CHAPTER 2:
INFORMATION SECURITY RISK MANAGEMENT

Organizations develop and implement risk management strategies in order to reduce the negative impact on the organization of risks occurring, and to provide a structured, consistent basis for making decisions around risk mitigation options. Risk management has two phases: risk assessment and risk treatment.

• Risk assessment is the process of identifying threats, and assessing the likelihood of those threats exploiting some vulnerability, and the potential impact of such an event occurring.

• Risk treatment is the process of responding to identified risks.

Risk assessment, also known as risk analysis, is the process by which risks are identified and assessed. The assessment process then stops. Any decisions and/or actions taken in light of the assessment are taken outside the assessment process; they are part of the risk treatment plan, which, when implemented and taken together with the risk assessment process, is the other constituent of risk management.
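The separation described above, assessment first and treatment as a distinct step, can be made concrete with a minimal risk register. This is an added example, not code from the chapter or from any ISO27001 publication: the 1-to-5 likelihood and impact scales, the acceptance threshold of 8 and the three sample risks are constructed assumptions, since the standard leaves the choice of scale and threshold to the organisation.

```python
from dataclasses import dataclass

# Constructed 1..5 ordinal scales (an assumption for this example; ISO27001
# leaves the choice of scale to the organisation).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Risk:
    """One identified risk: a threat exploiting a vulnerability in an asset."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str   # key of LIKELIHOOD
    impact: str       # key of IMPACT

    def __post_init__(self):
        # Reject ratings outside the agreed scale at registration time.
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"unknown likelihood rating: {self.likelihood!r}")
        if self.impact not in IMPACT:
            raise ValueError(f"unknown impact rating: {self.impact!r}")

    def score(self) -> int:
        """Risk level as likelihood x impact on the ordinal scales above."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def assess(risks):
    """Risk assessment: score and rank the identified risks, highest first.
    Returns (score, risk) pairs and takes no treatment decisions."""
    return sorted(((r.score(), r) for r in risks), key=lambda pair: pair[0], reverse=True)


def treatment_plan(assessed, acceptance_threshold):
    """Risk treatment: a separate step that compares each assessed risk with
    the organisation's risk acceptance threshold (an input decided by
    management, not produced by the assessment). Risks at or above the
    threshold are marked 'treat' (a mitigation option must be chosen and
    implemented); the rest are marked 'accept'. Returns (risk, decision)
    pairs in ranked order."""
    return [
        (risk, "treat" if score >= acceptance_threshold else "accept")
        for score, risk in assessed
    ]


# Constructed sample register; the entries and ratings are illustrative only.
SAMPLE_RISKS = [
    Risk("customer database", "SQL injection by an external attacker",
         "unpatched web application", "likely", "major"),
    Risk("laptop fleet", "theft of a laptop", "disks not encrypted",
         "possible", "moderate"),
    Risk("office printer", "hardware failure", "no spare unit",
         "unlikely", "negligible"),
]

# Constructed threshold: anything scoring 8 or more must be treated.
ACCEPTANCE_THRESHOLD = 8

if __name__ == "__main__":
    for risk, decision in treatment_plan(assess(SAMPLE_RISKS), ACCEPTANCE_THRESHOLD):
        print(f"{risk.score():>2}  {decision:<6}  {risk.asset}: {risk.threat}")
```

The point of the split is that `assess` produces a ranked list and nothing else; the threshold that turns that list into accept/treat decisions is supplied to `treatment_plan` by management, so changing the organisation's risk appetite changes the plan without re-running the assessment.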

Every organization faces numerous information-related risks, and most will want to develop cost-effective methodologies for ensuring the confidentiality, integrity and availability of their organization’s information. ISO27001, the international information security management system standard, provides a specification for an ISMS that any organization can use to manage information security to achieve these objectives.

ISO27001 is very specific in defining the approach required for the design and implementation of an ISMS, and uses the well-recognised Plan-Do-Check-Act model (P-D-C-A) to structure the tasks required to introduce an effective ISMS. The P-D-C-A cycle can be summarised as:

• Plan what you need to do to achieve the objective (which can include defining the objective);

• Do what you planned;

• Check that what you have done achieves what you had planned for it to achieve and identify any gaps or shortfalls; and

• Act on the findings of the plan phase to address the gaps.

Typically this last stage will itself involve making a Plan, Do-ing what that plan entails, Check-ing that the objectives were achieved and identifying any shortfalls, and then Act-ing on the findings by Plan-ning afresh. Thus the introduction of an ISMS using P-D-C-A effects the initial cycle of continuous improvement.

One common misunderstanding is that the initial planning stage is limited purely to planning the project. As far as ISO27001 is concerned, the planning stage includes all the work required to determine what is required of the ISMS, and how this is to be achieved. The largest resource commitment required in this phase is the preparation for and undertaking of the risk assessment.⁵

⁵ More on the PDCA approach is available in the ISO27001 Pocket Guide (Steve G Watkins, ITGP, 2007, www.itgovernance.co.uk/products/729).
