In today’s information economy, the development, exploitation and protection of information and associated assets are key to the long-term competitiveness and survival of corporations and entire economies. The protection of information and associated assets – information security – is therefore overtaking physical asset protection as a fundamental corporate governance responsibility. An information security management system (ISMS) that provides “a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization’s information security to achieve business objectives” has become a critical corporate discipline, alongside marketing, sales, HR and financial management.
A key corporate governance objective is to ensure that the organisation has an appropriate balance of risk and reward in its business operations and, as a consequence, enterprise risk management (ERM) increasingly provides a framework within which organisations can assess and manage risks in their business plan. The recognition of substantial, strategic risk in information and communication technologies has led to the development of IT governance.
The changing global economy, together with recent corporate and IT governance developments, provides the context within which organisations have to assess risks to the information assets on which they, and the delivery of their business plan objectives, depend. Information security management decisions are driven entirely by the outcomes of a risk assessment process carried out against identified risks and specific information assets.
Risk assessment is, therefore, the core competence of information security management.
The Introduction (Clause 0) of ISO/IEC 27002:2013 (ISO 27002), the international code of best practice for ISMSs, supports this business- and risk-oriented approach: “Resources employed in implementing controls need to be balanced against the business harm likely to result from security issues in the absence of those controls. The results of a risk assessment will help guide and determine the appropriate management action and priorities for managing information security risks and for implementing controls selected to protect against these risks.”
A growing number of organisations are adopting this approach to the management of risk. A number of national or proprietary standards that deal with information security risk management have emerged over the years. They all have much in common. ISO 27001 is the international standard that sets out the requirements for an ISMS and provides an approach to risk management consistent with all other guidance; indeed many of the other frameworks that are available are based on ISO 27001. This approach is also appropriate for organisations complying with the Payment Card Industry Data Security Standard (PCI DSS), and supports compliance with other legal and regulatory requirements, such as the EU’s General Data Protection Regulation (GDPR) and Directive on security of network and information systems (NIS Directive).
Of course, every organisation needs to determine its criteria for accepting risks, and identify the levels of risk it will accept. It is a truism to point out that there is a relationship between the levels of risk and reward in any business. Most businesses, particularly those subject to the Sarbanes-Oxley Act of 2002 and, in the UK, the FRC’s Guidance on Risk Management, Internal Control and Related Financial and Business Reporting and the UK Corporate Governance Code, will want to be very clear about which risks they will accept and which they won’t, the extent to which they will accept risks and how they wish to control them. Management needs to specify its approach, in general and in particular, so that the business can be managed within that context. As we have indicated, risk assessment, as an activity, should be approached within the context of the organisation’s broader ERM framework.
All too often, organisations enter into risk management without considering that the practice must be part of something larger. A risk assessment is not an end in itself: it must provide outputs that are useful to the organisation. The goal of a risk assessment methodology must be to give effect to the organisation’s ISMS.
While ISO 27002 is a code of practice, ISO/IEC 27001:2013 (ISO 27001) is a specification that sets out the requirements for an ISMS. ISO 27001 is explicit in requiring that an information security risk assessment is used to inform the selection of controls. Risk assessment, as we’ve said, is therefore the core competence of information security management.
Organisations that design and implement an ISMS in line with ISO 27001 can have it assessed by a third-party certification body and if, after audit, it is found to be in line with ISO 27001, an accredited certificate of conformity can be issued.
This standard is increasingly seen as offering a practical solution to the growing range of information-related regulatory requirements, as well as helping organisations to more cost-effectively counter the increasingly sophisticated and varied range of information security threats in the modern information economy. As a result, a rapidly growing number of companies around the world are seeking certification to ISO 27001, providing a means of demonstrating to clients and other stakeholders their commitment and intent with regard to information security.
