CHAPTER 5: RISK ASSESSMENT SOFTWARE

There are software tools that have been designed to assist in risk assessment and, although their use is not mandatory in the standard, it is practically impossible to carry out and maintain a useful risk assessment for an organisation that has more than about four workstations without using such a tool. It is essential that the risk assessment be completed methodically, systematically and comprehensively. An appropriate software tool, designed with ISO27001 in mind and kept up to date in terms of changing information security issues, can be effective in this process.

This is because the risk assessment is a complex and data-rich process. For an organisation of any size, the only practical way to carry it out is to create a database that contains details of all the assets within the scope of the ISMS, and then to link, to each asset, the details of its (multiple) threats and (multiple) vulnerabilities, and their likelihood and resulting impacts, together with details of the asset ownership and its confidentiality classification.

The risk assessment process is made enormously simpler if one can also use ready-made databases of threats and vulnerabilities. The database should also contain details of the control decisions made as a result of the risk assessment, so that, at a glance, it is easy to see what controls are in place for each asset within the ISMS.

This database must be updated in the light of new risk assessments, which should take place whenever there are changes to the assets or to any aspect of the risk environment. The number of software tools available for this purpose is increasing. To one extent or another they automate the risk assessment process and generate the Statement of Applicability. In theory, such a tool ought to encourage the user to perform a thorough and comprehensive security audit on the organisation’s information systems, and ought not to produce too much paperwork as a result. Tool availability is likely to change as the standard is more widely taken up and any organisation interested in pursuing this route should, therefore, do up-to-date research on what is available before making a shortlist.

The organisation may need to compare tools before making a selection and should concentrate, in the comparison process, on the extent to which the tool really does easily and effectively automate the risk assessment and Statement of Applicability development process, the amount of additional paperwork it generates, the flexibility it offers for dealing with changing circumstances and frequent, smaller scale risk assessments, and the meaningfulness of the results it generates.

Tracking changes to the risk assessment process over time is also of importance, and often the ‘future-proofing’ aspect of requirements of the tool are overlooked during the initial purchase because of the focus on achieving certification, or at least the implementation of an ISO27001-compliant ISMS. Of course, normal due diligence analyses should also be undertaken into the status of the supplier and manufacturer of the product to ensure that it is properly supported and likely to continue to be.

Risk assessments can be done without using such tools, although it can be difficult to demonstrate that the risk assessment produces comparable and reproducible results without using such a tool. A proper risk assessment in any business will be very time consuming, whether or not a software tool is used. ‘Time consuming’ means one or more months of dedicated work and, for larger organisations, even longer. The use of a software tool will depend on the culture of the organisation and the preferences of the information security adviser and manager.

Practically speaking, once the organisation has decided to purchase such a tool, it becomes dependent on that tool and on the staff members who are trained to use it. In considering the appropriate route forward, consideration should be given to the likelihood of being able to recruit staff who have broad risk assessment experience and can adapt to the organisation’s environment as against the likelihood of recruiting and retaining staff who have specific experience with one risk assessment tool, if that tool requires particular specialist knowledge.

If the organisation decides to purchase such a tool, the ISMS project steering group should document the reasons for its choice and selection. Whoever is to use it will, of course, have to be fully competent in its use. Evidence of any training and of the level of proficiency achieved should be retained on the personnel file of the person trained in its use.

It is essential to appreciate that risk assessment tools are a specific type of tool, different from other tools, such as gap analysis tools, vulnerability assessment tools or penetration testing, each of which is briefly described before we provide guidance on current risk assessment tools.

Gap analysis tools

It is important to understand the difference between a gap analysis and an ISO27001-compliant risk assessment. A risk assessment is individual asset-based; a gap analysis assesses the gap between the requirements of a standard or other set of requirements (such as a risk treatment plan or Statement of Applicability) and the controls that are actually in place. Such gap analysis tools almost invariably analyse the gap between the controls in place in an organisation and the complete set of those required by the standard. While this exercise can be interesting, it is not deeply useful.

This is because, where ISO27001 is concerned, not all organisations are likely to need to implement all the controls identified in the standard; an analysis of the gap between the requirements of the standard and the current implementation status is not, therefore, particularly useful in the creation of an ISO27001-compliant ISMS. In our analysis, where something identified by the vendor as a ‘risk assessment tool’ is patently only a gap analysis tool, we have clearly identified it as such. There is no point in attempting to use such a tool to carry out the risk assessment component of the ISMS project, because it simply doesn’t meet the requirements of the standard.

