Risk assessment framework
Once the organization obtains management buy-in and defines the scope of an ISO 27001 ISMS, the biggest challenge is to develop a risk assessment methodology addressing its business and environment. The ISO 27001 standard doesn't prescribe the methodology, and leaves the designers (of the program or framework) with a lot of questions. An ISO 27001 ISMS designer should have a good understanding of the different kinds of risk assessment methodologies. A lot of designers with an engineering background use the failure mode effect analysis (FMEA) method, while others use software pushed by vendors. What you need to keep in mind is that what worked for Company X may not necessarily work for you. Also remember that you are dealing with information, hence you must think of scenarios which may affect the information's confidentiality,
Requires Membership to View
To gain access to this and all member only content, please provide the following information:
By submitting your registration information to searchSecurity.in you agree to receive email communications from the TechTarget network of sites, and/or third party content providers that have relationships with TechTarget, based on your topic interests and activity, including updates on new content, event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile, unsubscribing via email or by contacting us here
- Your use of searchSecurity.in is governed by our Terms of Use
- We designed our Privacy Policy to provide you with important disclosures about how we collect and use your registration and other information. We encourage you to read the Privacy Policy, and to use it to help make informed decisions.
- If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States.
integrity and availability. It's very important to
keep the organization's culture, decision-making style and people in
mind while designing the risk assessment process (integral to ISO 27001
ISMS design). This framework will help you to identify the risks to
your critical information assets.Statement of applicability and risk treatment plan
Based on this risk assessment, the organization will need to prepare a statement of applicability and a risk treatment plan. ISO 27001 broadly mentions 11 security domains, 33 control objectives and 133 security controls which can be utilized for this purpose. Before selecting any control, you must undertake a cost-benefit analysis of the value of the control and the value of the information asset. The 11 security domains of ISO 27001 are not mandatory; however, if you don't want to put any security control then you must mention the reasons for exclusion in your statement of applicability. After this, the next step is ISO 27001 ISMS design.
Once all the controls are selected you must develop an ISO 27001 ISMS implementation program which involves setting up of policies, procedures and guidelines, and deploying security controls to mitigate the identified risks. Many ISO 27001 ISMS designers feel that it's best that the security controls are centrally managed. This may be true for the technological controls, but a central monitoring team will not be able to do justice for the controls on people and business processes (which are scattered).
A common mistake made by security personnel when crafting an ISO 27001 ISMS strategy is to try and convince the management that increased security spending means greater security. Organizations often use some sort of metric to justify security spending. This approach may be valid for some technological solutions, but not for business processes and people-related risks.
Review and corrective action
The security team should review whether the implemented security controls provide the desired results as well as address threats and vulnerabilities. If the controls are part of ISO 27001 ISMS are not successfully addressing risks, then you must analyze the reasons and take corrective action.
Key challenges of ISMS implementation.
One of the basic problems that most organizations face is to understand requirements of the ISO 27001 standard. Besides, choosing a wrong implementation partner can lead to several problems in the design of the framework of, approach to, and actual implementation of an ISO 27001 ISMS.
The cultural change which the implementation of an ISO 27001 ISMS brings with it is also a major issue. Security teams often spend a lot more time managing people-related issues than process, technological or functional issues during the ISO 27001 ISMS implementation.
Many organizations go in for certification immediately after the implementation of an ISO 27001 ISMS. However, when the business returns to normal, the momentum is lost, and the organization starts striking a balance between functionality and security. This often happens due to an impractical solution devised by the team designing ISO 27001 ISMS. People start disconnecting themselves from the initiative, and look at the situation as 'them against us.' Processes are not followed, and are bypassed. Business reasons are cited, and the exception list starts getting populated. Eventually, these exceptions become the policy, and the entire ISO 27001 initiative is lost in spirit.
About the author: Deepak Varde is Head- Managed Information Security Services with Mahindra Special Service Group and has been involved in designing and deploying security frameworks that address the risk spectrum covering People, Process & Technology.
(As told to Dhwani Pandya)
This was first published in May 2010