ISO27001 risk treatment : As a security practitioner managing an ISO27001 ISMS, you may face the difficulty of drawing up an annual risk treatment plan, which defines the security activities to be conducted during the next Plan-Do-Check-Act cycle and requires executive management approval.
Here are some of the challenges that you need to address:
A few hints on how to tackle those issues:
Adopt a consistent threat catalogue. Ask yourself the following questions: Does my catalogue provide an exhaustive picture of the information risks faced by my organization? Is my catalogue explicit enough to allow concrete risk mitigation measures to be identified?
The following are real examples I have experienced:
ISDPTool defines six threat categories, each containing a number of subcategories. We believe that this level of abstraction is adequate for interacting with an executive board or an enterprise risk management function, while the list of standard individual threats offers exhaustive coverage of the possible adverse scenarios to be used in detailed risk assessments.
Perform detailed risk assessments of your information systems. Because risk perception is highly subjective, the relevance of your risk treatment plan depends largely on your ability to provide tangible elements as a basis for decision making. Only a detailed analysis of your information systems' security posture will provide such a rationale.
ISDPTool speeds up the detailed risk assessment process, allowing you to identify the existing gaps (in terms of ISO27002 controls) affecting your individual information systems and to obtain an accurate consolidated view of your environment's security posture. Indicators provided include:
These factual elements may be leveraged to determine the most appropriate actions to take to reduce risks to a level acceptable to the organization. Most importantly, analysis of those figures allows priorities to be set for the implementation of missing controls.
Work on a security baseline to reduce the workload incurred by detailed risk assessments. You should strive to increase the maturity of your ISO27002 controls until you are sufficiently confident that they are effective. This will allow you to concentrate on immature and system-specific controls when performing a detailed risk assessment.
ISDPTool provides a consolidated view of the status and effectiveness of the ISO27002 security controls applied to your individual information systems, thus allowing their maturity to be ranked accurately.
The illustration below shows the kind of templates I typically use to document a risk treatment plan.
Now let us have a look at a concrete example, the "Hacme casino" application (watch our video on threat modelling for more information), for which we have conducted a risk assessment for educational purposes.
So far, 59% of the applicable controls have been implemented.
Let us imagine that Hacme casino is ISO27001 certified and we need to define a risk treatment plan. We have several ways to proceed. First, let us have a look at the threat categories status.
We notice that around 55% of the applicable controls for the "Breakdown/malfunction" threat category are implemented. There is probably room for improvement here.
Indeed, if we rank the threats by percentage of controls implemented, the five lowest-ranked items all belong to the "Breakdown/malfunction" category.
Those threats have an impact on the availability criterion. If we look at the critical information assets processed by the application, we note that the availability criterion is set to "medium". Unavailability of the data leads to loss of earnings for the platform and also affects its reputation.
What additional controls could be implemented to reduce risks in the category "Breakdown/malfunction"? To assist in this task, we may look at the non-implemented controls.
Among the non-implemented controls, we can see that 15.2.1 Monitoring and review of supplier services and 15.2.2 Managing changes to supplier services contribute to the mitigation of 17 threats. Those controls do not have a high risk reduction factor, but they are good candidates for the risk treatment plan because of the large number of threats they mitigate. The explanation is that the Hacme casino application is developed by an external company (supplier 1) and hosted in a remote datacentre (supplier 2), both of which constitute possible intentional or accidental threat agents.
Implementing those controls would contribute to the mitigation of some threats belonging to the "Breakdown/malfunction" category.
The same applies to controls from ISO27002 chapter A17 Information Security Continuity, e.g.:
Therefore, it definitely makes sense to include those controls in our risk treatment plan too.
These are examples of the visibility ISDPTool provides into the security status of information systems, which allows contextualised, relevant risk treatment plans to be drawn up.
In our example we consider only one system, but the same indicators could be used to identify possible improvements organization-wide, as ISDPTool aggregates data for all the systems that make up your IT environment.
Do you think that our approach could be beneficial to improve information security management in your organization? Contact us to submit your questions or ask for a test account on ISDPTool!
Our team will get back to you as soon as possible.