(ISMS)
ISO27001 Risk Assessment Approach
March 2012
Security Risk Assessment
Overview
Process steps: Identify & value assets → Identify threats → Identify vulnerabilities → Assess inherent risk → Identify controls → Determine residual risk → Feed into risk treatment plan

• The first step in risk assessment is the identification of all information assets in the organisation, i.e. of all assets which may affect the security of information in the organisation.
• A value is assigned to each asset in terms of the worst-case impact the loss of confidentiality, integrity or availability of the asset may have on the organisation. This acts as an asset prioritisation mechanism, with only higher-value assets being taken through to the next stage.
• The next step is to identify all threats and vulnerabilities associated with the higher-value assets identified. Every asset may be associated with several threats, and every threat may be associated with several vulnerabilities.
• The probability of threats exploiting the vulnerabilities is then assessed, along with the impact should this occur, based on the assumption that no controls are in place. From this assessment, a pre-control (or inherent) risk score is calculated. Risks with a medium to high score are then taken on to the next step.
• Existing controls or mitigating factors which reduce the impact or probability of each risk are identified, and the impact and probability scores are reassessed to reflect the effect of these controls.
• Risks with scores above the acceptable risk threshold will then be raised on the Information Security risk register, where mitigating actions will be tracked by the Information Security team, and reported and escalated.
Asset identification
Assets are defined as anything which may affect confidentiality, integrity and availability of information in the organisation.

• Information e.g. Human resources data, Financial data, Marketing data, Employee passwords, Source code, System documentation, Intellectual property, Data for regulatory requirements, Strategic plans, Employee business contact data, Employee personal contact data, Purchase order data, Network infrastructure design, Internal Web sites
• Technology e.g. Servers, Desktop computers, Laptops, Tablets, Smart phones, Server application software, End-user application software, Development tools, Routers, Network switches, PBXs, Removable media, Power supplies, Uninterruptible power supplies
• Services e.g. E-mail/scheduling, Instant messaging, Active Directory directory service, Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), Enterprise management tools, File sharing, Storage, Dial-up remote access, Telephony, Virtual Private Networking (VPN) access, Collaboration services (for example, Microsoft SharePoint)
• People e.g. Subject matter experts, administrators, developers, third party support, end-users
Asset Valuation
The asset is valued in terms of the impact of total loss of the asset in terms of confidentiality, integrity or availability. Each asset will be given a High, Medium or Low rating as its value. Assets considered High and Medium will be

Medium   Loss of confidentiality, availability or integrity incurs additional costs and has a low or moderate impact on legal or contractual obligations, or the organisation's reputation.
Low      Loss of confidentiality, availability or integrity does not affect the organisation's cash flow, operations, legal or contractual obligations, or its reputation.
For each asset, are there vulnerabilities that can be exploited by the threat?

• Physical e.g. Unlocked doors, Unlocked windows, Walls susceptible to physical assault, Interior walls do not completely seal the room at both the ceiling and floor
• Communications e.g. Unencrypted network protocols, Connections to multiple networks, Unnecessary protocols allowed, No filtering between network segments
• Human e.g. Poorly defined procedures, Stolen credentials
Minor impact, for example: Service disruption – <1 day; Direct financial loss – <5% PBT; Health & safety incident – e.g. cuts / bruises; Business / reputation impact – e.g. complaint or legal action

Risk matrix (High Asset Value): risk score = Impact x Likelihood

Impact \ Likelihood   Rare  Unlikely  Possible  Likely  Certain
Insignificant            1         2         3       4        5
Minor                    2         4         6       8       10
Moderate                 3         6         9      12       15
Major                    4         8        12      16       20
Catastrophic             5        10        15      20       25
Identify controls
For each risk with a significant risk rating, identify the existing controls and mitigating factors that reduce the likelihood and impact ratings.

Control examples (from ISO27001 Annex A):
• Physical security controls e.g. Secure areas, Equipment security
• IT operations management controls e.g. Network security management, Data backup, Media handling, Anti-malware, Vulnerability management, Auditing/monitoring
• Business continuity planning
• Employee security controls e.g. Joiners screening, Terms & Conditions, security training, disciplinary procedures, leavers access termination, return of assets
Determine post control risk
Taking into account the effect of the controls and mitigating factors identified, reassess the probability and impact scores to determine the post-control risk score. In all likelihood, a number of risks will now score below the ‘significant’ risk threshold.
Where risks still score above the ‘significant’ threshold, these will be raised on the Information Security risk register, which will be created as part of the Group IT ISMS implementation.
Risk treatment plans will then be recorded and tracked as part of the Information Security risk management process.
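The whole sequence described in this deck (asset-value filter, inherent score from the impact x likelihood matrix, control adjustment, residual score and the register threshold) carried through in Python, as an added example that is not part of the original presentation. The numeric ‘significant’ cut-off of 10, the number of rating steps each control removes, and the sample assets are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Scales from the 5x5 matrix on the slide: score = impact x likelihood (1..25).
LIKELIHOOD = ["Rare", "Unlikely", "Possible", "Likely", "Certain"]
IMPACT = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic"]
SIGNIFICANT = 10  # assumed cut-off for a 'significant' score; the deck states none

@dataclass
class Risk:
    asset: str
    asset_value: str      # High / Medium / Low, from the asset valuation step
    threat: str
    vulnerability: str
    likelihood: str       # inherent ratings, i.e. assessed with no controls in place
    impact: str
    # existing controls as (name, likelihood steps reduced, impact steps reduced)
    controls: list = field(default_factory=list)

def score(impact: str, likelihood: str) -> int:
    return (IMPACT.index(impact) + 1) * (LIKELIHOOD.index(likelihood) + 1)

def reduce_rating(scale: list, rating: str, steps: int) -> str:
    # move a rating down its scale, never below the lowest value
    return scale[max(0, scale.index(rating) - steps)]

def evaluate(r: Risk, threshold: int = SIGNIFICANT) -> dict:
    """Walk one risk through the deck's steps and report where it ends up."""
    e = {"asset": r.asset, "threat": r.threat, "inherent": None, "residual": None}
    if r.asset_value == "Low":                 # only High/Medium assets go forward
        return {**e, "outcome": "not assessed (low asset value)"}
    e["inherent"] = score(r.impact, r.likelihood)
    if e["inherent"] < threshold:              # dropped before the controls step
        return {**e, "outcome": "below significant threshold"}
    lk, im = r.likelihood, r.impact
    for _name, lk_steps, im_steps in r.controls:
        lk = reduce_rating(LIKELIHOOD, lk, lk_steps)
        im = reduce_rating(IMPACT, im, im_steps)
    e["residual"] = score(im, lk)
    e["outcome"] = ("raise on risk register" if e["residual"] >= threshold
                    else "mitigated by existing controls")
    return e

# Constructed sample input; asset names and control effects are illustrative only.
SAMPLE = [
    Risk("HR database", "High", "Credential misuse", "Stolen credentials", "Likely", "Major",
         controls=[("security training", 1, 0), ("Auditing/monitoring", 0, 1)]),
    Risk("Server room", "High", "Unauthorised entry", "Unlocked doors", "Possible", "Catastrophic"),
    Risk("Marketing data", "Medium", "Eavesdropping", "Unencrypted network protocols", "Unlikely", "Minor"),
    Risk("Internal Web site", "Low", "Defacement", "Unnecessary protocols allowed", "Likely", "Major"),
]
```

Running `[evaluate(r) for r in SAMPLE]` shows the HR risk dropping from 16 to 9 under its controls, while the server-room risk stays at 15 and is the only one that reaches the register.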