Security Risk Management of ISO 27001
The management of risk is core to the implementation of ISO 27001. It is a theme covered throughout the standard. But what is security risk management? What is risk assessment?
A classical definition of risk assessment describes it as a process that ensures the security controls for a system are fully commensurate with its risks. This process, however, can be complex in itself. Most methods, though, employ the following interrelated elements:
THREATS
These are things that can go wrong or that can 'attack' the system or business. Examples might include fraud or fire. Threats are ever present for every business and information system.
VULNERABILITIES
These make a system more prone to attack by a threat, or make an attack more likely to have some 'success' or undesired impact. For example, for fire a vulnerability would be the presence of highly flammable materials (e.g. paper).
CONTROLS
These are the countermeasures for vulnerabilities. There are basically four types:
Preventative controls protect vulnerabilities and make an attack unsuccessful or reduce its impact.
Corrective controls reduce the effect of an attack.
Detective controls discover attacks and trigger preventative or corrective controls.
Deterrent controls reduce the likelihood of a deliberate attack.
It is common for all these to be weighed against each other to produce a set of metrics, which enable business decisions regarding security to be more easily taken. Hence references to 'risk level', 'risk score' and so on.
Once risk has been measured, it has to be managed (risk management). This can involve, for example, treatment, mitigation or transfer of the residual risks.
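To show how threats, vulnerabilities and the four control types combine into a 'risk score' and a residual-risk decision, here is an added example in Python; it is not code from the original article or from ISO 27001. The 1..5 scales, the effect fractions, the rule that corrective controls need a detective control to trigger them, and the risk-appetite threshold are all constructed for illustration.

```python
from collections import namedtuple
from dataclasses import dataclass, field

# The four control types from the text; each one acts on a different term of the score.
PREVENTATIVE, CORRECTIVE, DETECTIVE, DETERRENT = "preventative", "corrective", "detective", "deterrent"
Control = namedtuple("Control", "name kind effect")  # effect: share of the affected term removed, 0.0..1.0

@dataclass
class Risk:
    threat: str
    likelihood: int                    # 1..5: how often the threat is expected to act
    impact: int                        # 1..5: business impact if an attack succeeds
    deliberate: bool                   # deterrents only reduce deliberate attacks
    vulnerability_factor: float = 1.0  # >1.0 when a vulnerability makes success more likely
    controls: list = field(default_factory=list)

def inherent_score(r: Risk) -> float:
    # Risk level before any control is applied.
    return r.likelihood * r.vulnerability_factor * r.impact

def residual_score(r: Risk) -> float:
    # Risk level once the four control types have been weighed against the threat.
    likelihood = r.likelihood * r.vulnerability_factor
    impact = float(r.impact)
    detected = any(c.kind == DETECTIVE for c in r.controls)
    for c in r.controls:
        if c.kind == PREVENTATIVE or (c.kind == DETERRENT and r.deliberate):
            likelihood *= 1 - c.effect
        elif c.kind == CORRECTIVE and detected:
            # A corrective control only fires when a detective control triggers it (assumed rule).
            impact *= 1 - c.effect
    return likelihood * impact

def treatment(score: float, appetite: float) -> str:
    # Map a residual score to a treatment decision against the business's risk appetite (assumed thresholds).
    if score <= appetite:
        return "accept"
    return "mitigate" if score <= 2 * appetite else "transfer or avoid"

# Constructed sample register built from the text's own examples, fire and fraud.
FIRE = Risk("fire", likelihood=2, impact=5, deliberate=False, vulnerability_factor=1.5, controls=[
    Control("fire-safe storage of paper", PREVENTATIVE, 0.5),
    Control("smoke detectors", DETECTIVE, 0.0),
    Control("sprinklers", CORRECTIVE, 0.6),
])
FRAUD = Risk("fraud", likelihood=3, impact=4, deliberate=True, controls=[
    Control("audit trail and sanctions policy", DETERRENT, 0.4),
    Control("four-eyes approval of payments", PREVENTATIVE, 0.5),
])
```

Running `treatment(residual_score(FIRE), appetite=4.0)` gives "accept" although the inherent fire score is 15.0; removing the smoke detectors leaves the sprinklers with nothing to trigger them, and the residual score rises accordingly.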
WHERE TO START
Adopting a comprehensive and formal risk management approach requires a sound understanding of the principles of risk. Fortunately, as with the standards themselves, a kit has emerged to educate and to assist with all stages of the exercise. This is documented on its own site: Risk.Biz
source: ccure.org and molemag.net