Risk assessment (RA) is akin to charting the blueprint for a robust information security strategy. An information gathering exercise performed to determine the right steps to developing a proactive security posture, RA should not be confused with an audit. Risk assessment analyzes threats in conjunction with vulnerabilities and existing controls.
A one-size-fits-all approach to information security is doomed to failure — it’s certain to throttle efficiency and productivity. The ISO 27005 risk assessment standard is different in that it acts as an enabler for designing effective and efficient controls for organizations that require the freedom to define their own risk parameters.
Risk assessment under ISO 27005
Workflow: Identification, Estimation and Evaluation
ISO 27005 brings in considerable structure to risk assessment. It focuses on the tenets of confidentiality, integrity and availability, each balanced according to operational requirements. Identification of assets and component steps such as risk profiling are left to the entity’s discretion. There are several points of significant difference in ISO 27005 standard’s workflow.
Risk identification: This refers to risk characterized in terms of organizational conditions.
1) Asset Identification: ISO 27005 risk assessment differs from other standards by classifying assets into primary and supporting assets. Primary assets are usually information or business processes. Supporting assets can be hardware, software and human resources.
While a supporting asset is replaceable, the information it contains is most often not. ISO 27005 effectively brings out this distinction, enabling organizations to identify valuable assets and the dependent supporting assets impacting the primary asset, on the basis of ownership, location and function.
2) Threat identification and profiling: This facet is based on incident review and classification. Threats could be application-based or threats to the physical infrastructure. While this process is continuous, it does not require redefining asset classification from the ground up, under ISO 27005 risk assessment. The onus of profiling risk is left to the organization, based on business requirements. However, standard threat scenarios for the relevant industry vertical must be covered for comprehensive assessment.
3) Identifying existing controls: ISO 27005 risk assessment requires identification of all possible existing controls. Under ISO 27005, the protection provided — or bottlenecks created — by existing controls are taken into account.
4) Identification of vulnerabilities and consequences: Vulnerabilities must be identified and profiled based on assets, internal and external threats and existing controls. Vulnerabilities unrelated to external threats should also be profiled. The final checkpoint is to identify consequences of vulnerabilities. So eventual risk is a function of the consequences, and the likelihood of an incident scenario.
Risk estimation and evaluation: ISO 27005 risk assessment facilitates prioritization. Under ISO 27005, risk can be estimated qualitatively (for example: high, medium, low) or quantitatively (for example: cost in dollars, man-hours). While quantitative assessment is desirable, probability determination often poses difficulties, and an inevitable element of subjectivity.
For correct identification of risk, estimation in terms of business impact is essential. However, the challenge is to reach a consensus when numerous stakeholders are involved. Thus, risk evaluation criteria are based on business requirements and the need to mitigate potentially disruptive consequences.
ISO 27005’s differences
While the flow in most risk assessment standards is essentially the same, the difference lies in the sequence of events or in the order of task execution. Compared to popular standards like OCTAVE and NIST SP 800-30, ISO 27005’s risk assessment approach differs in several respects.
OCTAVE’s methodology focuses on critical assets rather than the whole. ISO 27005 does not exclude non-critical assets from the risk assessment ambit. However, it necessitates assigning an asset value. The workflow for OCTAVE is also different, with identification of assets and the areas of concern coming first, followed by the security requirements and threat profiling.
The NIST SP 800-30 standard is largely meant for technical risk assessment. The NIST SP 800-30 standard’s workflow differs from ISO 27005 in that the first step is system characterization. NIST SP 800-30 considers vulnerabilities before existing controls; thus the mitigation afforded by existing controls is not taken into account.
In a practical situation, an organization does not completely forego previous investments and controls. ISO 27005 risk assessment scores with its more realistic view of the vulnerability profile, since it identifies existing controls before defining vulnerabilities.
About the author: Dharshan Shanthamurthy is a director at SISA Information Security and a risk assessment evangelist at SMART-RA.COM. Trained at Software Engineering Institute - Carnegie Mellon University, Dharshan carries a host of security certifications. He has presented at over 122 workshops/conferences in over 19 countries.He can be reached at firstname.lastname@example.org.
(As told to Varun Haran)
Please send your feedback and/or comments to vharan at techtarget dot com. you can subscribe to our twitter feed at @SearchSecIN.
This was first published in June 2011