
HOW TO CONDUCT A RISK ASSESSMENT

Conducting a cybersecurity risk assessment

Presented by:
• Alan Calder, CEO and Founder
• IT Governance USA Inc.
• March 20, 2018
Introduction
• Alan Calder
• Founder – IT Governance
• The single source for everything to do with IT governance, cyber risk
management, and IT compliance
• IT Governance: An International Guide to Data Security and ISO 27001/ISO
27002, 6th Edition (Open University textbook)
• www.itgovernanceusa.com

Copyright IT Governance Ltd – v 0.1


IT Governance: GRC one-stop-shop



Today’s Discussion

• Information security versus cybersecurity
• Effective information security risk management and ISO 27001
• The five-step approach to conducting a risk assessment
• Choosing appropriate risk treatment options
• Unpacking the key controls necessary for effective cybersecurity
• Reviewing, monitoring, and reporting on the risk assessment



Cybersecurity or information security?

Cybersecurity consists of technologies, processes, and measures that are designed to protect individuals and organizations from cyber crime.

Effective cybersecurity reduces the risk of a cyber attack through the deliberate exploitation of systems, networks, and technologies.

Information security describes the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to protect the confidentiality, integrity, and availability (CIA) of data.

Cybersecurity is usually seen as a component of information security.



Effective infosec risk management and ISO 27001

• ISO 27001 is the international standard that sets out the specifications of an information security management system (ISMS)
• An ISMS is a best-practice approach to addressing information
security
• It encompasses people, processes, and technology
• The assessment and management of information security risks is at
the core of ISO 27001
• Any robust cybersecurity program should incorporate the
establishment and maintenance of an ISMS
• ISO 27005 = infosec risk management standard (under review)



Why conduct a risk assessment?
• Conducting a risk assessment enables you to identify assets, threats and vulnerabilities
in order to make informed decisions about which controls to use

Assets -> Threats -> Vulnerabilities


Advantages of a risk assessment

• Recognize threats
• Prevent potential threats
• Create awareness of the entire team
• Reduce costs and damages
• Create effective policies and procedures

An informed management system cannot be created without conducting a risk assessment.

The five-step approach to risk assessments

1. Establish a risk management framework
2. Identify risks
3. Analyze risks
4. Evaluate risks
5. Select risk treatment options



Establishing a risk management framework

• Top management-driven process
• Formal methodology – consistent, valid, comparable
• Risk assessment method
• Risk ownership
• Risk calculation
• Risk scale – likelihood x impact
• Risk appetite
• Baseline security criteria



Risk assessment scale

(Matrix slide: likelihood on one axis, impact on the other; risk score = likelihood x impact)



Identify risks

• People, process, technology risks
• Information assets/asset register
• Consider confidentiality, integrity,
and availability (CIA) of each asset
• Asset owners and risk owners
• Hard copies of information,
electronic files, mobile devices
• Other risks, e.g. intellectual property



Analyze risks

• Vulnerability x threat
• Vulnerability = part of an asset
(unpatched software)
• Threat = external to the asset
(criminal hacker)
• Ensure practical, cost-effective
decisions
• Assign impact and likelihood values
• Based on risk criteria



Evaluate risks

• Compare each risk against predetermined levels of acceptable risk
• Identify highest/most urgent risks
• Prioritize which risks need to be
addressed in which order



Select risk treatment options

1. Avoid
2. Modify
3. Share
4. Retain
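The deck's steps 3 to 5 (score = likelihood x impact, compare against the risk appetite, prioritize, then record one of the four treatment options) carried through in a small risk register. This is an added Python example, not code from the deck or from IT Governance; the 1-5 scales, the appetite threshold of 8, the rule that an above-appetite risk cannot simply be retained, and the sample register entries are constructed assumptions.

```python
from dataclasses import dataclass

# Assumed 1-5 scales and appetite; the deck only says "risk scale = likelihood x impact"
# and leaves the actual scales and appetite to the risk management framework.
RISK_APPETITE = 8
TREATMENTS = {"avoid", "modify", "share", "retain"}   # the four options on the deck


@dataclass
class Risk:
    asset: str
    threat: str           # external to the asset, e.g. criminal hacker
    vulnerability: str    # part of the asset, e.g. unpatched software
    likelihood: int       # 1 (rare) .. 5 (almost certain)
    impact: int           # 1 (negligible) .. 5 (severe)
    owner: str

    def score(self) -> int:
        """Step 3, analyze: risk = likelihood x impact on the agreed scale."""
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.asset}: likelihood and impact must be on the 1-5 scale")
        return self.likelihood * self.impact


def evaluate(risks, appetite=RISK_APPETITE):
    """Step 4, evaluate: rank by score, flag each risk that exceeds the appetite."""
    ranked = sorted(risks, key=lambda r: r.score(), reverse=True)
    return [(r, r.score() > appetite) for r in ranked]


def select_treatment(risk, option, appetite=RISK_APPETITE):
    """Step 5: record the owner's chosen option. Assumed rule: 'retain' is rejected
    for a risk above appetite, since that needs explicit acceptance, not a default."""
    if option not in TREATMENTS:
        raise ValueError(f"unknown treatment option {option!r}")
    if option == "retain" and risk.score() > appetite:
        raise ValueError(f"{risk.asset}: cannot retain a risk scoring {risk.score()} > {appetite}")
    return {"asset": risk.asset, "score": risk.score(), "treatment": option, "owner": risk.owner}


# Constructed sample register (not from the deck)
REGISTER = [
    Risk("customer database", "criminal hacker", "unpatched web server", 4, 5, "IT manager"),
    Risk("HR paper files", "theft", "unlocked cabinet", 2, 3, "HR lead"),
    Risk("sales laptops", "loss in transit", "no disk encryption", 3, 4, "sales director"),
]

if __name__ == "__main__":
    for risk, above in evaluate(REGISTER):
        print(f"{risk.score():>2} {'TREAT ' if above else 'accept'} {risk.asset} ({risk.owner})")
```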



Risk treatment options

• ISO 27001 Annex A

• PCI DSS

• NIST

• 20 Critical Cybersecurity Controls

• Cloud Controls Matrix



14 control sets of Annex A

• A.5 Information security policies
• A.6 Organization of information security
• A.7 Human resources security
• A.8 Asset management
• A.9 Access control
• A.10 Cryptography
• A.11 Physical and environmental security
• A.12 Operations security
• A.13 Communications security
• A.14 System acquisition, development, and maintenance
• A.15 Supplier relationships
• A.16 Information security incident management
• A.17 Information security aspects of business continuity management
• A.18 Compliance



Reviewing, reporting, and monitoring

• Risk treatment plan (RTP)

• Statement of Applicability (SoA)

• Continually review, update, and improve the ISMS

• Adjust according to threat environment



IT Governance: One-stop shop

• Get started now with these best-selling resources and tools
• ISO 27001 standard
• Must-have implementation guidance
• ISO 27001 training courses
• Policies and procedures documentation toolkit
• ISO 27001 gap analysis consultancy
• Risk assessment software
• ISO 27001 DIY packages


ISO 27001 risk assessment software tool

• vsRisk™ has been developed by Vigilant Software, which is part of the GRCI group
• vsRisk will enable users to produce consistent, reliable, and robust risk assessments year after year
• vsRisk saves users time and money compared to spreadsheets

• Easy to use
• Geared for repeatability
• Aligned with ISO 27001
• Streamlined and accurate
• Can generate auditable reports
• Optional built-in documentation toolkit

Book a live demonstration with the Vigilant Software team to find out more
https://www.vigilantsoftware.co.uk/topic/free-demo



IT Governance ISO 27001 online courses

• ISO27001 Certified ISMS Foundation
• ISO27001 Certified ISMS Lead Implementer

Save 15% with our combination course.


How to get in touch

• Visit our website: www.itgovernanceusa.com
• Contact an ISO 27001 specialist: www.itgovernanceusa.com/speak-to-an-iso-27001-expert
• Email us: servicecenter@itgovernanceusa.com
• Call us toll free on (877)-317-3454
• Join us on LinkedIn: /IT Governance USA Inc
• Follow us on Twitter: /ITG_USA
• Like us on Facebook: /ITGovernanceUSA



Questions
