Information Security Risk Management for ISO27001/ISO27002

Information Security Risk Management for ISO27001/ISO27002

by Alan Calder, Steve Watkins
Released April 2010
Publisher(s): IT Governance Publishing
ISBN: 9781849281492

Read it now on the O’Reilly learning platform with a 10-day free trial.

O’Reilly members get unlimited access to books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Book description

Plan and carry out a risk assessment to protect your business information.

In the knowledge economy, organisations have to be able to protect their information assets. Information security management has, therefore, become a critical corporate discipline. The international code of practice for an information security management system (ISMS) is ISO27002.

As the code of practice explains, information security management enables organisations to 'ensure business continuity, minimise business risk, and maximise return on investments and business opportunities'.

Information Security Management System requirements

The requirements for an ISMS are specified in ISO27001. Under ISO27001, a risk assessment has to be carried out before any controls can be selected and implemented, making risk assessment the core competence of information security management.

This book provides information security and risk management teams with detailed, practical guidance on how to develop and implement a risk assessment in line with the requirements of ISO27001.

International best practice

Drawing on international best practice, including ISO/IEC 27005, NIST SP800-30 and BS7799-3, the book explains in practical detail how to carry out an information security risk assessment. It covers key topics, such as risk scales, threats and vulnerabilities, selection of controls, and roles and responsibilities, and includes advice on choosing risk assessment software.

Benefits of a risk assessment

  • Stop the hacker. With a proper risk assessment, you can select appropriate controls to protect your organisation from hackers, worms and viruses, and other threats that could potentially cripple your business.

  • Achieve optimum ROI. Failure to invest sufficiently in information security controls is 'penny wise, pound foolish', since, for a relatively low outlay, it is possible to minimise your organisation's exposure to potentially devastating losses. However, having too many safeguards in place will make information security system expensive and bureaucratic; so without accurate planning your investment in information security controls can become unproductive. With the aid of a methodical risk assessment, you can select and implement your information security controls to ensure that your resources will be allocated to countering the major risks to your organisation. In this way, you will optimise your return on investment.

  • Build customer confidence. Protecting your information security is essential if you want to preserve the trust of your clients and to keep your business running smoothly from day to day. If you set up an ISMS in line with ISO27001, then, after an assessment, you can obtain certification. Buyers now tend to look for the assurance that can be derived from an accredited certification to ISO27001 and, increasingly, certification to ISO27001 is becoming a prerequisite in service specification procurement documents.

  • Comply with corporate governance codes. Information security is a vital aspect of enterprise risk management (ERM). An ERM framework is required by various corporate governance codes, such as the Turnbull Guidance contained within the UK's Combined Code on Corporate Governance, and the American Sarbanes-Oxley Act (SOX) of 2002, and standards such as ISO310000.

As the authors point out, 'Just because a threat has not occurred yet does not mean that it never will'.

What others are saying about this book ...

'... a timely and expert resource for any information and knowledge professional seeking to improve information security management... Additional chapters on policy development and the range of threats that could face an organisation make this an essential resource for any information professional. The authors have managed to balance technical expertise with the realities of delivering services in a recession ...'Robin Smith, Head of Information Governance, Northampton General Hospital

