The path to ISO 27005
Posted on: 11-Feb-2013
Author: cmk
Long, long ago there was a standard called BS 7799. It came at a time when the Internet was just starting to become ubiquitous. It spoke in esoteric terms of identifying risks to your information. The simple townsfolk who decided to follow BS 7799 did not understand what it meant. Each person started interpreting the ‘identification of risks’ in his own way. Some succeeded, some did not. Those who did not succeed sometimes met with bitter consequences.

Now BS 7799 realized that this was not the way it had expected things to go, so it released some supporting documents. One of them spoke eloquently about identifying risks and mitigating solutions. This document was titled “PD 3002 - Guide to BS 7799 Risk Assessment”. The simple townsfolk were delighted. Here was a method that would let them achieve the seemingly unachievable: find the elusive risks, find their probability, and mitigate them. This, the simple townsfolk thought, was the panacea for all problems. BS 7799 was happy. All seemed to work.

However, as the lifestyle of the simple townsfolk started to change, the old Guide seemed increasingly irrelevant. Also, different townsfolk who followed the Guide got different results. The tribe of non-believers had some questions which even the staunchest of followers could not answer. Some of them were:
- PD 3002 says there are 7 categories of assets (Information Assets, Paper Documents, Software Assets, Physical Assets, People, Company Image and Reputation, and Services). Pray, what is the difference between ‘Information Assets’ and ‘Paper Documents’? Don’t paper documents contain only information?
- PD 3002 says assets are to be valued solely by the business impact of a loss of ‘Confidentiality, Integrity & Availability’ (the holy triad). Where does one end and the other begin? For example, if my computer system is hacked into and one file is modified, is it reasonable to assume that only C and I are affected? The attacker could potentially delete the file line by line. At what point does the file go from having its integrity affected to having its availability affected?
- One of the most important arguments was similar to the philosophical question “Is my blue your blue?” Is my level of risk your level of risk? If I combine the probability of occurrence with the impact to derive the level of risk, the same combination comes out ‘high’ for the smallest of businesses as well as for the largest. Where does risk appetite figure in all this?