27005 is an information security risk management (ISRM) guideline.

 • Lays emphasis on the ISMS concept of ISO/IEC 27001:2005.

 • Drafted and published jointly by the International Organization for
   Standardization (ISO) and the International Electrotechnical
   Commission (IEC).

 • Provides RA guidance but does not prescribe any particular RA
   methodology; the organization chooses its own scales, criteria and
   method, and the standard's annexes only give examples.

 • Applicable to organizations of all types.
ISO 27005 Workflow
• Advocates an iterative approach to risk assessment.

• Aims at balancing time and effort with controls efficiency in
  mitigating high risks.

• Proposes the Plan-Do-Check-Act cycle.




                                        Source: ISO 27005 Standard
ISO 27005 Risk Assessment
Information Security Risk Assessment = Risk Analysis + Risk Evaluation

Risk Analysis:
                    Risk Analysis = Risk Identification + Risk Estimation

1. Risk Identification
     Risk is characterized in terms of organizational conditions.

          • Identification of Assets: assets within the defined scope.
          • Identification of Threats: based on incident reviews, asset
             owners, asset users, external threat information, etc.
          • Identification of Existing Controls: also check whether the controls
             are actually working correctly; a documented control that is not
             implemented, or not used, provides no risk reduction.
          • Identification of Vulnerabilities: vulnerabilities are shortlisted in
             organizational processes, IT, personnel, etc.
          • Identification of Consequences: the impact of loss of confidentiality,
             integrity and availability (CIA) of assets.

 2. Risk Estimation

      – Specifies the measure of risk.

          • Qualitative estimation
          • Quantitative estimation

 Risk Evaluation:
          • Compares and prioritizes the level of risk against the risk evaluation
            criteria and the risk acceptance criteria.
ISO 27005 RA Workflow

  Step 1: General Description of ISRA
  Step 2: Risk Analysis: Risk Identification
  Step 3: Risk Analysis: Risk Estimation
  Step 4: Risk Evaluation

Step 1
1. General Description of ISRA
  Input:   Basic criteria; scope and boundaries; organization for ISRM
  Action:  Identify, describe (quantitatively or qualitatively) and prioritize risks
  Output:  Assessed risks prioritized according to the risk evaluation criteria
Step 2
2.  Risk Analysis: Risk Identification
                              Identification of Assets
  Input:   Scope and boundaries; asset owners; asset location; asset function
  Action:  Assets are defined
  Output:  List of assets; list of associated business processes
Step 2
2.  Risk Analysis: Risk Identification
                              Identification of Threats
  Input:   Threat information from review of incidents, asset owners,
           asset users, etc.
  Action:  Threats are defined
  Output:  Threats; threat source; threat type
Step 2
2.  Risk Analysis: Risk Identification
                              Identification of Existing Controls
  Input:   Documentation of controls; risk treatment plan (RTP)
  Action:  Existing and planned controls are defined
  Output:  Existing and planned controls; implementation status; usage status
Step 2
2.  Risk Analysis: Risk Identification
                               Identification of Vulnerabilities
  Input:   Identified assets; identified threats; identified existing controls
  Action:  Vulnerabilities are identified
  Output:  Vulnerabilities related to assets, threats and controls;
           vulnerabilities not related to any identified threat (recorded and
           monitored, since a matching threat may appear later)
Step 2
2.  Risk Analysis: Risk Identification
                              Identification of Consequences
  Input:   Assets and business processes; threats and vulnerabilities
  Action:  The impact of the loss of CIA is identified
  Output:  Incident scenarios with their consequences related to assets
           and business processes
Step 3
3.  Risk Analysis: Risk Estimation
                                  Risk Estimation Methodologies

(a) Qualitative estimation: High, Medium, Low (ordinal scales; quick to apply
    and easy to communicate, but the values cannot be meaningfully summed)
(b) Quantitative estimation: $, hours, etc. (needs incident and loss data,
    but supports cost comparison of controls)
Step 3
3.  Risk Analysis: Risk Estimation
                                  Assessment of consequences
  Input:   Assets and business processes; threats and vulnerabilities;
           incident scenarios
  Action:  The business impact from information security incidents is assessed
  Output:  Assessed consequences of an incident scenario expressed in terms
           of assets and impact criteria
Step 3
3.  Risk Analysis: Risk Estimation
                                   Level of Risk Estimation
  Input:   Incident scenarios with their consequences; their likelihood
           (quantitative or qualitative)
  Action:  Level of risk is estimated for all relevant incident scenarios
  Output:  List of risks with value levels assigned
Step 4
4.  Risk Evaluation
  Input:   Risks with value levels assigned; risk evaluation criteria
  Action:  Level of risk is compared against the risk evaluation criteria
           and the risk acceptance criteria
  Output:  Risks prioritized according to the risk evaluation criteria
           in relation to the incident scenarios
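Steps 3 and 4 above (risk estimation and risk evaluation over the incident scenarios produced by risk identification), as a worked example. This is added example code, not from the slides or from SMART-RA; the 3-point likelihood and 4-point consequence scales, the multiplication of the two into a level, the acceptance threshold of 3, and the sample scenarios are all assumptions made for illustration, since ISO 27005 leaves scales and criteria to the organization.

```python
"""ISO 27005-style risk estimation and evaluation over identified incident
scenarios. Added example; scales, criteria and scenarios are assumptions."""
from dataclasses import dataclass
from typing import Dict, List

# Assumed qualitative scales. ISO 27005 leaves the choice of scale to the
# organization; this is a common 3-point likelihood / 4-point consequence pair.
LIKELIHOOD: Dict[str, int] = {"Low": 1, "Medium": 2, "High": 3}
CONSEQUENCE: Dict[str, int] = {"Low": 1, "Medium": 2, "High": 3, "Very High": 4}

# Assumed risk acceptance criterion: a level of 3 or below is accepted as-is.
ACCEPTANCE_THRESHOLD = 3


@dataclass
class IncidentScenario:
    """Output of risk identification: asset, threat, the vulnerability the
    threat exploits, the controls already in place, and the estimation inputs."""
    asset: str
    threat: str
    vulnerability: str
    existing_controls: List[str]
    likelihood: str            # qualitative, judged with existing controls in place
    consequence: str           # qualitative impact on the asset's C, I or A
    annual_rate: float = 0.0   # quantitative: expected occurrences per year (ARO)
    single_loss: float = 0.0   # quantitative: loss per occurrence (SLE), currency


def qualitative_level(s: IncidentScenario) -> int:
    """Level of risk = likelihood x consequence; 1..12 on the scales above.
    Raises KeyError if a scenario uses a value outside the agreed scale."""
    return LIKELIHOOD[s.likelihood] * CONSEQUENCE[s.consequence]


def quantitative_ale(s: IncidentScenario) -> float:
    """Annualised loss expectancy = ARO x SLE (0.0 when no figures were gathered)."""
    return s.annual_rate * s.single_loss


def evaluate(scenarios: List[IncidentScenario]) -> List[dict]:
    """Risk evaluation: compare each estimated level with the acceptance
    criterion and prioritise, highest level first, ALE breaking ties."""
    rows = []
    for s in scenarios:
        level = qualitative_level(s)
        rows.append({
            "asset": s.asset,
            "threat": s.threat,
            "level": level,
            "ale": quantitative_ale(s),
            "decision": "Accept" if level <= ACCEPTANCE_THRESHOLD else "Treat",
        })
    rows.sort(key=lambda r: (r["level"], r["ale"]), reverse=True)
    return rows


# Constructed sample scenarios (not from the slides).
SCENARIOS = [
    IncidentScenario("Cardholder database", "SQL injection by external attacker",
                     "Unvalidated input in payment web app", ["WAF"],
                     "High", "Very High", annual_rate=0.5, single_loss=400_000),
    IncidentScenario("HR file share", "Ransomware", "Unpatched SMB service", [],
                     "Medium", "High", annual_rate=0.2, single_loss=50_000),
    IncidentScenario("Backup tapes", "Theft in transit", "Tapes not encrypted",
                     ["Courier contract"], "Low", "Very High",
                     annual_rate=0.1, single_loss=300_000),
    IncidentScenario("Public website", "Defacement", "Weak CMS admin password",
                     ["MFA on admin login"], "Low", "Low",
                     annual_rate=1.0, single_loss=2_000),
]

if __name__ == "__main__":
    print(f'{"Level":>5}  {"Decision":<8}  {"ALE":>9}  Scenario')
    for r in evaluate(SCENARIOS):
        print(f'{r["level"]:>5}  {r["decision"]:<8}  {r["ale"]:>9,.0f}  '
              f'{r["asset"]}: {r["threat"]}')
```

The qualitative level drives the accept/treat decision and the ordering, while the ALE is carried alongside so that two scenarios at the same level can be separated, and so that the cost of a proposed control can later be compared with the loss it removes. Note that the "Backup tapes" scenario is low likelihood but lands above the threshold purely on consequence; a scale that only looked at likelihood would have accepted it.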
Summary
• Keep it simple and systematic.
• Be comprehensive.
• Build a risk-sensitive culture in the organization.
• Drive security from a risk management perspective, rather than
  only a compliance perspective.
• Help RA to help you...
Questions?

Be a Risk Assessment Evangelist!
     IS-RA Forum on LinkedIn
     SMART-RA Forum on LinkedIn




                   Dharshan Shanthamurthy,
           E-mail: dharshan.shanthamurthy@sisa.in
                   Phone: +91-99451 22551
 
Stay Ahead of Threats with Advanced Security Protection - Fortinet
Stay Ahead of Threats with Advanced Security Protection - FortinetStay Ahead of Threats with Advanced Security Protection - Fortinet
Stay Ahead of Threats with Advanced Security Protection - Fortinet
 

Recently uploaded

From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Product School
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
Paul Groth
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Product School
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 

Recently uploaded (20)

From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 

ISO 27005 Risk Assessment

  • 1. Risk Assessment as per ISO 27005 Presented by Dharshan Shanthamurthy, Risk Assessment Evangelist  WWW.SMART‐RA.COM SMART‐RA.COM is a patent pending product of SISA Information Security Pvt. Ltd.
  • 2. What is Risk Assessment? • NIST SP 800‐30: Risk Assessment is the analysis of threats in conjunction with vulnerabilities and existing controls. • OCTAVE: A Risk Assessment will provide information needed to make risk management decisions regarding the degree of security remediation. • ISO 27005: Risk Assessment = Identification, Estimation and Evaluation.
  • 3. Why Risk Assessment? Regulatory Compliance (Compliance Standard: Risk Assessment Requirement). PCI DSS Requirement 12.1.2: Formal and structured risk assessment based on methodologies like ISO 27005, NIST SP 800‐30, OCTAVE, etc. HIPAA Section 164.308(a)(1): Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity. FISMA 3544: Periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices, to be performed at least annually. ISO 27001 Clause 4.1: Risk assessments should identify risks against risk acceptance criteria and organizational objectives. Risk assessments should also be performed periodically to address changes in the security requirements and in the risk situation. Also: GLBA, SOX, FISMA, Data Protection Act, IT Act Amendment 2008, Privacy Act, HITRUST……
  • 4. Why Risk Assessment? Business Rationale (Function: Explanation). Return on Investment: Structured RA Methodology follows a systematic and pre‐defined approach, minimizes the scope of human error, and emphasizes process driven, rather than human driven, activities. Budget Allocation: Assists in controls cost planning and justification. Controls: Cost and effort optimization by optimizing controls selection and implementation. Efficient utilization of resources: Resource optimization by appropriate delegation of actions related to controls implementation.
  • 5. What is IS‐RA? Risk assessment is the cornerstone of any information security program, and it is the fastest way to gain a complete understanding of an organization's security profile – its strengths and weaknesses, its vulnerabilities and exposures. “IF YOU CAN’T MEASURE IT … YOU CAN’T MANAGE IT!”
  • 6. Reality Check • ISRA – a need more than a want • Each organization has their own ISRA • ISRA learning curve • Cumbersome – 1000 assets, 20 worksheets • Two months' effort • Complicated report
  • 7. Exercise • Threat Scenarios • Threat Profiles to be filled.
  • 8. Risk Assessment reference points • OCTAVE • NIST SP 800‐30 • ISO 27005 • COSO • Risk IT • ISO 31000 • AS/NZS 4360 • FRAP • FTA • MEHARI
  • 9. ISO 27005 Introduction • ISO 27005 is an Information Security Risk Management guideline. • Lays emphasis on the ISMS concept of ISO 27001:2005. • Drafted and published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). • Provides a RA guideline and does not recommend any RA methodologies. • Applicable to organizations of all types.
  • 10. ISO 27005 Workflow • Advocates an iterative approach to risk assessment • Aims at balancing time and effort with controls efficiency in mitigating high risks • Proposes the Plan‐Do‐Check‐Act cycle. Source: ISO 27005 Standard
  • 11. ISO 27005 Risk Assessment. Information Security Risk Assessment = Risk Analysis + Risk Evaluation. Risk Analysis = Risk Identification + Risk Estimation. 1. Risk Identification: risk characterized in terms of organizational conditions. • Identification of Assets: Assets within the defined scope. • Identification of Threats: Based on Incident Reviewing, Asset Owners, Asset Users, External threats, etc.
  • 12. ISO 27005 Risk Assessment Contd. • Identification of Existing Controls: Also check if the controls are working correctly. • Identification of Vulnerabilities: Vulnerabilities are shortlisted in organizational processes, IT, personnel, etc. • Identification of Consequences: The impact of loss of CIA of assets. 2. Risk Estimation – Specifies the measure of risk. • Qualitative Estimation • Quantitative Estimation. Risk Evaluation: • Compares and prioritizes Risk Level based on Risk Evaluation Criteria and Risk Acceptance Criteria.
  • 13. ISO 27005 RA Workflow. Step 1: General Description of ISRA. Step 2: Risk Analysis: Risk Identification. Step 3: Risk Analysis: Risk Estimation. Step 4: Risk Evaluation.
  • 14. Step 1. General Description of ISRA. Input: Basic Criteria; Scope and Boundaries; Organization for ISRM. Action: Identify, Describe (quantitatively or qualitatively) and Prioritize Risks. Output: Assessed risks prioritized according to Risk Evaluation Criteria.
  • 15. Step 2. Risk Analysis: Risk Identification: Identification of Assets. Input: Scope and Boundaries. Action: Assets are defined. Output: List of Assets; Asset owners; Asset Location; Asset function; List of associated business processes.
  • 16. Step 2. Risk Analysis: Risk Identification: Identification of Threats. Input: Threat Information from • Review of Incidents • Asset Owners • Asset Users, etc. Action: Threats are defined. Output: • Threats • Threat source • Threat type.
  • 17. Step 2. Risk Analysis: Risk Identification: Identification of Existing Controls. Input: • Documentation of controls • RTP. Action: Existing and planned controls are defined. Output: • Existing and planned controls • Implementation status • Usage status.
  • 18. Step 2. Risk Analysis: Risk Identification: Identification of Vulnerabilities. Input: • Identified Assets • Identified Threats • Identified Existing Controls. Action: Vulnerabilities are identified. Output: • Vulnerabilities related to assets, threats, controls. • Vulnerabilities not related to any threat.
  • 19. Step 2. Risk Analysis: Risk Identification: Identification of Consequences. Input: • Assets and business processes • Threats and vulnerabilities. Action: The impact of the loss of CIA is identified. Output: Incident scenarios with their consequences related to assets and business processes.
  • 20. Step 3. Risk Analysis: Risk Estimation. Risk Estimation Methodologies: (a) Qualitative Estimation: High, Medium, Low. (b) Quantitative Estimation: $, hours, etc.
  • 21. Step 3. Risk Analysis: Risk Estimation: Assessment of consequences. Input: • Assets and business processes • Threats and vulnerabilities • Incident scenarios. Action: The business impact from information security incidents is assessed. Output: Assessed consequences of an incident scenario expressed in terms of assets and impact criteria.
  • 22. Step 3. Risk Analysis: Risk Estimation: Level of Risk Estimation. Input: • Incident scenarios with their consequences • Their likelihood (quantitative or qualitative). Action: Level of risk is estimated for all relevant incident scenarios. Output: List of risks with value levels assigned.
  • 23. Step 4. Risk Evaluation. Input: • Risks with value levels assigned and risk evaluation criteria. Action: Level of risk is compared against risk evaluation criteria and risk acceptance criteria. Output: Risks prioritized according to risk evaluation criteria in relation to the incident scenarios.
  • 24. Summary • Keep it Simple and Systematic • Comprehensive • Risk sensitive culture in the organization. • Drive security from a risk management perspective, rather than only a compliance perspective. • Help RA to help you…
  • 25. Questions? Be a Risk Assessment Evangelist! IS‐RA Forum on Linkedin. SMART‐RA Forum on Linkedin. Dharshan Shanthamurthy, E‐mail: dharshan.shanthamurthy@sisa.in, Phone: +91‐99451 22551
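As an added worked example (not from the slides, SMART‐RA or the ISO 27005 text itself), the Python script below runs one constructed risk register through the three stages the deck describes: risk identification producing incident scenarios and keeping vulnerabilities that relate to no threat on record (slides 15 to 19), risk estimation in both the qualitative form (a likelihood × consequence matrix giving High/Medium/Low) and the quantitative form (annual loss expectancy in $) from slides 20 to 22, and risk evaluation against acceptance criteria with prioritisation (slide 23). The 3×3 matrix, the rule that an existing control which is actually working lowers likelihood by one step, the acceptance thresholds, and every asset, threat and vulnerability name are assumptions made for illustration; as slide 9 notes, ISO 27005 leaves the methodology and criteria to the organization.

```python
# Added example: an ISO 27005-style identification -> estimation -> evaluation pass.
# The register, matrix, control rule and thresholds are constructed, not taken from the slides.
from dataclasses import dataclass
from typing import Optional

LEVELS = ["Low", "Medium", "High"]                     # qualitative scale (slide 20)
RANK = {name: i + 1 for i, name in enumerate(LEVELS)}  # numeric rank, used only for ordering

# Assumed 3x3 risk matrix: (likelihood, consequence) -> level of risk.
RISK_MATRIX = {
    ("Low", "Low"): "Low",     ("Low", "Medium"): "Low",       ("Low", "High"): "Medium",
    ("Medium", "Low"): "Low",  ("Medium", "Medium"): "Medium", ("Medium", "High"): "High",
    ("High", "Low"): "Medium", ("High", "Medium"): "High",     ("High", "High"): "High",
}

@dataclass(frozen=True)
class Vulnerability:        # slide 18 output: tied to an asset, possibly a threat and a control
    name: str
    asset: str
    threat: Optional[str]            # None = vulnerability not related to any threat
    existing_control: Optional[str]
    control_effective: bool          # slide 12: check that the existing control actually works

@dataclass(frozen=True)
class IncidentScenario:     # slide 19 output plus the assessor's estimation inputs
    asset: str
    threat: str
    vulnerability: str
    consequence: str   # impact of loss of CIA: Low / Medium / High (slide 21)
    likelihood: str    # Low / Medium / High (slide 22)
    sle: float         # single-loss expectancy in $ for the quantitative estimate (slide 20)
    aro: float         # annualised rate of occurrence

def build_scenarios(vulns, ratings):
    """Risk identification: every vulnerability with an associated threat becomes an incident
    scenario. `ratings` maps vulnerability name -> (consequence, likelihood, sle, aro) as rated
    by the assessor. Vulnerabilities with no threat are returned separately but not discarded."""
    scenarios, orphans = [], []
    for v in vulns:
        if v.threat is None:
            orphans.append(v.name)
            continue
        consequence, likelihood, sle, aro = ratings[v.name]
        # Assumption: a control that is both in place and working lowers likelihood by one step.
        if v.existing_control and v.control_effective and likelihood != "Low":
            likelihood = LEVELS[LEVELS.index(likelihood) - 1]
        scenarios.append(IncidentScenario(v.asset, v.threat, v.name, consequence, likelihood, sle, aro))
    return scenarios, orphans

def qualitative_level(scenario):
    """Qualitative estimation: look the scenario up in the risk matrix."""
    return RISK_MATRIX[(scenario.likelihood, scenario.consequence)]

def annual_loss_expectancy(scenario):
    """Quantitative estimation: ALE = SLE x ARO, in $ per year."""
    return scenario.sle * scenario.aro

def evaluate(scenarios, acceptable_level="Medium", acceptable_ale=10_000.0):
    """Risk evaluation: a risk is accepted only if it meets both acceptance criteria
    (qualitative ceiling and ALE ceiling); the result is prioritised highest risk first."""
    rows = []
    for s in scenarios:
        level, ale = qualitative_level(s), annual_loss_expectancy(s)
        rows.append({"asset": s.asset, "threat": s.threat, "vulnerability": s.vulnerability,
                     "level": level, "ale": ale,
                     "accepted": RANK[level] <= RANK[acceptable_level] and ale <= acceptable_ale})
    rows.sort(key=lambda r: (RANK[r["level"]], r["ale"]), reverse=True)
    return rows

# Constructed sample register; names and figures are illustrative only.
SAMPLE_VULNS = [
    Vulnerability("Unpatched web framework", "Customer portal", "External attacker", None, False),
    Vulnerability("Backup restore never tested", "Order database", "Hardware failure", "Nightly backups", False),
    Vulnerability("Shared admin account", "Order database", "Malicious insider", "Privileged access review", True),
    Vulnerability("No visitor log at branch office", "Branch office", None, None, False),
]
SAMPLE_RATINGS = {  # vulnerability -> (consequence, likelihood, SLE in $, ARO per year)
    "Unpatched web framework": ("High", "High", 250_000.0, 0.5),
    "Backup restore never tested": ("High", "Medium", 120_000.0, 0.25),
    "Shared admin account": ("Medium", "High", 12_000.0, 0.5),
}

def run_assessment():
    """Run the sample register through all three stages; returns (prioritised rows, orphans)."""
    scenarios, orphans = build_scenarios(SAMPLE_VULNS, SAMPLE_RATINGS)
    return evaluate(scenarios), orphans

if __name__ == "__main__":
    rows, orphans = run_assessment()
    for r in rows:
        verdict = "accept" if r["accepted"] else "treat"
        print(f"{r['level']:<7} ALE ${r['ale']:>9,.0f}  {verdict:<6} {r['asset']} / {r['threat']} / {r['vulnerability']}")
    print("Vulnerabilities not related to any threat:", orphans)
```

Running it prints the register prioritised by level and then by ALE, with the two High risks flagged for treatment and the Medium one within both acceptance thresholds; the branch-office vulnerability has no threat paired with it, so it produces no incident scenario but is still reported, which is the slide 18 output "vulnerabilities not related to any threat". Keeping the two criteria separate matters in practice: a risk that looks acceptable on the qualitative matrix can still exceed the monetary ceiling, and the evaluation should surface that rather than average it away.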