ISO/IEC 27005 Risk Management Guide

Information security risk management
using ISO/IEC 27005:2008
Herv Cholez / Sbastien Pineau

Centre de Recherche Public Henri Tudor
herve.cholez@tudor.lu sebastien.pineau@tudor.lu
March, 29th 2011
TAO Workshop on CBA Security
Objectives
ISO/IEC 27005 is a standard that propose a way to

manage information security risks, particularly in the
context of the implementation of an ISMS* (ISO/IEC
27001)
ISO/IEC 27005 is not a method, just a guide
For the moment... discussions in progress!
* ISMS: Information Security Management System

Risk?
Risk = (Threat * Vulnerability * Impact)
Vulnerability: intrinsic to the object or situation

Threat: probability of occurrence of an (external) event
exploiting the vulnerability
Impact: consequence
Example: burglary in your house
Vulnerability: your home keys under your carpet

Threat: a burglar comes along...
Impact: loss of your money, your TV, etc.
Information Security Risk? (1/3)
potential that a given threat will exploit vulnerabilities of

an asset or group of assets and thereby cause harm to
the organization
Threat
exploits
Vulnerability
causes
Impact
concerns
Asset
Asset
anything that has value to the organization

Primary: business processes and activities, information
Support: hardware, software, network, personal, facilities
Threat
Potential cause of an unwanted incident, which may result in

harm to a system or organization
Source of the risk, possible attack
3 kinds
Accidental (unintentional human action)

Deliberate (voluntary human action)
Environmental (non-human action)
Vulnerability
weakness of an asset (or control) that can be exploited by a

threat
Impact
adverse change to the level of business objectives achieved

Consequence of the risk on the system or organization
Generally expressed in terms of:
Confidentiality
Integrity
Availability
Impacts?
Confidentiality
property that information is not made available or disclosed to

unauthorized individuals, entities or processes
internal disclosure, external disclosure...
Integrity
property of protecting the accuracy and completeness of

assets
accidental modification, deliberate modification, incorrect results,

incomplete results
Availability
property of being accessible and usable upon demand by an

authorized entity
performance degradation, short-term/long-term interruption, total

loss (destruction)
Information security risk

management (ISRM)?
The total process of identifying, controlling, and
eliminating or minimizing uncertain events that may
affect IT system resources [ISO/IEC 13335-1]
3 objectives
Improve information system security

Justify information system security budget
Prove the credibility of the information system using the
analysis performed
ISO/IEC 27005
Information technology Security techniques

Information security risk management
Tudors activities
Formation(s) 27001
Analyse carts 27001
Gestion des risques
Dfinition d'une Politique

de scurit
Outil de gestion des

risques (27005 EBIOS)
Formation gestion des
risques (27005)
Maturer/Packager
Dcliner en
niveaux/Packager
Dcliner en
niveaux/Packager
Mthodologie + template
Toolbox
Evaluation de la maturit
en scurit de
linformation
Maturer/Packager
Mthodologie + outil de
mesure
Maturer/Packager
Dcliner en
niveaux/Packager
SaaS
WEB
Implmentation dun
SMSI
Guide dimplmentation
27001 + templates
FOURNISSEURS
Audit blanc 27001
10
Process
11
Process
12
Context establishment
Basic Criteria
The scope and boundaries
Organization for IRSM
13
Context establishment > Basic

Criteria
Risk evaluation criteria
Impact criteria
Risk acceptance criteria
These criteria are specific to a given
organization/system, to a given study, etc.
14

Criteria > Risk evaluation criteria (1)
Depends on
The strategic value of the business information process

The criticality of the information assets involved
Legal and regulatory requirements, and contractual obligations
Operational and business importance of CIA
Stakeholders expectations and perceptions, and negative
consequences for goodwill and reputation
Enables to prioritize risks
15

Criteria > Risk evaluation criteria (2)
Examples
Financial
Risk level
Loss < 1000
Unimportant risk
1000 < Loss < 5000
Risk affecting the internal operation
5000 < Loss < 10000
Risk affecting customers
Loss > 10000
Risk
Goal:
Clear differentiation between levels

Unambiguous interpretation
16

Criteria > Impact criteria (1)
Cost per security incident, considering
Level of classification of the impacted information asset

Breaches of information security (e.g. Loss of CIA)
Loss of business and financial value
Disruption of plans and deadlines
Damage of reputation
Breaches of legal, regulatory or contractual requirements
17

Criteria > Impact criteria (2)
Example
Confidentiality
Integrity
Availability
Public
No constraint
No constraint
Restricted
Change visible
Unavailable 1 week/year
Very restricted
Change reduced
Unavailable 1 day/year
Secret
Can not be altered
Always available
Goal:
Clear differentiation between levels

Unambiguous interpretation
18

Criteria > Likelihood of risk
Threat
Explanation
1
Very unlikely, according to statistics, or the cost or level of expertise required
May happen from time to time
Very likely easier to implement, no investment or special expertise
Vulnerability
Explanation
0
Very low: measures in place effective against the threat
Medium: measures insufficient or inappropriate
High: no effective protection measures in place
Very high: lack of measures, or obsolete or irrelevant
19

Criteria > Risk acceptance criteria
(1)
Formula:
Risk level = max(concerned impact) * (threat +
vulnerability 1)
Max(I) * (T+V-1)
10
12
15
20

Criteria > Risk acceptance criteria
(2)
Example
An unacceptable risk is:
A very likely risk
With inadequate or inappropriate measures
Threat = 3
Vulnerability = 1
And whose asset value is 3
Impact = 3
RL = 3 * (3 + 1 - 1) = 9
Max(I) * (T+V-1)
10
12
15
21

