ISO 27001 Risk Management Approach
Cristóbal López, CISA, CRISC, CISSP, PMP
@clopezdb
Agenda
- ISO/IEC 27001 and 27002: Evolution
- The ISO 2700x Family (31 Standards)
- What is ISO 27001
- What is ISO 27005
- What is ISO 31000
- Relationship between ISO 31000, ISO 27001 and ISO 27005
- How using ISO/IEC 27001 can bring ROI Benefits (Why?)
- Are You Extremely Confident About Your Level of Resilience Against Cyber Hacking?
- Initial Assessment
- Risk Management
- Lessons Learned so Far and Conclusions
ISO/IEC 27001 and 27002: Evolution
Source: British Standards Institution (BSI) “ISO/IEC 27001:2013 Executive Overview 01/30/2014”
The ISO 2700x Family (31 Standards)
Source: British Standards Institution (BSI) “ISO/IEC 27001:2013 Executive Overview 01/30/2014”
(Aside: ISO 27020:2010 is "Dentistry -- Brackets and tubes for use in orthodontics", not an information security standard.)
What is ISO 27001?
ISO 27001 is an international standard that sets out the requirements for an Information Security Management System (ISMS). Since organizations are all different, an ISMS is always tailored to the organization's specific security needs.
ISO 27001 was released as the first standard in the ISO 27000 series of standards for information security. ISO 27001:2005 was first published in October 2005 and was revised in October 2013 to better accommodate changing information security challenges. The current version is called ISO 27001:2013.
Source: Neupart http://www.neupart.com/resources/iso-27001.aspx, 12/8/2014
What is ISO 27001?
ISO 27001 is related to ISO 27002, which describes a "code of practice" (basically an instruction manual) covering the security measures an organization can choose to introduce. ISO 27002 was formerly known as ISO 17799, which was based on the British standard BS 7799-1. The current version is ISO 27002:2013.
October 1st, 2015 is the deadline for transitioning from the ISO/IEC 27001:2005 to the ISO/IEC 27001:2013 Information Security Management System standard.
Source: Neupart http://www.neupart.com/resources/iso-27001.aspx, 12/8/2014
What is ISO 27005?
- A threat-based risk management guidance
- Considered best practice
- Well aligned with other risk frameworks
- A method to comply with ISO 27001 risk management requirements
Source: Neupart IT Risk Management best practice using ISO 27001 & 27005, October, 2014
What is ISO 31000?
ISO 31000 is a family of standards relating to risk
management codified by the International
Organization for Standardization. The purpose of
ISO 31000:2009 is to provide principles and
generic guidelines on risk management. ISO 31000
seeks to provide a universally recognized
paradigm for practitioners and companies
employing risk management processes to replace
the myriad of existing standards, methodologies
and paradigms that differed between industries,
subject matters and regions.
Source: Wikipedia, http://en.wikipedia.org/wiki/ISO_31000
Relationship between ISO 31000, ISO 27001 and ISO 27005
[Diagram of scope, from broadest to narrowest: Enterprise Risk Management (ISO 31000); Information Security Risk Management (ISO 27005); ISMS Requirements (ISO 27001)]
Source: Neupart IT Risk Management best practice using ISO 27001 & 27005, October, 2014
How using ISO/IEC 27001 can bring ROI
Source: British Standards Institution (BSI) “ISO/IEC 27001:2013 Executive Overview 01/30/2014”
Are You Extremely Confident About Your Level
of Resilience Against Cyber Hacking?
A BSI survey of IT decision-makers found cyber security a
growing concern, with 56% of UK businesses more
concerned than 12 months ago.
More than two-thirds attributed this to hackers becoming
more skilled and better at targeting businesses.
While 98% of organizations have taken measures to minimize risks to their information security, only 12% are extremely confident about the security measures their organizations have in place to defend against these attacks.
Source: ComputerWeekly.com http://www.computerweekly.com/news/2240235493/BSI-urges-UK-businesses-to-bolster-cyber-Security, November, 2014
Are You Extremely Confident About Your Level
of Resilience Against Cyber Hacking?
56% of ISO 27001 certified organizations said they
were aware of the risk, compared with just 12% of
uncertified organizations.
52% of organizations that had implemented ISO
27001 said they were “extremely confident”
about their level of resilience against the latest
methods of cyber hacking.
The research reveals that businesses that can identify threats are more aware of them.
Source: ComputerWeekly.com http://www.computerweekly.com/news/2240235493/BSI-urges-UK-businesses-to-bolster-cyber-Security, November, 2014
Initial Assessment
Source: British Standard Industry (BSI) ISO/IEC 27001 Information Security Management System – Self-assessment questionnaire (http://www.bsigroup.com/LocalFiles/en-GB/iso-iec-27001/resources/BSI-ISOIEC27001-Assessment-Checklist-UK-EN.pdf)
0 Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Context of the organization
4.1 Understanding the organization and its context
4.3 Determining the scope of the information
security management system
4.4 Information security management system
5 Leadership
5.1 Leadership and commitment
5.2 Policy
5.3 Organizational roles, responsibilities and
authorities
Callout: Create requirements and tasks
6 Planning
6.1 Actions to address risks and
opportunities
6.1.1 General
6.1.2 Information security risk assessment
6.1.3 Information security risk treatment
6.2 Information security objectives and
planning to achieve them
7 Support
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information
7.5.1 General
7.5.2 Creating and updating
7.5.3 Control of documented information
8 Operation
8.1 Operational planning and control
8.2 Information security risk assessment
8.3 Information security risk treatment
9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.3 Management review
10 Improvement
10.1 Nonconformity and corrective action
10.2 Continual improvement
6: Planning / 6.1 Actions to address risks and opportunities / 6.1.1 General
Identifying business critical functions: All business critical functions, related processes, systems and owners must be identified and documented.
Risk Management: Our information security risk management processes comply with ISO 27005.
Risk management planning:
- Management must ensure that risk management has been planned and implemented in the organization.
- Risk management must be planned so that both risks and opportunities are considered.
- Risk management activities must be planned in an annual cycle.
Business Impact Assessment:
- Consequences of IT system incidents must continually be assessed.
- Impact assessment must be updated every year.
Identifying business critical functions: All business critical functions, related processes, systems and owners must be identified and documented.
Supporting documents:
- Information Security Policy (NIST 800-53, Gartner, SANS Templates)
- Information Security Program (NIST SP 800-18)
- Risk Management Program (NIST SP 800-30, NIST SP 800-39, NIST SP 800-100, COBIT 5, ISACA IT Risk)
- Risk Assessment Procedure (NIST SP 800-30, NIST SP 800-100)
Identifying business critical functions: All business critical functions, related processes, systems and owners must be identified and documented.
[Diagram: layered risk assessment model, adapted from Tom Scholtz, Gartner, March 2008]
- Scope layers: Top Management; Units and Processes (Unit 1, Unit 2, Unit 3; Corporate; Line of Business); General Support Units (IS Unit, Compliance, BC Unit, SD Unit, IT Operations, IT Procurement); ITGC Domains (IS New Dev., Chg Mgmt, Operations, Control Env); Business critical functions, Processes, Systems
- Assessment types: Stakeholder Concern Risk Assessment (one time); Periodic Risk Assessment (6 months to 1 year); Vulnerability Assessment, Probability Assessment; Compliance Risk Assessment; Pandemic Risk Assessment; Maturity Risk Assessment; New Product
- Methods: Interview and questionnaire; Self assessment questionnaire; Interview questionnaire and self assessment questionnaire
Done: Identifying business critical functions: All business critical functions, related processes, systems and owners must be identified and documented. (O = owner)
Processes
- Accounting (O: Marilia González)
- Customer Support (O: Luis Gómez)
- Service Delivery (O: Gil Lozano)
- Finance (O: Ramiro Díaz)
Business Systems
- ERP System (O: Larry Rodríguez)
- Dynamics AOS (O: Jesús Rivera)
IT Services
- ERP (O: Rodrigo López)
- Our email service (O: Raquel Medio)
Service Providers
- Amazon EC2 – Cloud Infrastructure as a Service (O: Mauricio Jiménez)
Database Systems
- ERP DB (O: Matthew Ortiz)
- Finance DB (O: Daniel Matis)
Virtual Servers
- APP-SERVER2 (O: Phillip Free)
Logical Servers
- SQL-SERVER1 (O: José Jiménez)
Data Centers
- Mayagüez Datacenter (O: Raúl Pineda)
6: Planning / 6.1 Actions to address risks and opportunities / 6.1.1 General (cont.)
Business Impact Assessment
ISO 27005: Estimate the business impact from breaches of CIA (confidentiality, integrity, availability)
- Financial terms: revenue, cash flow, costs, liabilities
- Non-financial terms: image, non-compliance, competitiveness, service level
Source: Neupart IT Risk Management best practice using ISO 27001 & 27005, October, 2014
Business Impact Assessment: Accounting (High Level Business Impact Assessment)
Consider the following for the Business Impact Assessment for the Accounting Process: reduced revenue or cash flow; increased cost or penalties; damage to reputation or service level; non-compliance or statutory violations.

Level     | Breach of Confidentiality | Breach of Integrity | Breach of Availability
Very Low  |                           |                     |
Low       | X                         |                     |
Medium    |                           |                     |
High      |                           |                     | X
Very High |                           | X                   |

Rationale:
- Confidentiality (Low): Only if substantial amounts of information are revealed to unauthorized persons will it have an unacceptable business impact.
- Integrity (Very High): Any loss of information or its integrity will have an unacceptable business impact.
- Availability (High): An availability loss lasting more than one hour will have an unacceptable business impact.
Source: Neupart IT Risk Management best practice using ISO 27001 & 27005, October, 2014
Business Impact Assessment: Accounting (Detailed Business Impact Assessment)
Estimate the business impact of breaches of confidentiality, integrity and availability.

Business Impact                        | Breach of Confidentiality | Breach of Integrity | Breach of Availability
Reduced revenue or cash flow           | Very Low                  | Very High           | High
Increased cost or penalties            | Medium                    | High                | Very High
Damage to reputation or service level  | Low                       | Very High           | High
Non-compliance or statutory violations | Very Low                  | Very High           | High
Source: Neupart IT Risk Management best practice using ISO 27001 & 27005, October, 2014
6: Planning / 6.1 Actions to address risks and opportunities / 6.1.1 General (cont.)
Risk Analysis
- Detailed risk assessment must be carried out within the organization in all areas warranted by the general risk assessment.
- A detailed risk assessment must be carried out for the organization.
- A general risk assessment must be carried out for the company.
- The company must prepare a detailed risk analysis for all business critical systems.
Supporting documents:
- Information Security Policy (NIST 800-53, Gartner, SANS Templates)
- Information Security Program (NIST SP 800-18)
- Risk Management Program (NIST SP 800-30, NIST SP 800-39, NIST SP 800-100, COBIT 5, ISACA IT Risk)
- Threat Catalog
- Assets to Threats relationship document
Threat Catalog
Source: Neupart IT Risk Management best practice using ISO 27001 & 27005, October, 2014

Category                                   | Threat
Asset damage or loss                       | Fire damage; Water damage; Electromagnetic damage; Damage from natural event
IT operations disruption or integrity loss | Service delivery failure; Maintenance or operations error; Malicious code attack; User error
Asset misuse or disclosure                 | Information theft; Deliberate misuse; Deliberate disclosure
Work disruption or personnel loss          | Personnel turnover; Loss of personnel
Relate Threats to Asset Types
Source: Neupart IT Risk Management best practice using ISO 27001 & 27005, October, 2014

Asset                                          | Asset Type       | Applicable Threats
Accounting                                     | Process          | Personnel turnover, Loss of personnel, Work disruption, Facilities contamination
ERP                                            | IT Service       | Service delivery failure
ERP System                                     | Business System  | User error, Maintenance or operations error, Malicious code attack, Cyberterror attack, Capacity error, Software error, Information theft, Deliberate misuse, Deliberate disclosure, Information leakage
ERP DB                                         | Database System  | Information theft, Deliberate misuse, Deliberate disclosure, Information leakage
APP-SERVER2                                    | Virtual Server   | Maintenance or operations error, Malicious code attack, Cyberterror attack, Capacity error, Software error
SQL-SERVER1                                    | Logical Server   | Maintenance or operations error, Malicious code attack, Cyberterror attack, Capacity error, Software error
Mayagüez Data Center                           | Data Center      | Fire damage, Water damage, Electromagnetic damage, Damage from natural event, Major accidental damage, Deliberate destruction, Environmental control failure, Power supply error, Facilities contamination
Amazon EC2 – Cloud Infrastructure as a Service | Service Provider | Service provider failure

Idea: Virtual servers cannot burn (at least not like a data center does).
Risk Management
Source: Neupart IT Risk Management best practice using ISO 27001 & 27005, October, 2014
Risk model notes (annotations on the diagram):
- Effect on C, I, A.
- Likelihood: unlike the raw threat likelihood, you need to consider the preventive measures (controls applied, residual likelihood) and then estimate the incident likelihood.
- Consequence: what have you done so as not to be impacted too much (consider the reactive controls applied, residual consequence) and then estimate the consequence.
- You reduce the likelihood by implementing more preventive measures.
- You reduce the consequence or impact by implementing more corrective measures.
Vulnerability Assessment for ERP DB
Estimate the maturity and implementation level of controls for the threats listed below.
Take the following threats into account: User error, Maintenance or operations error, Malicious code attack, Cyberterror attack, Capacity error, Software error, Information theft, Deliberate misuse, Deliberate disclosure, Information leakage.

Scales (x marks the level selected on the example form):
- Preventive Administrative Controls: Optimized / Managed / [x] Defined / Repeatable / Ad Hoc
- Preventive Technical Controls: [x] Very Effective / Effective / Implemented / Partially Implemented / Absent
- Corrective Administrative Controls: Optimized / Managed / Defined / [x] Repeatable / Ad Hoc
- Corrective Technical Controls: Very Effective / [x] Effective / Implemented / Partially Implemented / Absent

Level descriptions shown on the form:
- Defined (administrative): Administrative controls aimed at this threat or its potential consequences are based on a formal delegation of responsibilities and have been consistently documented through policies, rules and procedures.
- Repeatable (administrative): Administrative controls aimed at this threat or its potential consequences are based on an informal but defined delegation of responsibilities as well as an established practice based on experience.
- Very Effective (technical): Multi-layer systematic technical or physical controls have been implemented to protect against the threat or its potential consequences. The controls are based on recognized best practice and have been professionally evaluated and proven very effective.
- Effective (technical): Systematic technical or physical controls have been implemented to protect against the threat or its potential consequences. The controls are based on recognized best practice and have been professionally evaluated and proven effective.
Source: Neupart IT Risk Management best practice using ISO 27001 & 27005, October, 2014
Vulnerability Assessment for ERP DB
Estimate the maturity and implementation level of controls for the threats listed below.

Threat                          | Preventive Administrative Controls | Preventive Technical Controls | Corrective Administrative Controls | Corrective Technical Controls
User error                      | Defined                            | Very Effective                | Repeatable                         | Effective
Maintenance or operations error | Repeatable                         | Effective                     | Ad Hoc                             | Very Effective
Malicious code attack           | Managed                            | Very Effective                | Defined                            | Implemented
Cyberterror attack              | Managed                            | Effective                     | Ad Hoc                             | Very Effective
Capacity error                  | Repeatable                         | Very Effective                | Defined                            | Implemented
Software error                  | Defined                            | Effective                     | Ad Hoc                             | Very Effective
Information theft               | Optimized                          | Effective                     | Defined                            | Implemented
Deliberate misuse               | Repeatable                         | Very Effective                | Ad Hoc                             | Effective
Deliberate disclosure           | Optimized                          | Very Effective                | Repeatable                         | Very Effective
Information leakage             | Defined                            | Effective                     | Defined                            | Implemented
Source: Neupart IT Risk Management best practice using ISO 27001 & 27005, October, 2014
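The following is an added worked example, not code from the presentation or from Neupart. It turns the risk model notes (preventive controls lower likelihood, corrective controls lower consequence, effect on C, I, A), the two Accounting BIA tables and the ERP DB vulnerability assessment above into a per-threat residual-risk calculation; the 1-5 scales, the rule that only the weaker of the administrative and technical layers earns credit, the CIA effect assigned to each threat and the risk appetite of 15 are assumptions made here.

```python
"""Per-threat residual risk for the ERP DB, following the slides' model:
BIA gives the impact per CIA dimension, preventive controls lower the
likelihood, corrective controls lower the consequence.  Added example, not
the presentation's code; scales, weights and thresholds are assumptions."""
from dataclasses import dataclass

LEVEL = {"Very Low": 1, "Low": 2, "Medium": 3, "High": 4, "Very High": 5}
ADMIN = {"Ad Hoc": 0, "Repeatable": 1, "Defined": 2, "Managed": 3, "Optimized": 4}
TECH = {"Absent": 0, "Partially Implemented": 1, "Implemented": 2,
        "Effective": 3, "Very Effective": 4}
# CIA dimension(s) each threat mainly affects (assumption, not from the slides).
EFFECT = {"User error": "I", "Maintenance or operations error": "IA",
          "Malicious code attack": "CIA", "Cyberterror attack": "A",
          "Capacity error": "A", "Software error": "IA", "Information theft": "C",
          "Deliberate misuse": "CI", "Deliberate disclosure": "C",
          "Information leakage": "C"}

@dataclass(frozen=True)
class Controls:
    prev_admin: str  # maturity of preventive administrative controls
    prev_tech: str   # implementation level of preventive technical controls
    corr_admin: str  # maturity of corrective administrative controls
    corr_tech: str   # implementation level of corrective technical controls

# Vulnerability assessment for ERP DB, values as given on the slide.
ERP_DB_CONTROLS = {
    "User error": Controls("Defined", "Very Effective", "Repeatable", "Effective"),
    "Maintenance or operations error": Controls("Repeatable", "Effective", "Ad Hoc", "Very Effective"),
    "Malicious code attack": Controls("Managed", "Very Effective", "Defined", "Implemented"),
    "Cyberterror attack": Controls("Managed", "Effective", "Ad Hoc", "Very Effective"),
    "Capacity error": Controls("Repeatable", "Very Effective", "Defined", "Implemented"),
    "Software error": Controls("Defined", "Effective", "Ad Hoc", "Very Effective"),
    "Information theft": Controls("Optimized", "Effective", "Defined", "Implemented"),
    "Deliberate misuse": Controls("Repeatable", "Very Effective", "Ad Hoc", "Effective"),
    "Deliberate disclosure": Controls("Optimized", "Very Effective", "Repeatable", "Very Effective"),
    "Information leakage": Controls("Defined", "Effective", "Defined", "Implemented"),
}
# The two Accounting BIA results from the slides (ERP DB inherits them).
BIA_INITIAL = {"C": "Low", "I": "Very High", "A": "High"}
BIA_REVISED = {"C": "Very High", "I": "Low", "A": "Medium"}

def residual_likelihood(c: Controls, inherent: int = 5) -> int:
    # Only the weaker of the two preventive layers earns credit (assumption).
    return max(1, inherent - min(ADMIN[c.prev_admin], TECH[c.prev_tech]))

def residual_consequence(impact: int, c: Controls) -> int:
    # Corrective controls reduce the BIA impact, again crediting the weaker layer.
    return max(1, impact - min(ADMIN[c.corr_admin], TECH[c.corr_tech]))

def assess(bia: dict, controls: dict) -> dict:
    out = {}
    for threat, c in controls.items():
        impact = max(LEVEL[bia[d]] for d in EFFECT[threat])  # worst affected dimension
        lik, con = residual_likelihood(c), residual_consequence(impact, c)
        out[threat] = {"likelihood": lik, "consequence": con, "risk": lik * con}
    return out

def treatment_hint(r: dict, appetite: int = 15) -> str:
    # Above appetite: target the dominant factor, per the slides' rule of thumb
    # (preventive measures cut likelihood, corrective measures cut consequence).
    if r["risk"] < appetite:
        return "Accept"
    lever = "preventive" if r["likelihood"] >= r["consequence"] else "corrective"
    return f"Reduce risk (strengthen {lever} controls)"

if __name__ == "__main__":
    for name, bia in (("initial", BIA_INITIAL), ("revised", BIA_REVISED)):
        res = assess(bia, ERP_DB_CONTROLS)
        print(f"ERP DB under {name} BIA:")
        for t, r in sorted(res.items(), key=lambda kv: -kv[1]["risk"]):
            print(f"  {r['risk']:2d}  {t:32s} {treatment_hint(r)}")
```

Running it shows how the revised BIA (confidentiality now Very High) pushes the confidentiality threats up the ranking while the integrity-driven ones fall, which is the kind of shift the Treatment Overview slides report as "Risk Increased!".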
Assets: Dependency Hierarchy (from business process down to data center; name, then asset type)
- Finance (Business Process)
- ERP (IT Service)
- Finance DB (Database)
- Dynamics AOS (Business System)
- SAN 01 (Data Storage)
- Server 02 (Virtual Server)
- HP DL380 (Hardware unit)
- Server 01 (Virtual Server)
- HP DL380 (Hardware unit)
- Mayagüez (Data Center)
Source: Neupart IT Risk Management best practice using ISO 27001 & 27005, October, 2014
Business Processes & IT Services
Include only your most important business processes and their primary supporting systems.
Source: Neupart IT Risk Management best practice using ISO 27001 & 27005, October, 2014
6: Planning / 6.1 Actions to address risks and opportunities / 6.1.3 Information security risk treatment
Risk treatment:
- Based on the risk assessment, appropriate information security controls must be implemented.
- The chosen information security controls being implemented should be compared to the controls listed in Annex A of the standard to ensure that no necessary controls have been omitted.
- A Statement of Applicability must be prepared based on the information security controls that have been selected.
- The Statement of Applicability should include the justification for including or excluding controls.
We treat risks using the four options of ISO 27005:
- Accept risks
- Reduce risk by implementing controls
- Share risks
- Avoid risks
ISO 31000 Enterprise Risk Management
Source: Neupart IT Risk Management best practice using ISO 27001 & 27005, October, 2014
ISO 27001: Not only downside risks
6.1 Actions to address risks and opportunities
Quote from ISO 31000: "Organizations of all types and sizes face internal and external factors and influences that make it uncertain whether and when they will achieve their objectives. The effect this uncertainty has on an organization's objectives is 'risk'."
Source: Neupart IT Risk Management best practice using ISO 27001 & 27005, October, 2014
Treating Risks
Source: Neupart IT Risk Management best practice using ISO 27001 & 27005, October, 2014
Treatment Overview: Accounting Assets

Asset      | Asset Type      | C  | I  | A  | CR | Treat       | Status
Accounting | Process         | 27 | 44 | 44 | 41 | Not treated | Not treated
ERP        | IT Service      | 27 | 44 | 44 | 41 | Not treated | Not treated
ERP DB     | Database System | 27 | 44 | 44 | 41 | Not treated | Not treated
Source: Neupart IT Risk Management best practice using ISO 27001 & 27005, October, 2014
Treatment Overview: Accounting

Asset      | Asset Type      | C  | I  | A  | CR | Treat       | Status
Accounting | Process         | 27 | 44 | 44 | 41 | Reduce Risk | Not treated
ERP        | IT Service      | 27 | 44 | 44 | 41 | Not treated | Not treated
ERP DB     | Database System | 27 | 44 | 44 | 41 | Not treated | Not treated

"The risk level for the linked asset is unacceptable. It has been determined that the best option is to reduce the risk of the asset. This can be accomplished by the implementation of new security products, a change in the usage of the asset, increased network security, authorization management, additional physical and environmental security and outsourcing of the asset to a partner with a higher level of security etc. After the successful completion of this task, the risk assessment of the asset should be updated, so that it reflects the new level."
Source: Neupart IT Risk Management best practice using ISO 27001 & 27005, October, 2014
Business Impact Assessment: Accounting (High Level Business Impact Assessment, revised)
Consider the following for the Business Impact Assessment for the Accounting Process: reduced revenue or cash flow; increased cost or penalties; damage to reputation or service level; non-compliance or statutory violations.

Level     | Breach of Confidentiality | Breach of Integrity | Breach of Availability
Very Low  |                           |                     |
Low       |                           | X                   |
Medium    |                           |                     | X
High      |                           |                     |
Very High | X                         |                     |

Rationale:
- Confidentiality (Very High): Any confidentiality loss will have an unacceptable business impact.
- Integrity (Low): Only if substantial amounts of information are lost or erroneous will it have an unacceptable business impact.
- Availability (Medium): An availability loss lasting between one and 3 days may have an unacceptable business impact.
Source: Neupart IT Risk Management best practice using ISO 27001 & 27005, October, 2014
Treatment Overview: Accounting (after the revised BIA)

Asset      | Asset Type      | C  | I  | A  | CR | Treat       | Status
Accounting | Process         | 45 | 17 | 27 | 37 | Reduce Risk | Risk Increased!
ERP        | IT Service      | 45 | 17 | 27 | 37 | Not treated | Not treated
ERP DB     | Database System | 45 | 17 | 27 | 37 | Not treated | Not treated
Source: Neupart IT Risk Management best practice using ISO 27001 & 27005, October, 2014
Statement of Applicability linked to Risk Treatment
SoA = Statement of Applicability
ISO 27001:
- Select treatment options
- Determine controls
- Check controls with Annex A
- Justify exclusions AND inclusions
- Clearly worded that you must determine all necessary controls, e.g. regulations
Source: Neupart IT Risk Management best practice using ISO 27001 & 27005, October, 2014
Lessons Learned so Far and Conclusions
- We don't know what to do with the exceptions (legacy systems that do not support password parameters). Will the ISO certification entity allow room for exceptions? What is the procedure for it?
- This also applies to segregation of environments: there are a lot of applications and not all have test environments.
- We are executing a security program and we are managing risks, so why not push harder to get certified?
- It's becoming more critical for service companies to be certified in ISO 27001 to set themselves apart from the competition.
Lessons Learned so Far and Conclusions
- Be careful with the threat catalog: you probably need to consider threats that are not in there and update your threat catalog. Remember that not all threats apply to all assets and processes.
- If you comply with ISO 27001:2005, you also comply with 27001:2013, since it is a simplification to help you achieve the certification.
- On February 24, 2014, the Information Technology Services Department (ITS) of the University of Qatar stated in a press release announcing that they had achieved ISO 27001: "The ITS department plans to pursue compliance with the Qatar Government Information Assurance (GIA) policy, whose features are considered to have more specific and stringent controls than the international standard".
Thank You