For Infosec professionals


The path to ISO 27005

Posted on: 11-Feb-2013
Author: cmk
Long, long ago, there was a standard called BS7799. It came at a time when the Internet was just starting to become ubiquitous. It spoke in esoteric terms of identifying risks to your information. The simple townsfolk who decided to follow BS 7799 did not understand what it meant. Each person started interpreting the ‘identification of risks’ in his own way. Some succeeded, some did not. Those who did not succeed sometimes met with bitter consequences. Now BS7799 realized that this was not the way it had expected things to go, so it released some supporting documents. One of them spoke eloquently about identifying risks and mitigating solutions. This document was titled “PD3002 - Guide to BS7799 Risk Assessment”. The simple townsfolk were delighted. Here was a method that would help them achieve the seemingly unachievable! Help them find the elusive risks. Help them estimate the probability and mitigate the risks. This, the simple townsfolk thought, was the panacea to all problems. BS7799 was happy. All seemed to work. However, as the lifestyle of the simple townsfolk started to change, the old Guide seemed increasingly irrelevant. Also, different townsfolk who followed the Guide got different results. The tribe of non-believers had some questions which even the staunchest of followers could not answer. Some of them were:
  • PD3002 says there are 7 categories of assets (Information Assets, Paper Documents, Software Assets, Physical Assets, People, Company Image and Reputation, and Services). Pray, what is the difference between ‘Information Assets’ and ‘Paper Documents’? Don’t paper documents contain only information?
  • PD 3002 says assets are supposed to be valued only on the business impact they cause to ‘Confidentiality, Integrity & Availability’ (the holy triad). Where does one end and the other begin? For example, if my computer system is hacked into and one file is modified, is it reasonable to assume that only C and I are affected? The attacker could potentially delete the file line by line. When does the file go from being affected for integrity to being affected for availability?
  • One of the most important arguments was similar to the philosophical question “Is my blue your blue?” Is my level of risk your level of risk? If I take the probability of occurrence and the impact to identify the level of risk, the risk would be high for the smallest of businesses as well as for the largest of businesses. How does the risk appetite figure in all this?
You could potentially go on, but the days of PD 3002 were over. It had served its time in a simpler world. However, there was a major shift in thinking. The well-known International Organization for Standardization modified BS7799 and adopted it as ISO 27001. The townsfolk, simple people, were pleased again. They were sheltered by a bigger and better standard now.

Along with ISO27001 came a set of documents titled ISO 13335 (a set of 5 documents), in particular ISO 13335-3, ‘Guidelines for the management of IT security’. It took some of the concepts of PD3002 and developed them further. This document too had its share of followers. Elaborate rituals and tools were made to implement this standard. It seemed to work for a while. It divided everything into two parts: a baseline approach and a detailed risk analysis approach. Townsfolk who were bogged down by the sheer repetitiveness of PD3002 were pleased with this approach. They could now work smarter, not harder (I believe this is copyrighted by the pointy-haired boss). This was indeed a novel and useful approach, but it only helped in simplifying things. It did not solve the earlier problems. In fact, it raised an additional question among the growing crowd of non-believers: this document seemed to have been conceived and written for the IT townsfolk, not the information security townsfolk. It catered to a different race altogether! ISO 13335-3 went on to describe IT security and IT system policies with scant regard for the non-IT bit.

The all-knowing, benevolent ISO was hearing the pleas of the townsfolk. It decided to answer their prayers and came up with ISO 27005, which replaces ISO 13335-3 in bits and pieces. ISO 27005 began with something called ‘Context Establishment’ (https://practicalinfosec.wordpress.com/2012/07/22/info-sec-risk-management-establishing-context/).

By the looks of it, the townsfolk had a good thing coming… await the sequel for a detailed analysis of ISO 27005.