Criteria > The scope and boundaries
Generally the first step (chronologically)
Definition of:
Activity, processes to take into account

Objectives
Study borders (geographically, logically, ...)
Legal constraints
Etc.
22

Criteria > Organization for ISRM
Roles and responsibilities definition for the risk
management process
Must be documented
23
Process
24
Risk assessment
Risk analysis
Risk identification
Risk estimation
Risk evaluation
25
Risk assessment > Risk

identification > Asset identification
(1)
Primary asset identification
business processes and activities, information
Support assets identification (and mapping)
Hardware, software, networking, people, facilities

Knowledge bases available (e.g. EBIOS method)
For each asset
Owner identification
Value determination
Qualitative, quantitative, semi quantitative
26

identification > Asset identification
(2)
For each asset, impact determination
Based on impact criteria
if criteria X of asset A is not fulfil, the impact would
be...
Confidentiality
Integrity
Availability
Public
No constraint
No constraint
Restricted
Change visible
Unavailable 1 week/year
Very restricted
Change reduced
Unavailable 1 day/year
Secret
Can not be altered
Always available
27

identification > Threat and
vulnerabilities identification
Knowledge bases
Interviews, brainstorming
Expert analysis
Take into account controls already in place
(vulnerabilities)
For threats, take into account:
Deliberate
Accidental
28
Risk assessment > Risk estimation
Risk = (Threat * Vulnerability * Impact)

Use of the formula
Risk level = max(concerned impact) * (threat +
vulnerability 1)
Value for each identified risk
29
Risk evaluation
Comparison
Obtained risk levels from risk assessment

Defined risk acceptance levels
Max(I) * (T+V-1)
10
12
15
30
Process
31
Risk treatment
4 choices
Risk Reduction
Risk Retention
Risk Avoidance
Risk Transfer
Risk
treatment
Risk
Reduction
Risk
Retention
Risk
Avoidance
Risk
Transfer
Can be combined
Results on a risk treatment plan
32
Risk treatment > Risk reduction
Controls (measures) are implemented to reduce the

risk
It generally affects the vulnerability
ISO/IEC 27002 proposes a set of controls

Constraints for risk reduction exist
Time, financial, technical, etc...
33
Risk treatment > Risk retention
Risk is accepted
Nothing is done to reduce it
Generally when risk level is less than risk acceptance

value
But can be decided when risk is greater than risk
acceptance value
Negative ROSI
Risk-taking
34
Risk treatment > Risk avoidance
Risk is refused
business function cancelled
Generally if the risk is too high and that no costeffective solution is found
35
Risk treatment > Risk transfer
Risk is transferred or shared with third party
Outsourcing
Insurance
Generally for high impact risks with low occurrence

Can create other risks or modify existing risks
Transfer the responsibility to manage the risk but not
the liability of an impact
36
Process
37
Risk acceptance
Risks effectively treated
Review of the risk treatment

Validation of selected solutions
Selection of residual risks
Residual risks
Accepting a number of risks that can consider itself unable to

deal, or are acceptable to the organization
38
Process
39
Risk communication
Continuous step
Obtain and communicate with all the stakeholders
Collect information on risks and security

Share risk assessment results
Present risk treatment plan
Awareness
Etc.
40
Process
41
Risk monitoring and review
Continuous step
Risks are constantly changing, all risk equation
elements must be tracked!
New assets
New threats
New vulnerabilities
Incidents
Etc.
Minor changes vs. major changes
42
Thanks for your attention!
Any questions?
jocelyn.aubert@tudor.lu
43

ISO/IEC 27005 Risk Management Guide

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

ISO/IEC 27005 Risk Management Guide

Uploaded by

Copyright:

Available Formats

Information security risk management

using ISO/IEC 27005:2008

Herv Cholez / Sbastien Pineau

March, 29th 2011

TAO Workshop on CBA Security

ISO/IEC 27005 is a standard that propose a way to

For the moment... discussions in progress!

* ISMS: Information Security Management System

Risk = (Threat * Vulnerability * Impact)

Vulnerability: intrinsic to the object or situation

Example: burglary in your house

Vulnerability: your home keys under your carpet

TAO Workshop on CBA Security

Information Security Risk? (1/3)

potential that a given threat will exploit vulnerabilities of

TAO Workshop on CBA Security

Information Security Risk? (2/3)

anything that has value to the organization

Potential cause of an unwanted incident, which may result in

Accidental (unintentional human action)

Information Security Risk? (3/3)

weakness of an asset (or control) that can be exploited by a

adverse change to the level of business objectives achieved

TAO Workshop on CBA Security

property that information is not made available or disclosed to

internal disclosure, external disclosure...

property of protecting the accuracy and completeness of

accidental modification, deliberate modification, incorrect results,

property of being accessible and usable upon demand by an

performance degradation, short-term/long-term interruption, total

Information security risk

Improve information system security

TAO Workshop on CBA Security

Information technology Security techniques

TAO Workshop on CBA Security

Gestion des risques

Dfinition d'une Politique

Outil de gestion des

Audit blanc 27001

TAO Workshop on CBA Security

TAO Workshop on CBA Security

TAO Workshop on CBA Security

Context establishment > Basic

TAO Workshop on CBA Security

Context establishment > Basic

The strategic value of the business information process

Enables to prioritize risks

TAO Workshop on CBA Security

Context establishment > Basic

Loss < 1000

1000 < Loss < 5000

Risk affecting the internal operation

5000 < Loss < 10000

Risk affecting customers

Loss > 10000

Clear differentiation between levels

TAO Workshop on CBA Security

Context establishment > Basic

Level of classification of the impacted information asset

TAO Workshop on CBA Security

Context establishment > Basic

Can not be altered