
How ISDPTool helps you define your ISO27001 risk treatment plan

  • Stéphane Adamiste
  • 17 Oct 2020

As a security practitioner managing an ISO27001 ISMS, you may be confronted with the difficulty of drawing up an annual risk treatment plan, which defines the security activities to be conducted during the next Plan-Do-Check-Act cycle and requires executive management approval.

Here are some of the challenges that you need to address:

  • Adopt the right level of detail for the plan. Because information security management necessarily takes a holistic approach, your risk treatment plan is likely to cover many risks, and each risk is likely to be addressed by even more mitigating security measures. A too simplistic approach will miss some key elements, while a too detailed view leads to incomprehensible and unmanageable action plans.
  • Ensure that the plan contains the most relevant security measures for the organization. This implies being able to obtain, in the first place, an accurate picture of the actual vulnerabilities affecting the information assets processed by the organization.
  • Be able to prioritize the actions composing the risk treatment plan, as organizations have limited resources to dedicate to information security management.

A few hints on how to tackle those issues:

Adopt a consistent threat catalogue. Ask yourself the following questions: Does my catalogue provide an exhaustive picture of the information risks faced by my organization? Is my catalogue explicit enough to allow the identification of concrete risk mitigation measures?

The following are real examples I have experienced:

  • Once, during a workshop, one of the participants proposed “Lack of security resources” as a risk. (Isn’t it rather a vulnerability?). In my view, such an entry into a threat catalogue is problematic, as the logical countermeasure, “Hire information security personnel” is far too vague, i.e. you will not be able to demonstrate concretely how this measure has an impact on information security.
  • “Damage to company image” is another item I regularly come across, which I do not find specific enough. What mitigation measures is the organization concerned supposed to take to mitigate the risk? (Isn’t it rather a risk impact category, by the way?) In this case, it would be appropriate to identify the possible threat scenarios likely to lead to a damaged image, and work on those.

The choice that has been made in ISDPTool is to define 6 threat categories, each of them containing a number of subcategories. We believe that this level of abstraction is adequate for interacting with an executive board or an enterprise risk management function, while the list of standard individual threats offers exhaustive coverage of the possible adverse scenarios to be used in detailed risk assessments.

Perform detailed risk assessments of your information systems. Risk perception being highly subjective, the relevance of your risk treatment plan highly depends on your ability to provide tangible elements as a basis for decision making. Only detailed analysis of your information systems’ security posture will provide you with such rationales.

ISDPTool speeds up the detailed risk assessment process and allows you to identify the existing gaps (in terms of ISO27002 controls) affecting your individual information systems and to obtain an accurate consolidated view of your environment’s security posture. Indicators provided include:

  • For each threat, the number of applicable controls implemented and not implemented
  • The number of threats affected by non-implemented controls
  • The percentage of implemented applicable controls by threat
  • The percentage of implemented controls likely to protect your critical information against confidentiality, integrity and availability breaches

These factual elements may be leveraged to determine the most appropriate actions to take to reduce risks to a level acceptable for the organization. Most importantly, analysis of those figures makes it possible to set priorities for the implementation of missing controls.

Work on a security baseline to reduce the workload incurred by detailed risk assessments. You should strive to increase the maturity of your ISO27002 controls until you get sufficient confidence that they are effective. This will allow you to concentrate on immature and specific controls when performing a detailed risk assessment.

ISDPTool provides a consolidated view of the status and effectiveness of the ISO27002 security controls applied to your individual information systems, making it possible to rank their maturity accurately.

The illustration below shows the kind of templates I typically use to document a risk treatment plan.

[Illustration: risk treatment plan template]

Now let us have a look at a concrete example, the "Hacme casino" application (watch our video on threat modelling for more information), for which we have conducted a risk assessment for educational purposes.

So far, 59% of the applicable controls have been implemented.

[Figure: overall implementation status of applicable controls for Hacme casino]

Let us imagine that Hacme casino is ISO27001 certified and we need to define a risk treatment plan. We have several ways to proceed. First, let us have a look at the threat categories status.

[Figure: threat categories status]

We notice that around 55% of the applicable controls for the "Breakdown/malfunction" threat category are implemented. There is probably room for improvement here.

Indeed, if we compare the threats by percentage of controls implemented, the last 5 items belong to the "Breakdown/malfunction" category.

Ranking of applicable threats by percentage of control implementation

Those threats have an impact on the availability criterion. If we look at the critical information assets processed by the application, we note that the availability criterion is set to "medium". Unavailability of the data leads to loss of earnings for the platform, and also affects its reputation.

Security requirements for the data processed by the Hacme casino application

What additional controls could be implemented to reduce risks in the category "Breakdown/malfunction"? To assist in this task, we may look at the non-implemented controls.

Non-implemented controls ranked by number of threats they mitigate

Among the non-implemented controls, we can see that 15.2.1 Monitoring and review of supplier services and 15.2.2 Managing changes to supplier services contribute to the mitigation of 17 threats. Those controls do not have a high risk reduction factor, but they are good candidates for the risk treatment plan because of the large number of threats they mitigate. The explanation is that the Hacme casino application is developed by an external company (supplier 1) and hosted in a remote datacentre (supplier 2), both of which constitute possible intentional or accidental threat agents.
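To make the indicators listed earlier (implemented and non-implemented applicable controls per threat, threats affected by gaps, percentage by threat and by confidentiality/integrity/availability criterion) and the ranking of non-implemented controls by number of threats mitigated concrete, here is an added example in Python. It is not ISDPTool's code or data model: the threats, the threat categories other than "Breakdown/malfunction", the implementation flags and the control-to-threat applicability matrix are constructed for the example. The control identifiers are ISO/IEC 27002:2013 clause numbers (15.2.1, 15.2.2 and 17.1.1 are the ones discussed in this post). The category-level percentage is computed over the distinct controls applicable to at least one threat of the category; that definition is an assumption, as the post does not spell it out.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data for a single information system. Control ids are
# ISO/IEC 27002:2013 clause numbers; implementation status, threats, categories
# and the applicability matrix below are made up for this example.

@dataclass(frozen=True)
class Control:
    cid: str
    title: str
    implemented: bool

@dataclass(frozen=True)
class Threat:
    tid: str
    name: str
    category: str
    impacts: frozenset  # subset of {"C", "I", "A"}

CONTROLS = {c.cid: c for c in [
    Control("12.3.1", "Information backup", True),
    Control("12.1.3", "Capacity management", False),
    Control("15.2.1", "Monitoring and review of supplier services", False),
    Control("15.2.2", "Managing changes to supplier services", False),
    Control("17.1.1", "Planning information security continuity", False),
    Control("9.4.2", "Secure log-on procedures", True),
    Control("13.1.1", "Network controls", True),
]}

THREATS = {t.tid: t for t in [
    Threat("T1", "Hosting datacentre outage", "Breakdown/malfunction", frozenset({"A"})),
    Threat("T2", "Database storage exhaustion", "Breakdown/malfunction", frozenset({"A"})),
    Threat("T3", "Faulty software release by supplier", "Breakdown/malfunction", frozenset({"I", "A"})),
    Threat("T4", "Credential theft", "Unauthorised access", frozenset({"C", "I"})),
    Threat("T5", "Network eavesdropping", "Unauthorised access", frozenset({"C"})),
]}

# Applicability matrix (constructed): the threats each control mitigates.
MITIGATES = {
    "12.3.1": {"T1", "T2", "T3"},
    "12.1.3": {"T2"},
    "15.2.1": {"T1", "T3"},
    "15.2.2": {"T3"},
    "17.1.1": {"T1", "T2", "T3"},
    "9.4.2": {"T4"},
    "13.1.1": {"T4", "T5"},
}

def pct_implemented(cids):
    """Percentage of the given control set that is implemented (None if empty)."""
    cids = set(cids)
    if not cids:
        return None
    return round(100 * sum(CONTROLS[c].implemented for c in cids) / len(cids), 1)

def controls_for_threat(tid):
    """Applicable controls for one threat: every control whose matrix row lists it."""
    return sorted(cid for cid, tids in MITIGATES.items() if tid in tids)

def threat_status(tid):
    """Indicators 1 and 3: implemented / not implemented applicable controls and percentage."""
    cids = controls_for_threat(tid)
    done = sum(CONTROLS[c].implemented for c in cids)
    return {"implemented": done, "not_implemented": len(cids) - done, "pct": pct_implemented(cids)}

def threats_with_gaps():
    """Indicator 2: threats with at least one applicable control not implemented."""
    return sorted(t for t in THREATS if threat_status(t)["not_implemented"] > 0)

def category_status():
    """Per threat category: percentage of distinct applicable controls implemented (assumed definition)."""
    by_cat = defaultdict(set)
    for cid, tids in MITIGATES.items():
        for tid in tids:
            by_cat[THREATS[tid].category].add(cid)
    return {cat: pct_implemented(cids) for cat, cids in by_cat.items()}

def cia_status():
    """Indicator 4: percentage of implemented controls protecting against C, I and A breaches."""
    by_crit = defaultdict(set)
    for cid, tids in MITIGATES.items():
        for tid in tids:
            for crit in THREATS[tid].impacts:
                by_crit[crit].add(cid)
    return {crit: pct_implemented(by_crit[crit]) for crit in "CIA"}

def rank_threats():
    """Threats ordered from lowest to highest percentage of controls implemented."""
    def key(tid):
        pct = threat_status(tid)["pct"]
        return (-1.0 if pct is None else pct, tid)
    return sorted(THREATS, key=key)

def rank_missing_controls():
    """Non-implemented controls ranked by number of threats they mitigate (ties by id)."""
    missing = [(cid, len(tids)) for cid, tids in MITIGATES.items() if not CONTROLS[cid].implemented]
    return sorted(missing, key=lambda item: (-item[1], item[0]))

if __name__ == "__main__":
    for tid in rank_threats():
        print(tid, THREATS[tid].name, threat_status(tid))
    print("threats with gaps:", threats_with_gaps())
    print("by category:", category_status())
    print("by criterion:", cia_status())
    print("missing controls ranked:", rank_missing_controls())
```

On this constructed data, the three "Breakdown/malfunction" threats come out at the bottom of the threat ranking and 17.1.1 tops the list of missing controls, which mirrors the reasoning in the post: the control that closes gaps for the most threats in the weakest category is the natural first entry in the plan.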

Implementing those controls would contribute to the mitigation of some threats belonging to the "Breakdown/malfunction" category.

[Figure: "Breakdown/malfunction" threats mitigated by controls 15.2.1 and 15.2.2]

The same applies for controls from ISO27002 chapter A17 Information Security Continuity, e.g.:

ISO27002 17.1.1 control details

Therefore, it definitely makes sense to include those controls in our risk treatment plan too.

These are examples of the visibility ISDPTool provides into the security status of information systems, which makes it possible to elaborate contextualised, relevant risk treatment plans.

In our example, we consider only one system, but the same indicators could be used to identify possible improvements organization-wide, as ISDPTool aggregates data for all the systems composing your IT environment.

Do you think that our approach could be beneficial to improve information security management in your organization? Contact us to submit your questions or ask for a test account on ISDPTool!