Vulnerability assessment tools

Vulnerability assessment tools,²⁸ also called security scanning tools, are also not risk assessment tools as defined by the standard. They may well be used as part of the risk assessment process, in order to identify vulnerabilities. They do have a role to play in many information security management systems, and that role is determined by the risk treatment plan which arises from the risk assessment. Vulnerability assessment tools assess the security of network or host systems and report system vulnerabilities. These tools are designed to scan networks, servers, firewalls, routers and software applications for vulnerabilities. Generally, the tools can detect known security flaws or bugs in software and hardware, determine if the systems are susceptible to known attacks and exploits, and search for system vulnerabilities, such as settings contrary to established security policies.

In evaluating a vulnerability assessment tool, consider how frequently it is updated to include the detection of new weaknesses, security flaws and bugs, and whether or not it refers to common lists of flaws and vulnerabilities, such as the SANS Top Cyber Security Risks, CVE and Bugtraq.²⁹ Vulnerability assessment tools are not usually run in real-time, but are commonly run on a periodic basis. The tools can generate both technical and management reports, including text, charts and graphs. Vulnerability assessment reports can identify what weaknesses exist and how to fix them.

Penetration testing

Penetration testing (or pentesting) is also not a risk assessment. A penetration analysis is a snapshot of the organisation’s security at a specific point in time. It can test the effectiveness of security controls and preparedness measures. Whilst a vulnerability assessment is usually an automated process, using a vulnerability assessment tool, penetration testing usually involves a team of (external) experts who test and identify an information system’s vulnerability to attack. They may attempt to bypass security controls by exploiting identified vulnerabilities including, for instance, social engineering, denial of service attacks and other methods. The objective of a penetration analysis is to locate system vulnerabilities so that appropriate corrective steps can be taken.

Pentesting does, therefore, have a role to play in the ISO27001 risk assessment; it has an even more substantial role to play after the assessment, to test the effectiveness of defences that have been installed and to ensure that technical controls are performing as they are expected to.

Risk assessment tools

Not all of those tools that currently claim to be ISO27001 risk assessment tools are necessarily so, and those that are may in any case not meet your requirements. Different tools target different organisational profiles and are sold under various licence arrangements. Aspects that should be considered in determining the most suitable tool for any one project should include:

We have identified the following software tools, each of which claims (to one extent or another) to be an information security risk assessment tool:

OAT (the OCTAVE Automated Tool) for users of OCTAVE is designed to respond exclusively to the US NIST SP 800-26³⁰ standard and has, therefore, not been considered in this book.

Risk assessment tool descriptions³¹

Callio’s tool, Callio Secura, is a team-oriented tool that has been built around ISO17799:2000 and BS7799-2:2002. It is web-based, which brings with it specific risks that it has not apparently been optimised to control. It contains sample policies, a document manager, an employee awareness centre, a very limited risk assessment tool and a more comprehensive gap analysis tool. It does not perform a risk assessment as required by the standard. More importantly, it appears not to have been updated for ISO27001 and it still contains the control structure of ISO17799:2000, which was withdrawn in 2005. It does not look as though it would be even vaguely useful for organisations seeking certification to the current standard.

Cobra (release 3) is a gap analysis tool (it claims to do an ISO17799 compliance check), not a risk assessment tool, and it appears not to support either risk management or the establishment of the ISMS; at US$895 it’s an expensive gap analysis tool.

CRAMM is the oldest risk assessment tool. Version 5 is the current version. It is the preferred tool of the UK government and is recommended by them for use in the public sector. It is widely available through Insight Consulting in the UK and its agents in other countries. It has two modules (CRAMM Express and CRAMM Expert). It provides:

The reports CRAMM runs cannot be altered, but there are many pre-defined reports, including:

In support of ISO27001 it also offers reports for:

CRAMM appears to meet the key requirements that were set out earlier in this chapter. The customisability of its reports and interfaces is, however, a bit limited. There are two versions available: ‘Express’ (£1,500 plus £250 annual licence) and ‘Expert’ (£2,950 plus £875 annual licence). Siemens can deploy its consultancy expertise to help customise the Expert version and it recommends that anyone who will be using the tool should undergo their three-day (£1,195) non-residential training programme. It is not, in other words, necessarily as easy to use as they would like it to be. It is, though, the sort of tool that no ISO27001 auditor will object to.