An ISMS developed and based on risk acceptance criteria, and using third-party accredited certification to provide an independent verification of the level of assurance, is an extremely useful management tool. Such an ISMS offers the opportunity to define and monitor service levels internally, as well as in contractor/partner organisations, thus demonstrating the extent to which there is effective control of those risks for which directors and senior management are accountable.
It is becoming increasingly common for ISO 27001 certification to be a prerequisite in service specification procurement documents and, as buyers become more sophisticated in their understanding of the ISO 27001 accredited certification scheme, so they will increasingly set out their requirements more specifically, not only in terms of certification itself but also in respect to the scope of the certification and the level of assurance they require. This rapid maturing in the understanding of buyers is driving organisations to improve the quality of their ISMS.
The level of assurance relates, of course, directly to the risk assessment and management aspects of creating and maintaining an ISO 27001-compliant ISMS. It is this key aspect that ensures that a consistent level of assurance is achieved across all facets of information security within an organisation.
ISO 27001 is a specification for an ISMS. As we have said, it is based on risk assessment, both initially and on an ongoing basis. ISO 27001 goes so far as to specify the requirements that an information security risk management approach must satisfy. While there are many recognised – and valid – approaches to risk assessment, an organisation that wishes to achieve ISO 27001 certification must meet the requirements set out in the Standard itself. There is no room for half measures: either a risk assessment methodology is in line with the requirements of ISO 27001, in which case accredited certification is within reach, or it is not, in which case accredited certification is not achievable.
Chapter 1: Risk management
“Risk”, says NIST, is the “measure of the extent to which an entity is threatened by a potential circumstance or event, and is typically a function of: (i) the adverse impact that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.” ISO/IEC 27000:2018 Information security management systems – Overview and vocabulary (ISO 27000) defines risk as the “effect of uncertainty on objectives”, with a subsidiary note stating that “Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence”.
The NIST definition of risk is in line with that used in ISO 27000, and is the first indicator that a risk assessment that will meet the requirements of ISO 27001 will also be in line with the NIST recommendations. The main difference between the NIST and ISO 27000 definitions is that the latter encompasses the possibility of risks having positive consequences.
ISO 27000 has a further note, however, that “Information security risk is associated with the potential that threats will exploit vulnerabilities of an information asset or group of information assets and thereby cause harm to an organization”, which retains the focus on risks to information assets reflected in previous versions of the ISO 27000 family of standards, while also encompassing an approach that focuses on scenarios that could occur and cause harm.
BS 7799-3 refers to ISO 27000 for its definitions and its guidance is given on this basis.
All organisations face risks of one sort or another on a daily basis and ISO 27001 expects that an organisation’s information security management policy will align with “the strategic direction of the organization” and that it will be “appropriate to the purpose of the organization”. It is therefore appropriate to consider, briefly, the organisational risk management context.
This is an extract taken from Information Security Risk Management for ISO 27001/ISO 27002, third edition
©IT Governance Publishing Ltd
Notes:
1. ISO/IEC 27000:2018, Clause 4.2.1 ‘Overview and principles’.
2. Other books by the same authors discuss these issues in greater detail. See, for instance, IT Governance: An International Guide to Data Security and ISO27001/ISO27002 (Kogan Page, 2019).
3. ISO/IEC 27002:2013, Clause 0.2 ‘Information security requirements’.
4. A ‘control’ is a measure that modifies a risk. See ISO 27000:2018, Clause 2.16.
5. There is a full description of the process of accredited certification in IT Governance: An International Guide to Data Security and ISO27001/ISO27002 by Alan Calder and Steve Watkins (Kogan Page, 2019).
6. See The Case for ISO 27001:2013 by Alan Calder (ITGP, 2013) for detailed coverage of the business, contractual and regulatory reasons that should lead an organisation to consider developing an ISMS in line with ISO 27001.
7. The National Institute of Standards and Technology is the US federal agency that develops and promotes measurement, standards and technology.
8. NIST SP 800-30.
9. ISO 27001, Clause 5.1 a).
10. ISO 27001, Clause 5.2 a).