Risk

At its essence, risk in information security refers to the potential for loss or damage when threats exploit vulnerabilities. However, this simple definition belies the complexity and nuance of risk management. To truly understand risk, one must grasp its three fundamental components:

  1. Threats: Any circumstance or event with the potential to cause harm to an information system. Threats can be intentional, such as a hacker attack, or accidental, like a natural disaster or a system malfunction.

  2. Vulnerabilities: Weaknesses in an information system that can be exploited by threats to gain unauthorized access or cause harm. These can range from software bugs and insecure system configurations to human factors like lack of awareness or negligence.

  3. Impact: The extent of damage or loss that can be expected if a threat successfully exploits a vulnerability. This can include financial losses, damage to an organization’s reputation, legal liabilities, and more.

Risk Management

Risk management is important in information security: Why?

Risk management is a commonly used phrase in business today, but without a consistent understanding of what it means and how to do it effectively, it can itself create risk. Information security risk management and cybersecurity risk management are derivatives of this broader concept. As these areas continue to grow in importance for organizations, it is important to demystify them and understand how to approach them at a practical and actionable level.

In particular, this article will focus on how to do risk management for the ISO 27001 standard and achieving compliance with the risk-focused aspects of the General Data Protection Regulation (EU GDPR). ISO 27001 is an international standard that provides a framework for managing information security risks, and achieving compliance with it can demonstrate an organization's commitment to protecting sensitive information. Similarly, the EU GDPR requires organizations to implement appropriate technical and organizational measures to protect personal data and to demonstrate compliance with those measures. By understanding the risk management requirements of these standards and implementing them effectively, organizations can better protect sensitive information and avoid potential penalties for non-compliance.

What is information security risk management?

Unsurprisingly, risk management means different things to different people. To understand it better, it is important to go back to the basics of risk management and build from there.

ISO 31000:2018 is a recently updated version of the International Standards Organisation (ISO) standard for risk management. It defines risk as "the effect of uncertainty on objectives." Therefore, risk management is about decision-making and taking actions to address uncertain outcomes and controlling how risks might impact the achievement of business goals.

The standard provides a framework for organizations to identify, assess, and prioritize risks and to implement measures to mitigate or manage those risks. It also includes the governance, communication and review of the risk management process. This helps organizations to make informed decisions, allocate resources effectively and improve their overall performance.

Risk management is an ongoing process that helps organizations to identify and manage potential threats, opportunities, and uncertainties that could impact their operations and objectives. By understanding and managing risks, organizations can improve their ability to achieve their goals and to operate more efficiently and effectively.

Why risk management is important in information security

Information security risk management (ISRM) is the process of identifying, evaluating, and treating risks to an organization's valuable information. It addresses uncertainties around those assets to ensure the desired business outcomes are achieved.

There are different ways to manage risk and not all risks are bad, as they can also create opportunities. However, most of the time, the focus is on managing threats. It is important to note that one size does not fit all and different organizations may have different risk management approaches.

ISRM typically involves identifying potential risks to the organization's information assets, assessing the likelihood and impact of those risks, and implementing measures to mitigate or manage them. This process helps organizations to ensure the confidentiality, integrity, and availability of their information assets, and to meet compliance and regulatory requirements.

It is an ongoing process that requires regular review and updates to ensure that risks are identified and treated in a timely manner. By implementing effective ISRM practices, organizations can improve their ability to protect their information assets and achieve their business objectives.

Why ‘joined up’ risk management is important

Risk management in organizations can be challenging, as it involves many people with different perspectives, biases, and risk appetites. Each person may have their own way of approaching risk management and may have implicitly overlaid their own methodology and tools. For example, many people may have created their own risk registers as part of a work project, using a document or spreadsheet and incorporating their own process for evaluation and actions.

However, when it comes to meeting regulations like GDPR and standards like ISO 27001 for information security management, there are specific requirements that need to be met. These standards provide a framework for managing information security risks and achieving compliance, and organizations need to ensure that they understand and implement these requirements effectively.

For example, GDPR requires organizations to implement appropriate technical and organizational measures to protect personal data and to demonstrate compliance with those measures. ISO 27001 provides a framework for managing information security risks, and achieving compliance with it can demonstrate an organization's commitment to protecting sensitive information.

The goal of risk management in these contexts is not only to meet regulatory and compliance requirements, but also to ensure that the organization's valuable information is protected and that desired business outcomes are achieved. By understanding and implementing these standards effectively, organizations can improve their ability to protect their information assets and achieve their business objectives.

These include:

  • Alignment of risk management actions with business objectives

  • A consistent and repeatable methodology to ‘show your working’ and ensure it can be applied in line with the standards and regulations (which we’ll cover more of shortly)

Doing risk management well can help an organization run a better business by addressing uncertainties and making informed decisions. It can also act as an insurance mechanism, in the event of a data breach or other negative incident.

When it comes to cybersecurity and information security, a joined-up risk management approach that takes into account business objectives is crucial. This is important not just for these specific types of risk, but for all types of risk, such as quality, environmental, health, and cyber. By taking a holistic approach to risk management, organizations can ensure that they are effectively identifying, assessing and mitigating risks that could impact their operations and objectives.

