ISO 27005 Risk Assessment

Risk Assessment as per ISO 27005

Presented by Dharshan Shanthamurthy,
Risk Assessment Evangelist
WWW.SMART‐RA.COM

SMART‐RA.COM is a patent pending product of SISA Information Security Pvt. Ltd.

What is Risk Assessment?
What is Risk Assessment?
• NIST SP 800‐30
Risk Assessment is the analysis of threats in conjunction with
vulnerabilities and existing controls.
l biliti d i ti t l
• OCTAVE
A Risk Assessment will provide information needed to make
risk management decisions regarding the degree of security
remediation.
remediation
• ISO 27005
Risk Assessment = Identification, Estimation and
Risk Assessment Identification Estimation and
Evaluation

Why Risk Assessment?
Regulatory Compliance
Compliance Risk Assessment Requirement
Standard
St d d
PCI DSS Formal and structured risk assessment based on methodologies like ISO 27005,
Requirement NIST SP 800‐30, OCTAVE, etc.
12.1.2
12 1 2
HIPAA Section Conduct an accurate and thorough assessment of the potential risks and
164.308(a)(1) vulnerabilities to the confidentiality, integrity, and availability of electronic
protected health information held by the covered entity.
protected health information held by the covered entity
FISMA 3544 Periodic testing and evaluation of the effectiveness of information security
policies, procedures, and practices, to be performed at least annually.

ISO 27001 Clause Risk assessments should identify risks against risk acceptance criteria and
4.1 organizational objectives. Risk assessments should also be performed
periodically to address changes in the security requirements and in the risk
situation.
GLBA, SOX, FISMA, Data Protection Act, IT Act Amendment 2008, Privacy Act, HITRUST……

Why Risk Assessment?
y
Business Rationale
Function Explanation
Return on Structured RA Methodology follows a systematic and pre‐defined
Investment approach, minimizes the scope of human error, and emphasizes
process driven, rather than human driven activities.
process driven rather than human driven activities

Budget Allocation Assists in controls cost planning and justification

Controls Cost and effort optimization by optimizing controls selection and
implementation

Efficient Resource optimization by appropriate delegation of actions related to
utilization of
utilization of controls implementation.
controls implementation
resources

What is IS-RA?
IS RA?
Risk assessment is the cornerstone of any information
security program, and it is the fastest way to gain a
complete understanding of an organization's security
profile – its strengths and weaknesses its vulnerabilities
weaknesses,
and exposures.

“IF YOU CAN’T MEASURE IT

…YOU CAN’T MANAGE IT!”
YOU

Reality Check
Reality Check
• ISRA– a need more than a want
• Each organization has their own ISRA
Each organization has their own ISRA
• ISRA learning curve
• Cumbersome – 1000 assets, 20 worksheets
• Two months efforts
Two months efforts
• Complicated report

Exercise
• Threat Scenarios
• Threat Profiles to be filled.
Threat Profiles to be filled.

Risk Assessment reference points
• OCTAVE
• NIST SP 800‐30
• ISO 27005
• COSO
• Risk IT
• ISO 31000
• AS/NZS 4360
• FRAP
• FTA
• MEHARI

ISO 27005 Introduction
ISO 27005 Introduction
• ISO 27005 i
ISO 27005 is an Information Security Risk Management guideline.
I f ti S it Ri k M t id li

• Lays emphasis on the ISMS concept of ISO 27001: 2005.

• Drafted and published by the International Organization for
Standardization (ISO) and the International Electrotechnical
Standardization (ISO) and the International Electrotechnical
Commission (IEC)

• Provides a RA guideline and does not recommend any RA
Provides a RA guideline and does not recommend any RA
methodologies.

• Applicable to organizations of all types.
f

ISO 27005 Workflow
ISO 27005 Workflow
• Advocates an iterative approach
pp
to risk assessment

• Aims at balancing time and
Aims at balancing time and
effort with controls efficiency in
mitigating high risks

• Proposes the Plan‐Do‐Check‐Act
cycle.

Source: ISO 27005 Standard

ISO 27005 Risk Assessment
ISO 27005 Risk Assessment
Information Security Risk Assessment = Risk Analysis +
I f i S i Ri k A Ri k A l i
Risk Evaluation
Risk Analysis:
Risk Analysis:
Risk Analysis = Risk Identification + Risk Estimation

1. Risk Identification
Risk characterized in terms of organizational conditions
Risk characterized in terms of organizational conditions

• Identification of Assets: Assets within the defined scope
• Identification of Threats: Based on Incident Reviewing, Asset
Owners, Asset Users, External threats, etc.

ISO 27005 Risk Assessment Contd.
ISO 27005 Risk Assessment Contd.
• Identification of Existing Controls: Also check if the controls are working
Identification of Existing Controls: Also check if the controls are working
correctly.
• Identification of Vulnerabilities: Vulnerabilities are shortlisted in
organizational processes, IT, personnel, etc.
• Identification of Consequences: The impact of loss of CIA of assets.

2. Risk Estimation

– Specifies the measure of risk.

