
Information Security Management System (ISMS)
ISO27001 Risk Assessment Approach
March 2012
Security Risk Assessment Overview

The approach runs through seven steps, repeated as a sidebar on every slide of the deck: Identify & value assets; Identify threats; Identify vulnerabilities; Assess inherent risk; Identify controls; Determine residual risk; Feed into risk treatment plan.

• The first step in risk assessment is the identification of all information assets in the organisation, i.e. of all assets which may affect the security of information in the organisation.
• A value is assigned to each asset in terms of the worst-case impact the loss of confidentiality, integrity or availability of the asset may have on the organisation. This acts as an asset prioritisation mechanism, with only higher-value assets being taken through to the next stage.
• The next step is to identify all threats and vulnerabilities associated with the higher-value assets identified. Every asset may be associated with several threats, and every threat may be associated with several vulnerabilities.
• The probability of threats exploiting the vulnerabilities is then assessed, along with the impact should this occur, based on the assumption that no controls are in place. From this assessment, a pre-control (or inherent) risk score is calculated. Risks with a medium to high score are then taken on to the next step.
• Existing controls or mitigating factors which reduce the impact or probability of each risk are identified, and the impact and probability scores are reassessed to reflect the effect of these controls.
• Risks with scores above the acceptable risk threshold will then be raised on the Information Security risk register, where mitigating actions will be tracked by the Information Security team, and reported and escalated.
Asset identification

Assets are defined as anything which may affect confidentiality, integrity and availability of information in the organisation.

• Information e.g. Human resources data, Financial data, Marketing data, Employee passwords, Source code, System documentation, Intellectual property, Data for regulatory requirements, Strategic plans, Employee business contact data, Employee personal contact data, Purchase order data, Network infrastructure design, Internal Web sites
• Technology e.g. Servers, Desktop computers, Laptops, Tablets, Smart phones, Server application software, End-user application software, Development tools, Routers, Network switches, PBXs, Removable media, Power supplies, Uninterruptible power supplies
• Services e.g. E-mail/scheduling, Instant messaging, Active Directory directory service, Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), Enterprise management tools, File sharing, Storage, Dial-up remote access, Telephony, Virtual Private Networking (VPN) access, Collaboration services (for example, Microsoft SharePoint)
• People e.g. Subject matter experts, administrators, developers, third party support, end-users
Asset Valuation

The asset is valued in terms of the impact of total loss of the asset in terms of confidentiality, integrity or availability. Each asset will be given a High, Medium or Low rating as its value. Assets considered High and Medium will be

Asset value   Consequence of loss of CIA
High          Loss of confidentiality, availability or integrity has considerable and immediate impact on the organisation's cash flow, operations, legal or contractual obligations, or its reputation.
Medium        Loss of confidentiality, availability or integrity incurs additional costs and has a low or moderate impact on legal or contractual obligations, or the organisation's reputation.
Low           Loss of confidentiality, availability or integrity does not affect the organisation's cash flow, operations, legal or contractual obligations, or its reputation.
Identify Threats

For each asset, what can impact its confidentiality, integrity, or availability?

• Catastrophic incidents e.g. Fire, Flood, Earthquake, Severe storm, Terrorist attack, Civil unrest/riots, Landslide, Industrial accident
• Mechanical failure e.g. Power outage, Hardware failure, Network outage, Environmental controls failure, Construction accident
• Non-malicious person e.g. Uninformed employee, Uninformed user
• Malicious person e.g. "Hacker, cracker", Computer criminal, Industrial espionage, Government sponsored espionage, Social engineering, Disgruntled current employee, Disgruntled former employee, Terrorist, Negligent employee, Dishonest employee (bribed or victim of blackmail), Malicious mobile code
Identify Vulnerabilities

For each asset, are there vulnerabilities that can be exploited by the threat?

• Physical e.g. Unlocked doors, Unlocked windows, Walls susceptible to physical assault, Interior walls do not completely seal the room at both the ceiling and floor
• Hardware e.g. Missing patches, Outdated firmware, Misconfigured systems, Systems not physically secured, Management protocols allowed over public interfaces
• Software e.g. Out of date antivirus software, Missing patches, Poorly written applications, Deliberately placed weaknesses, Configuration errors
• Communications e.g. Unencrypted network protocols, Connections to multiple networks, Unnecessary protocols allowed, No filtering between network segments
• Human e.g. Poorly defined procedures, Stolen credentials
Determine Risk Probability

For each asset/threat/vulnerability combination, determine the probability of the specific risk materialising:

Probability   Guidance
Certain       • History of regular occurrence.
              • The event will occur (recur).
              • No special skills or determination required; information asset easily available.
Likely        • The event will occur (recur) in most circumstances.
              • Has occurred in the past.
Possible      • The event may well occur (recur) at some time.
              • No special skills required except for time and determination.
Unlikely      • The event could occur (recur) at some time.
              • No history of occurrence.
Rare          • The event may only happen in exceptional circumstances.
              • High level of technical or social engineering skill and determination required.
Determine Risk Impact

For each asset/threat/vulnerability combination, consider the business impact should the risk materialise (to be determined per organisation):

Business impact rating   Characteristics
Catastrophic             For example: Service disruption / failure – > 1 week; Direct financial loss – > 50% PBT / > 10% fall in share price; Business/reputation impact – e.g. legal action (including custodial sentence) / extensive external media attention / failure to achieve 1 or more corporate objectives
Major                    For example: Service disruption / failure – 1-5 days; Direct financial loss – 15-50% PBT; Health & safety incident – e.g. fatality / permanent disability; Business/reputation impact – e.g. legal action / national attention from media or regulators
Moderate                 For example: Service disruption / failure – 1 day; Direct financial loss – 5-15% PBT; Health & safety incident – e.g. fractures / time off; Business/reputation impact – e.g. legal action / local media or regulatory attention
Minor                    For example: Service disruption – <1 day; Direct financial loss – < 5% PBT; Health & safety incident – e.g. cuts / bruises; Business/reputation impact – e.g. complaint or legal action
Insignificant            For example: Service disruption – none / minor; Direct financial loss – negligible; Health & safety incident – none / very minor; Business/reputation impact – systems could be improved
Security Risk Assessment Overview

The inherent risk score is calculated based on the likelihood and impact values selected in the previous section (to be determined per organisation).

Medium asset value: score by impact (rows) and likelihood (columns)

Impact          Rare   Unlikely   Possible   Likely   Certain
Insignificant      1          2          2        3         4
Minor              2          3          5        6         8
Moderate           2          5          7        9        11
Major              3          6          9       12        15
Catastrophic       4          8         11       15        19

High asset value: score by impact (rows) and likelihood (columns)

Impact          Rare   Unlikely   Possible   Likely   Certain
Insignificant      1          2          3        4         5
Minor              2          4          6        8        10
Moderate           3          6          9       12        15
Major              4          8         12       16        20
Catastrophic       5         10         15       20        25
Identify controls

For each risk with a significant risk rating, identify the existing controls and mitigating factors that reduce the likelihood and impact ratings.

Control examples (from ISO27001 Annex A):
• Physical security controls e.g. Secure areas, Equipment security
• IT operations management controls e.g. Network security management, Data backup, Media handling, Anti-malware, Vulnerability management, Auditing/monitoring
• Access controls e.g. access management, O/S access controls, application access controls, network access controls, remote access controls
• Secure development controls e.g. security requirements, data integrity controls, security design, security testing
• Business continuity planning
• Employee security controls e.g. Joiners screening, Terms & Conditions, security training, disciplinary procedures, leavers access termination, return of assets
Determine post control risk

Taking into account the effect of the controls and mitigating factors identified, reassess the probability and impact scores to determine the post-control risk score. In all likelihood, a number of risks will now score below the ‘significant’ risk threshold.

Where risks still have an above significant score, these will be raised on the Information Security risk register which will be created as part of the Group IT ISMS implementation.

Risk treatment plans will then be recorded and tracked as part of the Information Security risk management process.
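A worked scoring example, added here and not part of the deck: it encodes the two inherent-risk matrices from the scoring slide, runs the post-control reassessment described on this slide, and screens each risk against a threshold to decide what goes on the register. The threshold value of 8, reading 'significant' as a score at or above the threshold, and modelling each control as a number of steps down the likelihood or impact scale are assumptions; the sample risks are constructed, using threat and vulnerability names from the deck's own lists.

```python
from dataclasses import dataclass, field

LIKELIHOOD = ["Rare", "Unlikely", "Possible", "Likely", "Certain"]
IMPACT = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic"]
# Inherent risk score matrices as printed in the deck, indexed [impact][likelihood].
MATRIX = {
    "High":   [[1, 2, 3, 4, 5], [2, 4, 6, 8, 10], [3, 6, 9, 12, 15],
               [4, 8, 12, 16, 20], [5, 10, 15, 20, 25]],
    "Medium": [[1, 2, 2, 3, 4], [2, 3, 5, 6, 8], [2, 5, 7, 9, 11],
               [3, 6, 9, 12, 15], [4, 8, 11, 15, 19]],
}
def risk_score(asset_value, impact, likelihood):
    # Low-value assets are not taken through to the threat/vulnerability stage, so no score.
    if asset_value == "Low":
        return None
    return MATRIX[asset_value][IMPACT.index(impact)][LIKELIHOOD.index(likelihood)]
def lower(scale, level, steps):
    # Controls move a rating down the scale by `steps` levels, never below the lowest level.
    return scale[max(0, scale.index(level) - steps)]
@dataclass
class Risk:
    asset: str
    asset_value: str   # High / Medium / Low
    threat: str
    vulnerability: str
    likelihood: str    # pre-control rating
    impact: str        # pre-control rating
    controls: list = field(default_factory=list)  # (name, likelihood steps, impact steps)
def assess(risk, threshold):
    # Inherent score first; only scores at or above `threshold` (assumed to mean 'significant')
    # are reassessed with existing controls and, if still significant, flagged for the register.
    inherent = risk_score(risk.asset_value, risk.impact, risk.likelihood)
    if inherent is None or inherent < threshold:
        return {"inherent": inherent, "residual": inherent, "register": False}
    likelihood = lower(LIKELIHOOD, risk.likelihood, sum(c[1] for c in risk.controls))
    impact = lower(IMPACT, risk.impact, sum(c[2] for c in risk.controls))
    residual = risk_score(risk.asset_value, impact, likelihood)
    return {"inherent": inherent, "residual": residual, "register": residual >= threshold}
# Constructed sample entries (not from the deck); threat and vulnerability names come from its lists.
SAMPLE_RISKS = [
    Risk("HR database", "High", "Disgruntled former employee", "Stolen credentials",
         "Possible", "Major", [("Leavers access termination", 1, 0), ("Data backup", 0, 1)]),
    Risk("Purchase order data", "Medium", "Uninformed employee", "Poorly defined procedures",
         "Likely", "Catastrophic"),
    Risk("Internal web site", "Low", "Malicious mobile code", "Missing patches", "Certain", "Major"),
]
REGISTER = [r.asset for r in SAMPLE_RISKS if assess(r, 8)["register"]]  # assumed threshold of 8
```

With the assumed threshold, the HR database risk scores 12 inherently but drops to 6 once leavers access termination and backups are credited, while the uncontrolled Medium-value risk stays at 15 and is the only entry on the register.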