Table of contents

  1. Information Security Risk Management for ISO27001 / ISO27002
    1. ABOUT THE AUTHORS
    2. CONTENTS
    3. INTRODUCTION
    4. CHAPTER 1: RISK MANAGEMENT9
      1. Risk management: two phases
      2. Enterprise risk management
      3. Turnbull Guidance
      4. Basel 2
      5. COSO
    5. CHAPTER 2: RISK ASSESSMENT METHODOLOGIES
      1. Publicly available risk assessment standards
      2. Qualitative versus quantitative
      3. Quantitative risk analysis
      4. Qualitative risk analysis – the ISO27001 approach
      5. Other risk assessment methodologies
      6. CRAMM
      7. OCTAVE
      8. IRAM, SARA, SPRINT and FIRM
      9. Other methodologies
    6. CHAPTER 3: RISK MANAGEMENT OBJECTIVES
      1. Risk acceptance or tolerance
      2. Information security risk management objectives
      3. Information security controls and return on investment (ROI)
      4. Risk management and PDCA
      5. PDCA and the risk acceptance criteria
    7. CHAPTER 4: ROLES AND RESPONSIBILITIES
      1. Senior management commitment
      2. The (lead) risk assessor
      3. Other roles and responsibilities
    8. CHAPTER 5: RISK ASSESSMENT SOFTWARE
      1. Gap analysis tools
      2. Vulnerability assessment tools
      3. Penetration testing
      4. Risk assessment tools
      5. Risk assessment tool descriptions31
      6. Conclusions
    9. CHAPTER 6: INFORMATION SECURITY POLICY AND SCOPING36
      1. Information security policy
      2. Scope of the ISMS
    10. CHAPTER 7: THE ISO27001 RISK ASSESSMENT
      1. Overview of the risk assessment process
    11. CHAPTER 8: INFORMATION ASSETS
      1. Assets within the scope
      2. Asset classes
      3. Grouping of assets
      4. Asset dependencies
      5. Asset owners43
      6. Sensitivity classification
      7. Are vendors assets?
      8. What about duplicate copies and backups?
      9. Identification of existing controls
    12. CHAPTER 9: THREATS AND VULNERABILITIES
      1. Threats
      2. Vulnerabilities
      3. Technical vulnerabilities
    13. CHAPTER 10: IMPACT AND ASSET VALUATION
      1. Impacts
      2. Defining impact
      3. Estimating impact
      4. The asset valuation table
      5. Business, legal and contractual impact values
      6. Reputation damage
      7. Direct description approach
      8. Coverage approach
    14. CHAPTER 11: LIKELIHOOD
      1. Risk analysis
      2. Information to support assessments
    15. CHAPTER 12: RISK LEVEL
      1. The risk scale
      2. Boundary calculations
      3. Mid-point calculations
    16. CHAPTER 13: RISK TREATMENT AND THE SELECTION OF CONTROLS
      1. Types of controls
      2. Risk assessment and existing controls
      3. Residual risk
      4. Risk transfer
      5. Optimising the solution
    17. CHAPTER 14: THE STATEMENT OF APPLICABILITY
      1. Drafting the Statement of Applicability
    18. Introduction
    19. Statement of Applicability
      1. A.5.1.1 Information Security Policy
      2. A.6.1.1 Management commitment to information security
      3. A.6.1.2 The Steering Group
      4. A.9.2.1 Equipment siting and protection
      5. A.10.8.4 Physical media in transit
    20. CHAPTER 15: THE GAP ANALYSIS AND RISK TREATMENT PLAN
      1. Gap analysis
      2. Risk Treatment Plan
    21. CHAPTER 16: REPEATING AND REVIEWING THE RISK ASSESSMENT
    22. APPENDIX 1: CARRYING OUT AN ISO27001 RISK ASSESSMENT USING VSRISK™
      1. How the tool actually works
      2. Training requirements
      3. Start using vsRisk™ for your risk assessment
      4. Identify the assets
      5. Identify the risks
      6. Assess the risks
      7. Identify and evaluate options for the treatment of risks
      8. Select control objectives and controls for treatment of the risks
    23. APPENDIX 2: ISO27001 IMPLEMENTATION RESOURCES
      1. Information and advice
      2. Certification bodies and other organisations
      3. vsRisk™
      4. The Documentation Toolkit
      5. Information security standards ISO27001, ISO27002, ISO27005 and BS7799-3
      6. ISO27001 consultancy
      7. ISO27001 training courses
      8. ISO27001 implementation manuals from ITGP
    24. BOOKS BY THE SAME AUTHORS
      1. Books by Alan Calder and Steve G Watkins
      2. Books by Alan Calder
      3. Books by Steve G Watkins
    25. ITG RESOURCES
      1. Other Websites
      2. Pocket Guides
      3. Toolkits
      4. Best Practice Reports
      5. Best Practice Reports
      6. Training and Consultancy
      7. Newsletter

Product information

  • Title: Information Security Risk Management for ISO27001/ISO27002
  • Author(s): Alan Calder, Steve Watkins
  • Release date: April 2010
  • Publisher(s): IT Governance Publishing
  • ISBN: 9781849281492