• Qualitative Estimation
Qualitative Estimation
• Quantitative Estimation

Risk Evaluation:
Risk Evaluation:
• Compares and prioritizes Risk Level based on Risk Evaluation Criteria and Risk
Acceptance Criteria.

ISO 27005 RA Workflow

Step 1 Step 2 Step 3 Step 4
General
General Risk Analysis:
Risk Analysis:
Description of Risk Analysis:
Risk Risk Evaluation
ISRA Risk Estimation
Identification

Step 1
General
Risk Analysis: Risk
Risk Analysis: Risk Risk Analysis: Risk
Risk Analysis Risk
Description of Identification Estimation
Risk Evaluation

ISRA

1. General Description of ISRA

Identify, Describe
d f b Assessed risks
d ik
Basic Criteria
(quantitatively or prioritized according to
Scope and Boundaries
qualitatively) and Risk Evaluation
Organization for ISRM
g
Prioritize Risks
P i iti Ri k Criteria.
C it i

Step 2
Risk Analysis:
General Description
General Description Risk Analysis: Risk
Risk Analysis Risk
of ISRA Risk
Ri k Estimation
Risk Evaluation
Identification

2. Risk Analysis: Risk Identification
Identification of Assets

Scope and Boundaries
S d d i
List of Assets.
Asset owners
Assets are defined List of associated
Asset Location
business processes.
p
Asset function
A t f ti

Step 2
Risk Analysis:
General Description
Risk Analysis Risk
of ISRA Risk
Ri k Estimation
Risk Evaluation
Identification

Identification of Threats

Threat Information
Threat Information
from • Threats
• Review of Incidents Threats are defined • Threat source
• Asset Owners • Threat type
yp
• Asset Users, etc.

Step 2
Risk Analysis:
General Description
Risk Analysis Risk
of ISRA Risk
Ri k Estimation
Risk Evaluation
Identification

Identification of Existing Controls

• Existing and
Existing and
• Documentation of planned controls
Existing and planned
controls • Implementation
controls are defined
• RTP status
• Usage status

Step 2
Risk Analysis:
General Description
Risk Analysis Risk
of ISRA Risk
Ri k Estimation
Risk Evaluation
Identification

Identification of Vulnerabilities

• Vulnerabilities related
Vulnerabilities related
• Identified Assets
d ifi d
to assets, threats,
• Identified Threats Vulnerabilities are
controls.
• Identified Existing identified
• Vulnerabilities not
Controls
C t l
related to any threat.

Step 2
Risk Analysis:
General Description
Risk Analysis Risk
of ISRA Risk
Ri k Estimation
Risk Evaluation
Identification

Identification of Consequences

• Incident scenarios
Incident scenarios
• Assets and business
db i
with their
processes The impact of the loss
consequences related
• Threats and of CIA is identified
to assets and
vulnerabilities
l biliti
business processes

Step 3
Risk Analysis:
General Description
Risk Analysis: Risk
of ISRA Identification Risk
Ri k Risk Evaluation
Estimation

3. Risk Analysis: Risk Estimation
Risk Estimation Methodologies

(a) Qualitative Estimation: High, Medium, Low
( ) Q lit ti E ti ti Hi h M di L
( )
(b) Quantitative Estimation: $, hours, etc.

Step 3
Risk Analysis:
General Description
Risk Analysis: Risk
Estimation

Assessment of consequences

• Assets and business
Assets and business Assessed consequences
Assessed consequences
The business impact
h b
processes of an incident scenario
from information
• Threats and expressed in terms of
security incidents is
vulnerabilities p
assets and impact
assessed.
d
• Incident scenarios criteria.

Step 3
Risk Analysis:
General Description
Risk Analysis: Risk
Estimation

Level of Risk Estimation

• Incident scenarios
with their Level of risk is
l f k
consequences estimated for all List of risks with value
• Their likelihood relevant incident levels assigned.
(quantitative or scenarios
i
qualitative).

Step 4

General Description
Risk Analysis: Risk Risk Analysis: Risk
Risk Analysis: Risk Risk
Risk
of ISRA Identification Estimation
Evaluation

Level of Risk Estimation

Risks prioritized
Risks prioritized
Level of risk is
l f k
• Risks with value levels according to risk
compared against risk
assigned and risk evaluation criteria in
evaluation criteria and
evaluation criteria. relation to the incident
risk acceptance criteria
ik t it i
scenarios.

Summary
• Keep it Simple and Systematic
• Comprehensive
• Risk sensitive culture in the organization.
• Drive security from a risk management
p p
perspective, rather only a compliance
, y p
perspective.
• H l RA t h l
Help RA to help you…

Questions?

Be a Risk Assessment Evangelist!
Be a Risk Assessment Evangelist!
IS‐RA Forum on Linkedin
SMART‐RA Forum on Linkedin
SMART RA Forum on Linkedin

Dharshan Shanthamurthy,
E‐mail: dharshan.shanthamurthy@sisa.in
y
Phone: +91‐99451 22551

ISO 27005 Risk Assessment

More Related Content

What's hot

Viewers also liked

Similar to ISO 27005 Risk Assessment

Recently uploaded

ISO 27005 Risk Assessment