Looking deeper at the risk management methodology and approach for ISO 27001 and Europe's General Data Protection Regulation (GDPR) specifically, organizations need to understand these standards and implement them effectively. ISO 27001 provides a framework for managing information security risks, and GDPR requires organizations to implement appropriate technical and organizational measures to protect personal data and to demonstrate compliance with those measures. By understanding and implementing these standards, organizations can improve their ability to protect their information assets and achieve their business objectives and avoiding penalties for non-compliance.

Cyber Security VS Information Security?

Cybersecurity is a relatively new concept that has gained importance in recent years, particularly with the increasing digitization and electronic dependency of the world. The consequences of poor cybersecurity have grown exponentially and have become a significant concern for organizations. Serious Organized Crime Groups (OCGs) are now exploiting vulnerabilities in cyber defenses, making it even more critical for organizations to have robust cybersecurity measures in place.

The General Data Protection Regulation (GDPR) has also raised the bar for organizations to improve their cybersecurity infrastructure. The GDPR has the ability to impose significant fines for personal data breaches, which is an added incentive for organizations to take cybersecurity seriously.

Overall, cybersecurity has become an essential aspect of managing any organization, and it is critical to understand the risks, consequences and importance of having a robust cybersecurity strategy in place. This can help organizations to mitigate risks, protect their valuable data and avoid costly penalties.

Cybersecurity and information security are commonly considered to be the same thing, but they have distinct differences. Cybersecurity is more typically about the protection of information held electronically, and it is a subset of the broader information security posture. Information security covers a wider range of concerns, it not only deals with the protection of electronic information but also includes physical security, such as locks on doors, and people-based security, such as ensuring that key personnel within an organization are protected and that sensitive information is not lost when they leave or are unavailable.

Information security also encompasses data protection, incident management, disaster recovery, and business continuity planning. It is a holistic approach that looks at the protection of information from all angles, including the protection of sensitive data, the management of incidents, the recovery of data after a disaster, and the continuity of business operations.

Overall, while cybersecurity is an essential aspect of information security, information security is a more comprehensive concept that encompasses a wide range of concerns related to protecting information assets in various forms and from various threats.

In ISO 27000, information security is defined as: “The preservation of confidentiality, integrity, and availability of information.” Implicitly this includes cyber. International Standards like ISO 27001 and GDPR also expect you to consider information security in its more holistic sense.

Cyber Essentials is a UK government-backed scheme that focuses on the high-risk control areas that can help prevent cyber-based losses. It is designed to provide a foundation for smaller businesses that are reliant on digital services. It is complementary to other standards such as ISO 27001 and GDPR, and it is a good starting point for organizations to build their cybersecurity defenses.

While cybersecurity is often associated with external threats, it is important to remember that cyber problems can also occur internally. Access control and physical protection should be in place to manage both internal and external threats.

It is important to note that IT security and information security are not synonymous. IT security is a subset of information security and should be considered as part of a more strategic and holistic approach to protecting information assets.

One of the dangers of only thinking about cybersecurity risk management is that it can be left to the IT department alone. However, it is important to remember that cybersecurity is a business-wide concern and should be managed by a team with representation from various departments and functions within the organization.

It is important to have a business-led, joined-up approach to information security risk management to ensure the right solutions are put in place. This approach ensures that staff and supply chain embrace the policies and controls, and that there are no conflicting hoops to jump through.

It is crucial to clarify the role and scope of the IT team and to be clear about how integrated they are with the business objectives. This applies to other departments as well, regardless of the sign above the door. The goal is to do business securely, which makes it everyone's responsibility. Clear leadership and accountability are needed to have a chance of achieving an ISO 27001 certification.

ISO 27001 is a great framework for organizations to follow a structured approach to information security management. It helps organizations work through their purpose, issues, interested parties, scope, and information at risk. Through this process, organizations can identify who should be involved in information security management. It is important to note that it is not just the IT team that should be involved and that it covers more than just cyber security.

Overall, information security risk management is a business-wide concern that requires the involvement of multiple departments and functions within an organization, and it should be aligned with the organization's overall objectives.

Risk management methodology

Article 32 of the EU General Data Protection Regulation (GDPR) requires organizations to conduct risk assessments using the Confidentiality, Integrity, and Availability (CIA) framework. This framework is also a requirement of the ISO 27001 standard for information security management. Using the CIA approach for all information assets, not just personal data, ensures a consistent and comprehensive approach to information security risk management. By aligning the risk management process with both GDPR and ISO 27001, organizations can ensure compliance with both regulations and standards while also effectively managing their information security risks. This approach not only helps organizations to meet their regulatory obligations, but also improve overall information security posture.

  1. Confidentiality: information is not made available or disclosed to unauthorised individuals, entities or processes

  2. Integrity: safeguarding the accuracy and completeness of information assets

  3. Availability: being accessible and usable upon demand by an authorised entity

When developing a methodology for information security risk management, it's important to consider the conflicts and priorities that may arise when addressing risks related to Confidentiality, Integrity, and Availability (CIA) of information. For example, in the event of a data breach, an organization may be faced with a conflict between maintaining the confidentiality of the data and keeping services online, which is an availability issue.

