
Information Security Management System (ISMS)
ISO27001 Risk Assessment Approach
March 2012
Security Risk Assessment Overview

Process steps: Identify & value assets → Identify threats → Identify vulnerabilities → Assess inherent risk → Identify controls → Determine residual risk → Feed into risk treatment plan
The first step in risk assessment is the identification of all
information assets in the organisation - i.e. of all assets which may
affect the security of information in the organisation.
A value is assigned to each asset in terms of the worst-case impact
the loss of confidentiality, integrity or availability of the asset may
have on the organisation. This acts as an asset prioritisation
mechanism, with only higher-value assets being taken through to
the next stage.
The next step is to identify all threats and vulnerabilities associated
with the higher-value assets identified. Every asset may be
associated with several threats, and every threat may be associated
with several vulnerabilities.
The probability of threats exploiting the vulnerabilities is then
assessed, along with the impact should this occur, based on the
assumption that no controls are in place. From this assessment, a
pre-control (or inherent) risk score is calculated. Risk with a
medium to high score is then taken on to the next step.
Existing controls or mitigating factors which reduce the impact or
probability of each risk are identified, and the impact and probability
scores are reassessed to reflect the effect of these controls.
Risks with scores above the acceptable risk threshold are then
raised on the Information Security risk register, where mitigating
actions are tracked by the Information Security team, and
reported and escalated.


Asset identification

Assets are defined as anything which may affect the confidentiality, integrity and availability of information in the organisation.

Information, e.g. Human resources data, Financial data, Marketing data, Employee passwords, Source code, System documentation, Intellectual property, Data for regulatory requirements, Strategic plans, Employee business contact data, Employee personal contact data, Purchase order data, Network infrastructure design, Internal Web sites

Technology, e.g. Servers, Desktop computers, Laptops, Tablets, Smart phones, Server application software, End-user application software, Development tools, Routers, Network switches, PBXs, Removable media, Power supplies, Uninterruptible power supplies

Services, e.g. E-mail/scheduling, Instant messaging, Active Directory directory service, Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), Enterprise management tools, File sharing, Storage, Dial-up remote access, Telephony, Virtual Private Networking (VPN) access, Collaboration services (for example, Microsoft SharePoint)

People, e.g. Subject matter experts, administrators, developers, third party support, end-users
Asset Valuation

The asset is valued in terms of the impact of total loss of the asset in terms of confidentiality, integrity or availability. Each asset will be given a High, Medium or Low rating as its value. Assets considered High and Medium will be

Asset value   Consequence of loss of confidentiality, integrity or availability
High          Loss of confidentiality, availability or integrity has considerable and immediate impact on the organisation's cash flow, operations, legal or contractual obligations, or its reputation.
Medium        Loss of confidentiality, availability or integrity incurs additional costs and has a low or moderate impact on legal or contractual obligations, or the organisation's reputation.
Low           Loss of confidentiality, availability or integrity does not affect the organisation's cash flow, operations, legal or contractual obligations, or its reputation.
Identify Threats

For each asset, what can impact its confidentiality, integrity, or availability?

Catastrophic incidents, e.g. Fire, Flood, Earthquake, Severe storm, Terrorist attack, Civil unrest/riots, Landslide, Industrial accident

Mechanical failure, e.g. Power outage, Hardware failure, Network outage, Environmental controls failure, Construction accident

Non-malicious person, e.g. Uninformed employee, Uninformed user

Malicious person, e.g. Hacker/cracker, Computer criminal, Industrial espionage, Government sponsored espionage, Social engineering, Disgruntled current employee, Disgruntled former employee, Terrorist, Negligent employee, Dishonest employee (bribed or victim of blackmail), Malicious mobile code
Identify Vulnerabilities

For each asset, are there vulnerabilities that can be exploited by the threat?

Physical, e.g. Unlocked doors, Unlocked windows, Walls susceptible to physical assault, Interior walls that do not completely seal the room at both the ceiling and floor

Hardware, e.g. Missing patches, Outdated firmware, Misconfigured systems, Systems not physically secured, Management protocols allowed over public interfaces

Software, e.g. Out of date antivirus software, Missing patches, Poorly written applications, Deliberately placed weaknesses, Configuration errors

Communications, e.g. Unencrypted network protocols, Connections to multiple networks, Unnecessary protocols allowed, No filtering between network segments

Human, e.g. Poorly defined procedures, Stolen credentials
Determine Risk Probability

For each asset/threat/vulnerability combination, determine the probability of the specific risk materialising:

Probability   Guidance
Certain       History of regular occurrence. The event will occur (recur). No special skills or determination required; information asset easily available.
Likely        The event will occur (recur) in most circumstances.
Possible      Has occurred in the past. The event may well occur (recur) at some time. No special skills required except for time and determination.
Unlikely      The event could occur (recur) at some time.
Rare          No history of occurrence. The event may only happen in exceptional circumstances. High level of technical or social engineering skill and determination required.
Determine Risk Impact

For each asset/threat/vulnerability combination, consider the business impact should the risk materialise (the characteristics below are to be determined per organisation):

Business impact rating   Characteristics
Catastrophic    For example: Service disruption / failure > 1 week; Direct financial loss > 50% PBT (profit before tax) / > 10% fall in share price; Business/reputation impact e.g. legal action (including custodial sentence) / extensive external media attention / failure to achieve 1 or more corporate objectives
Major           For example: Service disruption / failure 1-5 days; Direct financial loss 15-50% PBT; Health & safety incident e.g. fatality / permanent disability; Business/reputation impact e.g. legal action / national attention from media or regulators
Moderate        For example: Service disruption / failure 1 day; Direct financial loss 5-15% PBT; Health & safety incident e.g. fractures / time off; Business/reputation impact e.g. legal action / local media or regulatory attention
Minor           For example: Service disruption < 1 day; Direct financial loss < 5% PBT; Health & safety incident e.g. cuts / bruises; Business/reputation impact e.g. complaint or legal action
Insignificant   For example: Service disruption none / minor; Direct financial loss negligible; Health & safety incident none / very minor; Business/reputation impact: systems could be improved
Assess inherent risk

The inherent risk score is calculated based on the likelihood and impact values selected in the previous section (to be determined per organisation). The asset value decides which matrix applies: the High-value matrix is the product of the impact rating (1-5) and the likelihood rating (1-5), while the Medium-value matrix assigns lower scores to the same combinations.

High asset value (rows: impact; columns: likelihood)

                 Rare  Unlikely  Possible  Likely  Certain
Insignificant       1         2         3       4        5
Minor               2         4         6       8       10
Moderate            3         6         9      12       15
Major               4         8        12      16       20
Catastrophic        5        10        15      20       25

Medium asset value (rows: impact; columns: likelihood)

                 Rare  Unlikely  Possible  Likely  Certain
Insignificant       1         2         2       3        4
Minor               2         3         5       6        8
Moderate            2         5         7       9       11
Major               3         6         9      12       15
Catastrophic        4         8        11      15       19
Identify controls

For each risk with a significant risk rating, identify the existing controls and mitigating factors that reduce the likelihood and impact ratings.

Control examples (from ISO27001 Annex A):

Physical security controls, e.g. Secure areas, Equipment security

IT operations management controls, e.g. Network security management, Data backup, Media handling, Anti-malware, Vulnerability management, Auditing/monitoring

Access controls, e.g. access management, O/S access controls, application access controls, network access controls, remote access controls

Secure development controls, e.g. security requirements, data integrity controls, security design, security testing

Business continuity planning

Employee security controls, e.g. Joiners screening, Terms & Conditions, security training, disciplinary procedures, leavers access termination, return of assets
Determine post control risk

Taking into account the effect of the controls and mitigating factors identified, reassess the probability and impact scores to determine the post-control (residual) risk score. In all likelihood, a number of risks will now score below the significant risk threshold.

Where risks still score above the significant risk threshold, they will be raised on the Information Security risk register, which will be created as part of the Group IT ISMS implementation.

Risk treatment plans will then be recorded and tracked as part of the Information Security risk management process.
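The scoring and post-control steps above, worked through in code. This is an added illustration and not part of the original deck: it encodes the two inherent-risk matrices from the "Assess inherent risk" slide, re-rates likelihood and impact after controls are recorded, and decides which risks reach the risk register. The register threshold (10), the two sample risks, the step reductions attributed to each control, and every function name are assumptions made for the example; the deck leaves the threshold and the effect of individual controls to be determined per organisation.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Rating scales exactly as the deck uses them, lowest to highest.
LIKELIHOOD = ["Rare", "Unlikely", "Possible", "Likely", "Certain"]
IMPACT = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic"]

# Inherent-risk matrices copied from the deck: rows follow IMPACT, columns
# follow LIKELIHOOD. The High-value table is impact (1-5) x likelihood (1-5);
# the Medium-value table is a dampened set of values rather than a formula,
# so it is stored verbatim. Low-value assets are filtered out before scoring.
MATRIX = {
    "High": [
        [1, 2, 3, 4, 5],
        [2, 4, 6, 8, 10],
        [3, 6, 9, 12, 15],
        [4, 8, 12, 16, 20],
        [5, 10, 15, 20, 25],
    ],
    "Medium": [
        [1, 2, 2, 3, 4],
        [2, 3, 5, 6, 8],
        [2, 5, 7, 9, 11],
        [3, 6, 9, 12, 15],
        [4, 8, 11, 15, 19],
    ],
}

# Assumed value: the deck says the acceptable-risk threshold is set per
# organisation. Residual scores at or above this go on the risk register.
REGISTER_THRESHOLD = 10


def score(asset_value: str, likelihood: str, impact: str) -> int:
    """Look up the score for one asset/threat/vulnerability combination."""
    if asset_value not in MATRIX:
        # Only High and Medium assets are taken through to scoring; refuse
        # loudly rather than silently returning 0 for a Low-value asset.
        raise ValueError(f"only High/Medium assets are scored, got {asset_value!r}")
    return MATRIX[asset_value][IMPACT.index(impact)][LIKELIHOOD.index(likelihood)]


def lower(rating: str, scale: List[str], steps: int) -> str:
    """Move a rating down the scale by `steps`, never below the lowest value."""
    return scale[max(0, scale.index(rating) - steps)]


@dataclass
class Risk:
    asset: str
    asset_value: str            # "High" or "Medium" from the asset valuation step
    threat: str
    vulnerability: str
    likelihood: str             # rated with no controls in place
    impact: str
    controls: List[str] = field(default_factory=list)
    residual_likelihood: Optional[str] = None   # re-rated after controls
    residual_impact: Optional[str] = None

    def inherent(self) -> int:
        return score(self.asset_value, self.likelihood, self.impact)

    def residual(self) -> int:
        return score(self.asset_value,
                     self.residual_likelihood or self.likelihood,
                     self.residual_impact or self.impact)

    def apply_controls(self, controls: List[str],
                       likelihood_steps: int = 0, impact_steps: int = 0) -> "Risk":
        """Record existing controls and re-rate by the stated number of steps.

        How many steps a control is worth is the assessor's judgement; the
        numbers used in sample_register() are constructed for illustration.
        """
        self.controls.extend(controls)
        self.residual_likelihood = lower(self.likelihood, LIKELIHOOD, likelihood_steps)
        self.residual_impact = lower(self.impact, IMPACT, impact_steps)
        return self

    def on_register(self, threshold: int = REGISTER_THRESHOLD) -> bool:
        return self.residual() >= threshold


def sample_register():
    """Two constructed risks run through the whole process; returns
    (asset, inherent score, residual score, goes on register) per risk."""
    hr = Risk("HR database", "High", "Dishonest employee", "Stolen credentials",
              "Possible", "Major")
    web = Risk("Internal web site", "Medium", "Hacker, cracker", "Missing patches",
               "Likely", "Catastrophic")
    hr.apply_controls(["Access management", "Auditing/monitoring"], likelihood_steps=1)
    web.apply_controls(["Vulnerability management"], likelihood_steps=1)
    return [(r.asset, r.inherent(), r.residual(), r.on_register()) for r in (hr, web)]


if __name__ == "__main__":
    for asset, inherent, residual, register in sample_register():
        print(f"{asset}: inherent {inherent}, residual {residual}, "
              f"{'on register' if register else 'below threshold'}")
```

Note that a one-step likelihood reduction takes the High-value HR risk from 12 to 8 (below the assumed threshold) but leaves the Medium-value web risk at 11, still on the register: the matrix, not just the rating change, determines whether a control is enough, which is why the deck has you re-score rather than subtract a fixed amount.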
