ISO 27005 Presentation Slide

This document provides an overview of risk assessment as per ISO 27005. It explains that risk assessment consists of risk identification, estimation, and evaluation. The risk identification process covers identifying assets, threats, existing controls, and vulnerabilities. Risk estimation specifies a measure of risk using qualitative or quantitative methods. Finally, risk evaluation compares and prioritizes risks based on risk evaluation criteria and risk acceptance criteria. The document outlines the iterative risk assessment workflow prescribed by ISO 27005.


Risk Assessment as per ISO 27005

Presented by Dharshan Shanthamurthy, Risk Assessment Evangelist, WWW.SMART‐RA.COM

SMART‐RA.COM is a patent pending product of SISA Information Security Pvt. Ltd.
What is Risk Assessment?
• NIST SP 800‐30: Risk Assessment is the analysis of threats in conjunction with vulnerabilities and existing controls.
• OCTAVE: Risk Assessment will provide information needed to make risk management decisions regarding the degree of security remediation.
• ISO 27005: Risk Assessment = Identification, Estimation and Evaluation
Why Risk Assessment? Regulatory Compliance

Compliance Requirement: Risk Assessment Standard
• PCI DSS Requirement 12.1.2: Formal and structured risk assessment based on methodologies like ISO 27005, NIST SP 800‐30, OCTAVE, etc.
• HIPAA Section 164.308(a)(1): Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
• FISMA 3544: Periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices, to be performed at least annually.
• ISO 27001 Clause 4.1: Risk assessments should identify risks against risk acceptance criteria and organizational objectives. Risk assessments should also be performed periodically to address changes in the security requirements and in the risk situation.
• Also: GLBA, SOX, FISMA, Data Protection Act, IT Act Amendment 2008, Privacy Act, HITRUST……
Why Risk Assessment? Business Rationale

Function: Explanation
• Return on Investment: A structured RA methodology follows a systematic and pre‐defined approach, minimizes the scope of human error, and emphasizes process driven, rather than human driven, activities.
• Budget Allocation: Assists in controls cost planning and justification.
• Controls: Cost and effort optimization by optimizing controls selection and implementation.
• Efficient utilization of resources: Resource optimization by appropriate delegation of actions related to controls implementation.
What is IS-RA?
Risk assessment is the cornerstone of any information security program, and it is the fastest way to gain a complete understanding of an organization's security profile – its strengths and weaknesses, its vulnerabilities and exposures.

“IF YOU CAN’T MEASURE IT …YOU CAN’T MANAGE IT!”


Reality Check
• ISRA – a need more than a want
• Each organization has their own ISRA
• ISRA learning curve
• Cumbersome – 1000 assets, 20 worksheets
• Two months of effort
• Complicated report
Exercise
• Threat Scenarios
• Threat Profiles to be filled.
Risk Assessment reference points
• OCTAVE
• NIST SP 800‐30
• ISO 27005
• COSO
• Risk IT
• ISO 31000
• AS/NZS 4360
• FRAP
• FTA
• MEHARI
ISO 27005 Introduction
• ISO 27005 is an Information Security Risk Management guideline.
• Lays emphasis on the ISMS concept of ISO 27001:2005.
• Drafted and published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
• Provides a RA guideline and does not recommend any RA methodologies.
• Applicable to organizations of all types.


ISO 27005 Workflow
• Advocates an iterative approach to risk assessment.
• Aims at balancing time and effort with controls efficiency in mitigating high risks.
• Proposes the Plan‐Do‐Check‐Act cycle.

Source: ISO 27005 Standard
ISO 27005 Risk Assessment
Information Security Risk Assessment = Risk Analysis + Risk Evaluation

Risk Analysis:
Risk Analysis = Risk Identification + Risk Estimation

1. Risk Identification
Risk is characterized in terms of organizational conditions.
• Identification of Assets: Assets within the defined scope.
• Identification of Threats: Based on incident reviewing, asset owners, asset users, external threats, etc.
• Identification of Existing Controls: Also check if the controls are working correctly.
• Identification of Vulnerabilities: Vulnerabilities are shortlisted in organizational processes, IT, personnel, etc.
• Identification of Consequences: The impact of loss of CIA of assets.

2. Risk Estimation
– Specifies the measure of risk.
• Qualitative Estimation
• Quantitative Estimation

Risk Evaluation:
• Compares and prioritizes Risk Level based on Risk Evaluation Criteria and Risk Acceptance Criteria.
ISO 27005 RA Workflow
Step 1: General Description of ISRA → Step 2: Risk Analysis: Risk Identification → Step 3: Risk Analysis: Risk Estimation → Step 4: Risk Evaluation

1. General Description of ISRA
Input: Basic Criteria; Scope and Boundaries; Organization for ISRM.
Action: Identify, Describe (quantitatively or qualitatively) and Prioritize Risks.
Output: Assessed risks prioritized according to Risk Evaluation Criteria.

2. Risk Analysis: Risk Identification
Identification of Assets
Input: Scope and Boundaries; Asset owners; Asset location; Asset function.
Action: Assets are defined.
Output: List of Assets; List of associated business processes.

2. Risk Analysis: Risk Identification
Identification of Threats
Input: Information from review of incidents; Asset users, owners, etc.
Action: Threats are defined.
Output: Threats; Threat source; Threat type.

2. Risk Analysis: Risk Identification
Identification of Existing Controls
Input: Documentation of controls; RTP; Usage status.
Action: Existing and planned controls are defined.
Output: Existing and planned controls; Implementation status.

2. Risk Analysis: Risk Identification
Identification of Vulnerabilities
Input: Identified Assets; Identified Threats; Identified Existing Controls.
Action: Vulnerabilities are identified.
Output: Vulnerabilities related to assets, threats, controls; Vulnerabilities not related to any threat.

2. Risk Analysis: Risk Identification
Identification of Consequences
Input: Assets and business processes; Threats and vulnerabilities.
Action: The impact of the loss of CIA is identified.
Output: Incident scenarios with their consequences related to assets and business processes.
3. Risk Analysis: Risk Estimation
Risk Estimation Methodologies
(a) Qualitative Estimation: High, Medium, Low
(b) Quantitative Estimation: $, hours, etc.
3. Risk Analysis: Risk Estimation
Assessment of Consequences
Input: Assets and business processes; Threats and vulnerabilities; Incident scenarios.
Action: The business impact from information security incidents is assessed.
Output: Assessed consequences of an incident scenario expressed in terms of assets and impact criteria.
3. Risk Analysis: Risk Estimation
Level of Risk Estimation
Input: Incident scenarios with their consequences; Their likelihood (quantitative or qualitative).
Action: Level of risk is estimated for all relevant incident scenarios.
Output: List of risks with value levels assigned.

4. Risk Evaluation
Input: Risks with value levels assigned and risk evaluation criteria.
Action: Level of risk is compared against risk evaluation criteria and risk acceptance criteria.
Output: Risks prioritized according to risk evaluation criteria in relation to the incident scenarios.
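Added example (not from the slides or from SMART‐RA): Step 3 (level of risk estimation) and Step 4 (risk evaluation) carried out in Python over a few constructed incident scenarios. The 3x3 qualitative matrix, the acceptance threshold and the scenario data are illustrative assumptions, not values from ISO 27005.

```python
from dataclasses import dataclass

# Assumed qualitative scale shared by likelihood and consequence (High/Medium/Low, as on the slides).
LEVELS = {"Low": 1, "Medium": 2, "High": 3}

def risk_value(likelihood: str, consequence: str) -> int:
    # Assumed 3x3 matrix: value = likelihood + consequence - 1, ranging 1 (Low/Low) to 5 (High/High).
    return LEVELS[likelihood] + LEVELS[consequence] - 1

def risk_label(value: int) -> str:
    # Map the numeric value back to the High / Medium / Low labels used in the deck.
    return "High" if value >= 4 else "Medium" if value == 3 else "Low"

@dataclass
class IncidentScenario:
    asset: str          # from Identification of Assets
    threat: str         # from Identification of Threats
    vulnerability: str  # from Identification of Vulnerabilities
    likelihood: str     # qualitative likelihood of the scenario
    consequence: str    # qualitative impact of the loss of C/I/A

@dataclass
class EstimatedRisk:
    scenario: IncidentScenario
    value: int
    label: str

def estimate(scenarios):
    """Step 3: estimate a level of risk for every relevant incident scenario."""
    risks = []
    for s in scenarios:
        value = risk_value(s.likelihood, s.consequence)
        risks.append(EstimatedRisk(s, value, risk_label(value)))
    return risks

def evaluate(risks, acceptance_max=2):
    """Step 4: rank by the evaluation criterion (risk value, highest first) and flag each
    risk against the acceptance criterion (value <= acceptance_max is acceptable as-is)."""
    ranked = sorted(risks, key=lambda r: (-r.value, r.scenario.asset))
    return [(r, r.value <= acceptance_max) for r in ranked]

# Constructed sample scenarios; assets, threats and ratings are made up for illustration.
SCENARIOS = [
    IncidentScenario("Cardholder DB", "SQL injection", "Unvalidated input", "High", "High"),
    IncidentScenario("HR file share", "Ransomware", "No offline backup", "Medium", "High"),
    IncidentScenario("Lobby kiosk", "Vandalism", "Unattended device", "Medium", "Low"),
    IncidentScenario("Test VM", "Commodity malware", "Unpatched OS", "Low", "Low"),
]

if __name__ == "__main__":
    for risk, accepted in evaluate(estimate(SCENARIOS)):
        s = risk.scenario
        print(f"{risk.label:6} ({risk.value}) {s.asset}: {s.threat} via {s.vulnerability}"
              f" -> {'accept' if accepted else 'treat'}")
```

The output is the Step 4 output in the deck: the register ordered by risk level, with each entry marked as acceptable or needing treatment.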
Summary
• Keep it Simple and Systematic
• Comprehensive
• Risk sensitive culture in the organization.
• Drive security from a risk management perspective, rather than only a compliance perspective.
• Help RA to help you…
Questions?

Be a Risk Assessment Evangelist!
IS‐RA Forum on LinkedIn
SMART‐RA Forum on LinkedIn

Dharshan Shanthamurthy, E‐mail: dharshan.shanthamurthy@sisa.in
Phone: +91‐99451 22551