Ezrisk is a risk assessment tool, but is not ISO27001:2005 compliant and its ISO module appears to be more of a gap analysis tool than a risk assessment one.

ISRAC is available in business and enterprise versions and works with ISO17799, not ISO27001. However, it carries out risk assessments at the business process level, not the asset level, and it, therefore, fails the first requirement of an ISO27001-compliant risk assessment tool. The fact that it treats physical security as an area different from information security (and, therefore, offers a second module for assessing physical security risks) indicates a fundamental non-conformance to an essential point of the standard, which is that all information, both digital and analogue, has to be protected and that physical controls are as important as logical ones.

Proteus appears to be mainly an ISO27001 compliance gap analysis tool. There are various versions available. It does not appear to contain an ISO27001 risk management function. Costs vary from approximately £600 plus licence fee/arrangements upwards.

PTA is a risk assessment tool, but was originally designed for use in system specification and does not appear to be ISO27001 compatible in any way. Anyone who wished to use it for an ISO27001 deployment would probably have to invest an uneconomic level of time in customising this product.

RiskWatch meets many of the requirements identified earlier in this chapter. It has an effective, comprehensive risk assessment methodology and can assess risk both quantitatively and qualitatively. While it was not built specifically for ISO27001 work, or the establishment and management of an ISMS, it claims that it can apply both ISO27002 and NIST SP 800-26³² controls and can be either PC or server-based. While it appears to be a first-class tool, it is also by far the most expensive. A single user licence costs US$14,500. It is probably best suited to larger organisations that require a more sophisticated and granular approach to risk quantification, and to organisations with a US exposure (or that are based in North America), because NIST SP 800-26 compliance is not a requirement outside the US. It is also useful to risk consultants whose offering includes sophisticated, detailed risk assessments at this level.

RSAM is a comprehensive, scalable, multi-standard, multi-user, client-server gap analysis tool. It doesn’t follow ISO27001 methodology and it doesn’t produce a Statement of Applicability. It’s not likely to help with an ISMS project.

RA2 was developed by two consultants who were deeply involved in both the 2005 revision to ISO27002 and the development of ISO27001. Their risk assessment tool is absolutely in line with the process required by the standard and it can be purchased online. The risk assessment methodology is qualitative and is also in line with the standard. While it is effective for an organisation’s initial risk assessment, it is not as obviously capable of comparing assessments and control recommendations made at different times, nor does it easily allow uploading of individual asset details. These two characteristics mean that it is best suited to small to medium organisations, carrying out their first risk assessment as part of their initial ISMS project. It is not self-explanatory to use, but there is no requirement for offsite user training. At £1,100 for a single user licence, it is about half the price of the Expert version of CRAMM. There is no enterprise version.

vsRisk™ This tool has been designed specifically for ISO27001 risk assessments, but also supports ISO27002. Uniquely, it is also in line with the guidelines of BS7799-3 and ISO27005, and both NIST SP 800-26 and SP 800-30. It is also in line with the requirements of the ISF³³ Security Standard 2005 and the Risk Management Standard, developed jointly by the UK’s major risk management organisations.³⁴ It was developed by a specialist risk management software company³⁵ to a project brief prepared by the authors of this book, and worldwide marketing rights are held by Vigilant Software™ Ltd. The features of vsRisk™ include:

It has been designed with the aim of supporting an ISO27001-compliant risk assessment beyond the first implementation PDCA cycle and has a clear user interface. It does the ISO27001 risk assessment job correctly, easily and efficiently.

Conclusions

CRAMM, with its pedigree, is the cautious choice, but is not the easiest or most user-friendly of risk assessment tools. RiskWatch might be the sophisticate’s choice, but the return on investment ratio needs to be carefully calculated, and ISO27001 compliance is not in-built.

RA2 is a tool that complies with ISO27001, and at a reasonable price.

Our view, however, is that, for most organisations, and for consultants providing ISMS services to most organisations, the most appropriate tool – in terms of functionality, ease of use and value for money – is the one that is completely in line with the requirements of ISO27001, as well as all other national and international standards on information security risk assessment, and that is vsRisk™.