In order to effectively manage these conflicts and priorities, organizations should have a clear and documented process in place. This process should include the following key elements:

What are the 5 steps in a risk management process?

Let’s assume your goal is to obtain ISO 27001 certification, whilst complying with GDPR. We’ll craft our information security risk methodology with that in mind.

  • Risk identification

Identifying potential threats and vulnerabilities that could impact the CIA of information. The source of the risk may be from an information asset, related to an internal/external issue (e.g. associated to a process, the business plan etc) or an interested party/stakeholder related risk.

  • Risk analysis

Once you know the risks, you need to consider the likelihood and impact (LI) to allow you to distinguish between (say) low likelihood and low impact, versus higher ones.

  • Risk evaluation.

Once you have assessed the risks, it is important to prioritize investments where they are needed the most. This can be done by utilizing a risk management tool, such as the 5x5 grid system offered by ISMS.online. This system allows for easy identification of potential risks and their potential impact on the business. The grid includes a likelihood range from very low to very high, with corresponding explanations for each level. For example, a very low likelihood indicates that there is no history of occurrence and that it would require specialized skills and high investment to occur. The impact criteria range from very low, with insignificant consequences and costs, to very high, which could lead to the potential failure of the business. By clearly documenting the meaning of each position on the grid, it ensures that the method can be applied consistently by anyone who uses it. Additionally, the tool also includes a risk bank with popular risks and corresponding treatments, saving a significant amount of time.

  • Risk treatment

The process of addressing risk, also referred to as "risk response planning," must be supported by evidence. Risk treatment can take various forms, including internal measures to control and tolerate the risk, transferring the risk to a third party, or completely eliminating the risk.

The ISO 27001 standard provides a set of control objectives outlined in Annex A to guide risk treatment and serve as the foundation for the Statement of Applicability. Additionally, these controls offer an opportunity to identify potential risks that may have been previously overlooked.

  • Monitor and review the risk

Monitoring and reviewing risk is an essential part of the risk management process. It involves creating processes for monitoring and review, including:

Staff engagement and awareness

Involving appropriate staff in the process regularly and providing a forum for feedback.

Management reviews

Incorporating risk reviews as a standard part of management meetings, with risk owners present at this level and operational responsibilities delegated to the front line.

Improvement

Utilizing internal audits and other mechanisms in Clause 10 to continuously improve the risk management process.

Risk ownership

Assigning an owner for each risk, potentially delegating ownership to the front line according to the "3 lines of defense" model.

Review frequency

Conducting management reviews at least annually, with more frequent reviews for higher likelihood and higher impact risks.

Risk management requirements of ISO 27001:2013/17

(https://www.isms.online/iso-27001/information-security-risk-management-explained/)

There are 2 main requirements where risk management is expressed: Clause 6 Planning and Clause 8 Operation.

Clause 8 is simply about implementing and operating what you have described for 6.1 so let’s concentrate on 6.1 here knowing that you have to live and breathe it in practice (8) to have a chance of running the business well and obtaining certification.

Clause 6.1: Actions to address risks and opportunities

Let’s also remember that this process needs to be business objectives led (i.e. establish context above) so you need to show the information security management system can:

  • achieve the intended outcomes

  • prevent, or reduce the undesired effects

  • achieve continual improvement

When implementing ISO requirements, it is best to begin with a top-down approach. This approach involves considering the overall context and purpose of your organization, as well as the specific challenges it faces. This includes assessing interested parties, determining the scope of the project, and identifying important information assets. This approach is illustrated in the image provided in the ISO 27001 Virtual Coach program within ISMS.online and is considered the most logical method to take.

The organisation has to plan how to address the risks threats and opportunities. ISO 27001 is also very interested in:

  1. How the risks integrate into the wider information security management system

  2. How actions are taken, and evaluating the effectiveness of the actions taken on the way

In addition to the top-down approach, ISO 27001 also requires a thorough documentation of risk acceptance criteria for performing risk assessments. This ensures that the results of the assessments are consistent, valid, and comparable, and that they effectively address the confidentiality, integrity, and availability of the information assets within scope.

An external auditor will expect to see a methodology that clearly explains these processes, and will have increased confidence in the overall efficiency and effectiveness of the ISMS. When information assets are linked to risks, and risks are linked to the policies and controls implemented to address them, the ISMS operates in a seamless and cohesive manner.

The Role of GRC in Managing Risk

Governance, Risk Management, and Compliance (GRC) frameworks provide a structured approach to managing risk in alignment with an organization's overall governance strategy and compliance obligations. GRC emphasizes the integration of risk management practices into all aspects of an organization's operations, ensuring that:

  • Governance processes effectively oversee the organization's information security strategies and policies.

  • Risk Management practices are proactive and integrated, supporting informed decision-making and strategic planning.

  • Compliance with relevant laws, regulations, and standards is maintained, mitigating legal and financial risks.

Last updated