ISO/IEC 27005

ISO/IEC 27005, part of a growing family of ISO/IEC ISMS standards, the 'ISO/IEC 27000 series', is an information security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). 

The purpose of ISO/IEC 27005 is to provide guidelines for information security risk management. It supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach. It does not specify, recommend or even name any specific risk analysis method, although it does specify a structured, systematic and rigorous process from analyzing risks to creating the risk treatment plan.

At around 60 pages, ISO/IEC 27005 is a heavyweight standard, although the main part is just 24 pages, the rest being mostly annexes with examples and further information for users. There is quite a lot of meat on the bones, reflecting the complexities in this area.
Although the standard defines risk as “a combination of the consequences that would follow from the occurrence of an unwanted event and the likelihood of the occurrence of the event”, the risk analysis process outlined in the standard indicates the need to identify information assets at risk, the potential threats or threat sources, the potential vulnerabilities and the potential consequences (impacts) if risks materialize.  Examples of threats, vulnerabilities and impacts are tabulated in the annexes; although incomplete, these may prove useful for brainstorming risks relating to information assets under evaluation.  It is clearly implied that automated system security vulnerability assessment tools are insufficient for risk analysis without taking into account other vulnerabilities plus the threats and impacts: merely having certain vulnerabilities does not necessarily mean your organization faces unacceptable risks if the corresponding threats or business impacts are negligible in your particular situation.
The standard includes a section and an annex on defining the scope and boundaries of information security risk management, which should, I guess, be no less than the scope of the ISMS. The standard doesn't specify, recommend or even name any specific method (such as those listed in the ISO27k FAQ), although it does specify a structured, systematic and rigorous method of analyzing risks through to creating the risk treatment plan.
The standard deliberately remains agnostic about quantitative and qualitative risk assessment methods, essentially recommending that users choose whatever methods suit them best, and noting that they are both methods of estimating, not defining, risks. Note the plural, 'methods': the implication is that different methods might be used for, say, a high-level risk assessment followed by more in-depth risk analysis on the high risk areas. The pros and cons of quantitative vs qualitative methods do get a mention, although the use of numeric scales for the qualitative examples is somewhat confusing.
The steps in the process are (mostly) defined to the level of inputs -> actions -> outputs, with additional “implementation guidance” in a similar style to ISO/IEC 27002. The standard incorporates some iterative elements, e.g. if the results of an assessment are unsatisfactory, you loop back to the inputs and have another run through. For those of us who think in pictures, there are useful figures giving an overview of the whole process and more detail on the risk assessment -> risk treatment -> residual risk part.
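The asset -> threat -> vulnerability -> impact estimation, the acceptance decision and the loop back described above, as an added example in Python (not code from the page or from the standard; the 0..2 and 0..4 scales, the additive formula, the acceptance threshold of 5 and the register entries are all assumptions made for illustration).

```python
# Added example, not from the page or from ISO/IEC 27005 itself. Scales and the
# additive formula are assumptions in the spirit of the standard's annex
# examples, not its own tables; the register entries are constructed.
from dataclasses import dataclass, replace

LEVEL = {"low": 0, "medium": 1, "high": 2}  # qualitative -> numeric (assumed)

@dataclass(frozen=True)
class Scenario:
    asset: str
    threat: str
    vulnerability: str
    threat_likelihood: str     # low / medium / high
    ease_of_exploitation: str  # low / medium / high
    impact: int                # business consequence, 0 (negligible) .. 4

def estimate(s: Scenario) -> int:
    """Risk level 0..8 = likelihood (threat + ease, 0..4) + impact (0..4).
    A vulnerability alone scores little unless a threat and an impact go with it."""
    return LEVEL[s.threat_likelihood] + LEVEL[s.ease_of_exploitation] + s.impact

def treat(register, threshold=5):
    """One assessment pass: at or above the acceptance threshold the scenario
    needs a treatment plan, below it may be accepted."""
    needs = [s for s in register if estimate(s) >= threshold]
    return needs, [s for s in register if s not in needs]

def residual(s: Scenario, new_ease: str) -> int:
    """Re-estimate after a control that lowers ease of exploitation; if still
    unacceptable, the standard's loop back to the inputs runs again."""
    return estimate(replace(s, ease_of_exploitation=new_ease))

# Constructed register: one vulnerability on two assets with different threat
# exposure and business impact, plus an unrelated insider scenario.
REGISTER = [
    Scenario("public web server", "opportunistic internet scanning",
             "outdated TLS library", "high", "high", 4),
    Scenario("lobby brochure kiosk", "opportunistic internet scanning",
             "outdated TLS library", "low", "high", 0),
    Scenario("HR database", "insider misuse", "excessive access rights",
             "medium", "medium", 3),
]

if __name__ == "__main__":
    needs, accepted = treat(REGISTER)
    for s in needs:
        print(f"treat:  {s.asset:20} risk={estimate(s)} residual={residual(s, 'low')}")
    for s in accepted:
        print(f"accept: {s.asset:20} risk={estimate(s)}")
```

The kiosk carries the same vulnerability as the web server but, with a negligible threat and impact, scores low enough to accept; the web server stays above the threshold even after the control, which is the loop-back case.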
Managing and measuring risk with ISO 27005

The process of managing information security risk includes many overlapping and poorly differentiated steps (or clauses, to use ISO-speak):
  • Context establishment
  • Risk assessment
  • Risk treatment
  • Risk acceptance
  • Risk communication
  • Risk monitoring and review
What, for example, is the context of risk management if not the sum of all the other steps? Does not communication of risk include monitoring and reviewing? The most aggressively confusing section of ISO 27005 is the one on risk assessment, which includes risk analysis and risk evaluation. Risk analysis in turn is made up of risk identification and risk estimation. Some (but not all) of these terms are defined in the glossary, but in so arbitrary a manner that a perfectly valid alternative approach could use the same terms in a different way or use different terms altogether and still achieve the same objective: managing risk.

Missing from ISO 27005: Risk estimation

What does not appear in the standard is the measurement of risk. It is axiomatic that what cannot be measured cannot be managed. The omission of risk measurement from the standard is significant enough that, whether mentioned or not, it must be performed by anyone seriously attempting to manage risk. Measurement is addressed indirectly by risk estimation, in the same sense that all estimates are measurements of a sort, but not vice versa: "About a foot" is not the same as "12 1/2 inches," as anyone who has ever had to cut window glass can testify.

ISO/IEC 27005 doesn’t really add anything remarkable or special that we don’t already have in place in any number of other documents and standards. It would seem that its only demonstrable use is for the purposes of auditing compliance to the standard. And I have to think that this is really what this document is all about: something more to serve the ISMS and the cottage industry that surrounds it. And that’s a shame, because the field of risk management could really use someone like the ISO putting forth a significant and good effort.
