ISO 27005 - The differences Demystified
With my misadventure with Blogger done - I did not qualify to make easy money with Google Adsense :) - I have moved the sole post from Blogger back to the trusted Wordpress. Please ignore this if you have already read the previous post.
This post continues from http://practicalinfosec.wordpress.com/2013/02/11/the-path-to-iso-27005/. If you have not read that post, I doubt this would make sense, but you are welcome to try...
The all knowing, benevolent International Organization for Standardization did a few quick things that both pleased and perplexed the simple townsfolk. ISO 27005 boldly claims that it is merely a guideline and does not provide any methodology for reaching the ultimate objective. Townsfolk who had strayed from the straight and narrow of ISO 13335 were pleased. Their method, although unorthodox, was not blasphemous for ISO. Townsfolk who had followed the prescribed path - high level risk assessment, detailed risk assessment and baseline approach - were confused. If this was not ‘THE’ path, then what was? How do we know we are right, if we do not go by the book?
ISO lovingly smiles at these questions and replies “It is all a matter of ‘context’ my child! It is all a matter of context.”
The thinkers who had dared to tweak the old philosophy would be at home with context establishment. It asks you to think of three specific questions:
What is the purpose of doing an information security risk management?
In the days of yore, consultants and implementers would have been tied to a pole and shot twice by crusading auditors for questioning the very basis of existence. In these new fangled times, the book itself is asking you to question everything! It is indeed a fresh new look. Come to think of it, why do we do risk assessments again?
What is the scope and what are the boundaries of this risk management exercise?
Townsfolk well versed with the aging mother standard (27001) will immediately ask - is this not the same as the scope of my ISMS? ISO 27005 says they are related. A deeper inspection by the non-believers reveals that the scope of the ISMS and the scope of risk management are more or less the same. The only difference, probably, is that ISO 27005 asks the practitioner to consider the expectations of the stakeholders as well as the socio-cultural environment. The socio-cultural environment is probably in vogue with infosec professionals this season (think COBIT 5).
Organization of the risk management
The omnipresent, omnipotent, ISO seeks to have a set of roles and responsibilities for its followers. This ranges from developing the infosec risk management process to liaising with the organization’s higher risk management functions. It is easily guessable that the role would fall on the holy CISO.
The most important question to be answered is, of course, the purpose of doing a risk management. It appears that the townsfolk, still dealing with the unanswerable philosophical question - "What is the purpose of life?" - were given a new question - "What is the purpose of risk assessment?" - to debate for the rest of their lives! ISO, however, is not cruel. It does not leave you in the lurch without providing you the basic guidance to tough theological questions.
To find out the purpose of risk assessment, the townsfolk should follow three simple rituals. Lo and Behold! They will be blessed with a purpose for risk assessment. Here are the secrets, revealed.
- Risk Evaluation Criteria: ISO says that one should think about the criteria that should be used to evaluate risks. This can be influenced by things ranging from the strategic value of the business information process to stakeholders' expectations and perceptions, and everything in between, from the criticality of information to the legal, regulatory and contractual obligations.
- Impact Criteria: Once you have identified the criteria that you are going to use to evaluate risks, the next step is the 'Impact Criteria'. What does the organization consider as high impact? Which types of impact would you rate higher? Is a revenue loss more critical or is a reputation loss? - and other such questions. The point to remember here is that one set of criteria talks about how an organization will evaluate 'risks' and the other talks about how an organization would evaluate 'impact'.
- Risk Acceptance Criteria: This is as straightforward as it seems. The organization needs to decide on what types of risks and what levels of risks are acceptable, and who in the organization decides on accepting these risks. An organization with a higher risk appetite may accept more risks - and consequently have a simpler methodology to identify and evaluate risks.
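To make the three criteria concrete, here is a small model of how they fit together. This is an added example written for this post, not anything ISO 27005 prescribes; the scoring scale (1 to 5), the impact weights, the two organizations' acceptance thresholds and the three sample risks are all constructed for illustration. It shows the impact criteria (which impact types count and by how much), the risk evaluation criteria (how a score is produced) and the acceptance criteria (what is accepted outright, who may sign off on the rest, and what must be treated), and how the same risk gets a different decision in a risk-tolerant and a risk-averse organization.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# --- Impact criteria (constructed for this example) --------------------
# The organization decides which kinds of impact it recognises and how much
# each counts. Here reputation loss is weighted above revenue loss, the kind
# of choice the impact criteria are meant to settle.
IMPACT_WEIGHTS: Dict[str, float] = {"revenue": 1.0, "reputation": 1.5, "legal": 1.3}


@dataclass
class Risk:
    name: str
    likelihood: int                  # 1 (rare) .. 5 (almost certain)
    consequences: Dict[str, int]     # impact type -> consequence level 1..5


@dataclass
class AcceptanceCriteria:
    """Risk acceptance criteria: what is accepted outright and who must
    sign off on anything above that, by score band."""
    accept_below: float                       # scores under this are accepted by the risk owner
    sign_off_bands: List[Tuple[float, str]]   # (upper bound, role) in ascending order


def impact_score(consequences: Dict[str, int],
                 weights: Dict[str, float] = IMPACT_WEIGHTS) -> float:
    """Apply the impact criteria: the highest weighted consequence wins.
    An impact type the criteria do not recognise is an error, not a guess."""
    unknown = set(consequences) - set(weights)
    if unknown:
        raise ValueError(f"impact types outside the impact criteria: {sorted(unknown)}")
    for level in consequences.values():
        if not 1 <= level <= 5:
            raise ValueError("consequence levels must be in 1..5")
    return max(level * weights[kind] for kind, level in consequences.items())


def evaluate_risk(risk: Risk) -> float:
    """Risk evaluation criteria (constructed): likelihood times weighted impact."""
    if not 1 <= risk.likelihood <= 5:
        raise ValueError("likelihood must be in 1..5")
    return risk.likelihood * impact_score(risk.consequences)


def decide(score: float, criteria: AcceptanceCriteria) -> Tuple[str, Optional[str]]:
    """Apply the acceptance criteria to a score.
    Returns (decision, role): 'accept' by the risk owner, 'escalate' to the
    named role who may accept it, or 'treat' when nobody may accept it."""
    if score < criteria.accept_below:
        return ("accept", "risk owner")
    for upper, role in criteria.sign_off_bands:
        if score <= upper:
            return ("escalate", role)
    return ("treat", None)


def assess(risks: List[Risk],
           criteria: AcceptanceCriteria) -> Dict[str, Tuple[float, str, Optional[str]]]:
    """Score every risk and apply the acceptance criteria; name -> (score, decision, role)."""
    result = {}
    for risk in risks:
        score = evaluate_risk(risk)
        decision, role = decide(score, criteria)
        result[risk.name] = (score, decision, role)
    return result


# Two organizations with different risk appetites (constructed thresholds).
RISK_TOLERANT = AcceptanceCriteria(accept_below=10.0,
                                   sign_off_bands=[(15.0, "CISO"), (25.0, "CIO")])
RISK_AVERSE = AcceptanceCriteria(accept_below=4.0,
                                 sign_off_bands=[(8.0, "CISO"), (12.0, "board risk committee")])

# Sample risks, constructed for the example.
SAMPLE_RISKS = [
    Risk("customer database exposure", likelihood=2,
         consequences={"revenue": 3, "reputation": 4, "legal": 3}),
    Risk("unencrypted laptop theft", likelihood=3,
         consequences={"revenue": 1, "reputation": 2}),
    Risk("ransomware outage", likelihood=4,
         consequences={"revenue": 5, "reputation": 5, "legal": 4}),
]

if __name__ == "__main__":
    for label, criteria in (("risk tolerant", RISK_TOLERANT), ("risk averse", RISK_AVERSE)):
        print(f"\n{label}:")
        for name, (score, decision, role) in assess(SAMPLE_RISKS, criteria).items():
            print(f"  {name:28} score={score:5.1f}  {decision:8} {role or ''}")
```

Running it shows the point the post makes about risk appetite: the laptop-theft risk scores 9.0 either way, which the risk-tolerant organization accepts at the risk owner's level while the risk-averse one escalates to its board risk committee; the ransomware risk exceeds every sign-off band in both and must be treated.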
This is the holy grail of ISO 27005 - Context Establishment. Now to answer a few questions that it raises:
Q: Does it change the whole philosophy of infosec risk assessment?
A: Probably not. It forces the organization to think before it embarks on the long and arduous path towards risk assessment.
Q: Does it just formalize what practitioners were doing in their heads anyway?
A: Maybe, but most organizations are known to have jumped unthinkingly into Excel sheets or risk assessments made by consultants, and then made changes to them based on what the auditor says. So, again, this does force the organization to think.
Q: Does this change the methodology to be followed for risk assessment?
A: If implemented correctly, it does. Organizations with a higher propensity towards risk can make do with a high-level risk assessment, while risk-averse organizations will do a very detailed analysis before making investment decisions.
Further analysis of ISO 27005? Maybe soon!