The "No Network is 100% Secure" series
- ISO/IEC 27005:2008 -
A New Standard for Security Risk Management
All rights reserved - may not be copied without permission
Easyrider LAN Pro, NOC Design Consultants
ISO/IEC 27005:2008: Organizations of all types are concerned with threats that
could compromise information security. Managing this aspect is usually a primary concern
for information technology (IT) departments. In this context, Information Security Risk
Management should be an integral part of all information security management activities
and should be applied both to the implementation and the ongoing operation of an
Information Security Management System (ISMS). In fact, a systematic approach to
information security risk management is necessary to identify organizational needs
regarding information security requirements and to create an effective ISMS.
ISO/IEC 27005:2008, a new standard from the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), describes the risk management process and its activities for information security, provides guidelines for Information Security Risk Management, and supports the general concepts specified in ISO/IEC 27001:2005. The ISO information security risk management process can be applied to the organization as a whole; to any discrete part of the organization (e.g. a department, a physical location, a service); to any information system; and to any existing, planned or particular aspect of control (e.g. business continuity planning).
The information security risk management process consists of:
Context Establishment: intends to define the risk management's boundary.
Risk Analysis (Risk Identification & Estimation phases): intends to evaluate the risk level.
Risk Assessment (Risk Analysis & Evaluation phases): used to make decisions and take into account the objectives of the organization.
Risk Treatment (Risk Treatment & Risk Acceptance phases): to reduce, retain, avoid or transfer the risks.
Risk Communication: to achieve agreement on how to manage risks by exchanging and/or sharing information about risk between the decision makers and other stakeholders.
Risk Monitoring and Review: to detect any changes in the context of the organization at an early stage, and to maintain an overview of the complete risk picture.
Context Establishment phase: all information about the organization relevant to the information security risk management context is established. This involves setting the basic criteria necessary for information security risk management (risk evaluation criteria, impact criteria, risk acceptance criteria, etc.), defining the scope and boundaries (all relevant assets, business objectives, business processes, strategies and policies, legal and regulatory requirements applicable to the organization, interfaces, etc.) and establishing an appropriate organization operating the information security risk management (roles and responsibilities).
Risk Identification phase: determines the value of the information assets, identifies the applicable threats and vulnerabilities that exist (or could exist), identifies the existing controls and their effect on the risk identified and determines the potential consequences. In particular, Risk Identification consists of the following activities:
Assets Identification (within the established scope): performed at a suitable level of detail that provides sufficient information for the risk assessment. The level of detail used for asset identification influences the overall amount of information collected during the risk assessment. The level can be refined in further iterations of the risk assessment.
Threats Identification: in this activity threats are identified generically and by type (e.g. unauthorized actions, physical damage, and technical failures). Internal experience from incidents and past threat assessments should be considered.
Controls Identification: identification of existing controls and a check to ensure that they are working correctly. Controls that are to be implemented according to the risk treatment implementation plans should be considered in the same way as those already implemented. To identify existing or planned controls, one can review documents containing information about the controls, check with the people responsible for information security and with the users as to which controls are really implemented, conduct an on-site review of the physical controls, and review the results of internal audits.
Vulnerabilities Identification: identification of vulnerabilities that can be exploited by threats to cause harm to assets or to the organization.
Consequences Identification: identification of damage or consequences to the organization that could be caused by an incident scenario. An incident scenario is the description of a threat exploiting a certain vulnerability or set of vulnerabilities in an information security incident. The impact of the incident scenarios is to be determined considering impact criteria defined during the context establishment activity.
Risk Estimation: is the phase for assigning values to the probability and consequences of an identified risk. It consists of the following activities:
Risk Estimation Methodologies: identification of Risk Analysis Methodology. It may be qualitative or quantitative, or a combination of these, depending on the circumstances. Qualitative estimation uses a scale of qualifying attributes to describe the magnitude of potential consequences (e.g. Low, Medium and High) and the likelihood that those consequences will occur. An advantage of qualitative estimation is its ease of understanding by all relevant personnel while a disadvantage is the dependence on subjective choice of the scale. Quantitative estimation uses a scale with numerical values (rather than the descriptive scales used in qualitative estimation) for consequences and likelihood, using data from a variety of sources. The quality of the analysis depends on the accuracy and completeness of the numerical values and the validity of the models used.
Assessment of Consequence: assess the consequences or business impact on the organization that might result from a possible or actual information security incident (taking into account the consequences of a breach of information security such as loss of confidentiality, integrity or availability of the assets). Consequences may be expressed in terms of monetary, technical or human impact criteria, or other criteria relevant to the organization. In some cases, more than one numerical value is required to specify consequences for different times, places, groups or situations. The business impact value can be expressed in qualitative and quantitative forms, but any method of assigning monetary value may generally provide more information for decision making and hence facilitate a more efficient decision making process.
Assessment of Incident Likelihood: assess likelihood of each incident scenario and impact occurring, using qualitative or quantitative estimation techniques. This should take account of how often the threats occur and how easily the vulnerabilities may be exploited.
Level of Risk Estimation: assign values (quantitative or qualitative) to the likelihood and the consequences of a risk. The estimated risk is a combination of the likelihood of an incident scenario and its consequences.
Risk Evaluation phase: the level of risk is compared against the risk evaluation criteria and risk acceptance criteria (defined during the context establishment phase). The risk evaluation criteria used to make decisions should be consistent with the defined external and internal information security risk management context and take into account the objectives of the organization, the importance of the business process or activity supported by a particular asset or set of assets, stakeholder views, etc.
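The following added example (not part of the original white paper or of the ISO standard's text) shows how the Risk Identification, Risk Estimation and Risk Evaluation phases described above can be represented in code: incident scenarios (asset, threat, vulnerability, existing controls) are estimated on a qualitative Low/Medium/High scale through a risk matrix, optionally on a quantitative scale as annual probability times monetary impact, and then compared against acceptance criteria that would have been set during Context Establishment. The three-level scale, the matrix, the expected-loss product and the sample scenarios are all constructed assumptions for illustration; an organization defines its own scales and criteria.

```python
"""Risk estimation and evaluation against acceptance criteria.

Added example. LEVELS, RISK_MATRIX, the expected-loss formula and the
sample scenarios are constructed for illustration, not taken from the
standard.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed qualitative scale, ordered from least to most severe.
LEVELS = ("Low", "Medium", "High")

# Constructed risk matrix: RISK_MATRIX[likelihood][consequence] -> risk level.
RISK_MATRIX = {
    "Low":    {"Low": "Low",    "Medium": "Low",    "High": "Medium"},
    "Medium": {"Low": "Low",    "Medium": "Medium", "High": "High"},
    "High":   {"Low": "Medium", "Medium": "High",   "High": "High"},
}


@dataclass
class IncidentScenario:
    """A threat exploiting a vulnerability against an asset (Risk Identification)."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str          # qualitative estimate, one of LEVELS
    consequence: str         # qualitative estimate, one of LEVELS
    existing_controls: List[str] = field(default_factory=list)
    annual_probability: Optional[float] = None   # quantitative likelihood
    monetary_impact: Optional[float] = None      # quantitative consequence


def qualitative_risk(likelihood: str, consequence: str) -> str:
    """Combine two ordinal estimates into a risk level via the matrix."""
    if likelihood not in LEVELS or consequence not in LEVELS:
        raise ValueError(f"estimates must be one of {LEVELS}")
    return RISK_MATRIX[likelihood][consequence]


def quantitative_risk(annual_probability: float, monetary_impact: float) -> float:
    """Expected annual loss (assumed model: probability times impact)."""
    if not 0.0 <= annual_probability <= 1.0:
        raise ValueError("annual_probability must be in [0, 1]")
    if monetary_impact < 0:
        raise ValueError("monetary_impact must be non-negative")
    return annual_probability * monetary_impact


def evaluate(scenario: IncidentScenario, accept_level: str = "Low",
             accept_annual_loss: Optional[float] = None) -> dict:
    """Risk Evaluation: compare the estimated risk with the acceptance criteria.

    A scenario requires treatment if its qualitative level exceeds accept_level,
    or if its expected annual loss exceeds accept_annual_loss (when both the
    quantitative estimate and that threshold are available).
    """
    level = qualitative_risk(scenario.likelihood, scenario.consequence)
    exceeds = LEVELS.index(level) > LEVELS.index(accept_level)
    expected_loss = None
    if scenario.annual_probability is not None and scenario.monetary_impact is not None:
        expected_loss = quantitative_risk(scenario.annual_probability, scenario.monetary_impact)
        if accept_annual_loss is not None and expected_loss > accept_annual_loss:
            exceeds = True
    return {"level": level, "expected_annual_loss": expected_loss,
            "treatment_required": exceeds}


def build_register(scenarios: List[IncidentScenario], **criteria) -> List[dict]:
    """Evaluate every scenario and order the register highest risk first."""
    rows = []
    for s in scenarios:
        row = {"asset": s.asset, "threat": s.threat, "controls": list(s.existing_controls)}
        row.update(evaluate(s, **criteria))
        rows.append(row)
    rows.sort(key=lambda r: (LEVELS.index(r["level"]), r["expected_annual_loss"] or 0.0),
              reverse=True)
    return rows


# Constructed sample scenarios, not real assessment data.
SAMPLE_SCENARIOS = [
    IncidentScenario("customer database", "unauthorized access", "unpatched DB server",
                     "Medium", "High", ["network firewall"], 0.2, 500_000.0),
    IncidentScenario("office printer", "physical damage", "no surge protection",
                     "Low", "Low", [], 0.5, 800.0),
    IncidentScenario("web frontend", "technical failure", "single disk, no backup",
                     "High", "Medium", ["uptime monitoring"]),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_SCENARIOS, accept_level="Low", accept_annual_loss=10_000.0):
        print(row)
```

The third sample scenario has no quantitative estimate, so it is evaluated on the qualitative scale alone; mixing the two forms within one register is what the text above means when it says estimation may be qualitative, quantitative or a combination.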
About the Author
Frank Saxton is a computer network security engineer and Easyrider LAN Pro principal. Home-based in Portland, Oregon, Frank has been designing remote diagnostic and network enterprise monitoring centers since the late 1970s. Prior to becoming a professional systems engineering consultant in 1990, Frank had a 20 year career in computer systems field engineering and field engineering management. Frank has a BSEE from Northeastern University and holds several certifications including Network General's Certified Network Expert (CNX). As a NOC design engineer and architect, Frank works regularly with enterprise-class monitoring tools such as HP Openview Operations, BMC Patrol and others. In his enterprise security audit work, Frank uses sniffers and other professional grade monitoring tools on a daily basis.
Last modified March 25, 2009
Copyright 1990-2009 Easyrider LAN Pro