ISO 27000 family standards – What do they regulate and why are they so important for information security?
Cybersecurity requires a proper approach. A highly effective solution for limiting the impact of threats on our systems and IT infrastructure – and consequently on the information collected by an organization – is the standardization of the approach to building safeguards.
This can be achieved through the effective implementation and application of information security management systems. To this end, it is worth looking into the ISO 27000 family of standards. They constitute a collection of standards regarding Information Security Management Systems (ISMS). They were developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Their aim is to ensure effective information security management within organizations and to protect information and data against threats, leakage, loss, or unauthorized access.
PN-EN ISO/IEC 27001 Information Security Management System
The most recognizable standard is PN-EN ISO/IEC 27001, which concerns the Information Security Management System (ISMS). Constantly evolving technology stimulates an increase in the number and variety of cyber threats; therefore, effective information security management is becoming an inseparable element of every organization’s strategy.
The aforementioned standard is a guide that helps organizations consciously protect collected data, construct secure information-processing processes, and adapt to constantly changing external and internal risks.
An Information Security Management System implemented in accordance with ISO/IEC 27001 is a useful tool that allows for the creation of appropriate safeguards, taking into account the specifics of the organization’s operations, its business strategy, and its goals.
In connection with the upcoming entry into force of the new cybersecurity directive (NIS2), a wider group of organizations will be interested in implementing the comprehensive approach resulting from this standard, and some will require it from their contractors. The processes implemented by the Perceptus SOC are certified for compliance with these guidelines.
A key point of ISO/IEC 27001 is the necessity of conducting a risk assessment (often used synonymously with “risk estimation”). The system is designed in such a way that specific security measures are established through the risk assessment process.
The Deming Cycle in ISMS
The entire standard is based on the so-called Deming Cycle (PDCA), which consists of four looped phases, as seen below.
All actions taken by the organization should be Planned. Goals and the planned way of achieving them require definition. Next, we Do (execute) the activities needed for success according to the plan. In the Check phase, we verify whether the “Do” phase reflects the provisions of the “Plan” phase. The Act phase serves to correct imperfections.
Processes planned on a foundation of risk analysis
Planning itself in the field of information security management is strictly based on risk management. The whole idea of risk is the key – the foundation upon which all processes are built.
If a specific goal exists, there is also a risk that it might not be achieved. It is necessary to identify what could go wrong and then plan how to prevent it. At this stage, it is essential to define risk acceptance criteria and identify those risks we will accept versus those that must be, for example, reduced. The evaluation criteria should be repeatable and applied in subsequent risk assessment cycles.
How to ensure this?
We determine the methodology by defining what we will do, who will perform it, how often, and based on what criteria. The ISO/IEC 27001 standard does not impose a specific methodology; however, it requires that the entire risk assessment process, from start to finish, be documented, just like the entire risk management process – from the planning stage to effectiveness evaluation and continuous improvement.
In the ISO/IEC 27001 standard, we find information that the risk assessment process consists of:
- Risk identification;
- Risk analysis;
- Risk evaluation.
Risk assessment according to ISO standards
In the context of risk assessment, it is worth mentioning the ISO 27005 standard. While it does not focus directly on methodology, it describes the approach to risk management in the area of information security.
It contains a series of tips regarding the risk assessment process, which may seem simple, but for people without experience, the ISO 27005 standard provides very valuable assistance. On the other hand, the principles and guidelines regarding risk assessment methodology are described in the ISO 31000 standard – Risk management – Principles and guidelines. There are many methodologies. In organizations, for the purpose of risk analysis, one most often encounters systems such as Risk Score, FMEA, or 5S.
After planning and selecting a methodology, we proceed to identify risks in information security. How we identify them is not as important from the standard’s point of view as ensuring we focus on quality over quantity. This means identifying the actual risks that need attention. Next, we analyze what their effects might be on the organization and its stated goals. We prioritize them and plan work on subsequent areas.
We must accept the fact that even when building a multi-layered network of safeguards, we are unable to eliminate risk 100%. We can minimize it, transfer it to another entity, or accept and monitor it.
When conducting a risk analysis, we must remember that it is not a one-time activity performed solely for the purpose of, for example, obtaining a certificate. It is a continuous and dynamic process that should be regularly updated and reviewed to account for new threats, changes made within the organization, and those occurring in the business environment.
Failure Mode and Effect Analysis (FMEA) in information security
The standards do not specify a specific timeframe for the regularity of risk analysis, nor do they impose a methodology for conducting it. One should choose a methodology that provides real value and is tailored to the organization’s specifics. One of the frequently chosen methods is Failure Mode and Effect Analysis (FMEA). This method was originally used to identify potential problems in spacecraft designs. Its success within NASA contributed to its expansion into other industrial fields.
FMEA is based on a precise analysis of potential faults while considering the associated risk. Its goal is the systematic detection and elimination of potential process defects.
During risk assessment in the context of information security, this method relies on three key criteria rated on a scale of 1 to 10:
- Degree of detectability – for example, if we have tools such as DLP or UTM, we significantly increase the chance of detecting a risk before it materializes.
- Probability of loss of integrity, availability, and confidentiality of information – for example, the likelihood of an employee’s laptop being lost due to theft.
- Effects of losing any aspect of information security (confidentiality, integrity, availability) – in other words, the consequence of a risk materializing, such as the theft of an employee’s workstation.
Within specified point limits, it is important to draw up a risk management plan, including actions, an implementation schedule, responsible persons, and a risk assessment related to the effectiveness of the steps taken.
When proceeding with risk analysis:
- Identify all assets. In the aspect of information security, we must look at this very broadly and consider intangible assets. These include employees, their knowledge, experience, customer databases, supplier databases, and know-how—information whose loss or leakage could have very negative consequences.
- Assess the importance of these assets to the organization. (Example: know-how or customer data is more important to us than marketing materials, which are often shared with a wide audience anyway.)
- Assign an owner to each asset.
- Identify the existing safeguards in that area.
- Identify potential threats for each asset.
- According to the adopted methodology, obtain a score during risk estimation so that risks can be prioritized and assigned to the previously chosen criteria.
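As an added illustration (not code from the original article or from Perceptus), the FMEA scoring and the asset-by-asset procedure above in a small Python risk register; the 1-10 scoring direction, the product-based risk priority number and the acceptance thresholds are assumptions borrowed from classical FMEA, not values prescribed by the standard.

```python
from dataclasses import dataclass

# Constructed illustration of FMEA-style scoring for an ISMS risk register.
# Assumption (classical FMEA): every criterion is rated 1-10 with 10 as the worst
# case, so "detectability" is scored as difficulty of detection (a DLP or UTM that
# catches the event early lowers it), and the risk priority number (RPN) is the
# product of the three ratings. Thresholds below are hypothetical acceptance criteria.
ACCEPT_BELOW = 60   # RPN under this: accept and monitor
REDUCE_FROM = 200   # RPN at or above this: treatment plan mandatory

@dataclass(frozen=True)
class RiskEntry:
    asset: str
    owner: str
    threat: str
    safeguards: tuple     # existing safeguards identified for the asset
    detection: int        # 1 = detected at once, 10 = practically undetectable
    probability: int      # 1 = very unlikely, 10 = almost certain
    effect: int           # 1 = negligible impact on C/I/A, 10 = catastrophic

    def rpn(self) -> int:
        for rating in (self.detection, self.probability, self.effect):
            if not 1 <= rating <= 10:
                raise ValueError(f"rating {rating} is outside the 1-10 scale")
        return self.detection * self.probability * self.effect

def decide(entry: RiskEntry) -> str:
    """Apply the acceptance criteria to one register entry."""
    score = entry.rpn()
    if score < ACCEPT_BELOW:
        return "accept and monitor"
    if score >= REDUCE_FROM:
        return "reduce (treatment plan required)"
    return "reduce or transfer (owner decides)"

def prioritize(register):
    """Return (asset, threat, rpn, decision) tuples, highest RPN first."""
    ranked = sorted(register, key=lambda e: e.rpn(), reverse=True)
    return [(e.asset, e.threat, e.rpn(), decide(e)) for e in ranked]

# Constructed sample register (not real organisational data).
REGISTER = [
    RiskEntry("employee laptop", "IT manager", "theft outside the office",
              ("full-disk encryption", "remote wipe"), 4, 6, 5),
    RiskEntry("customer database", "sales director", "insider leak via e-mail",
              ("DLP on mail gateway",), 3, 4, 9),
    RiskEntry("supplier contracts", "procurement lead", "unauthorised read on file share",
              (), 8, 5, 6),
    RiskEntry("marketing materials", "marketing lead", "public disclosure", (), 2, 7, 1),
]
```

Calling prioritize(REGISTER) puts the unprotected supplier contracts (RPN 240) first and classifies the marketing materials (RPN 14) as accept-and-monitor, mirroring the asset-importance judgement in the list above.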
The simplest to execute and simultaneously the least expensive method is the development of procedures, policies, and instructions, with which we familiarize our employees and any other individuals who must be aware of them.
Correctly executed, implemented, and maintained documents help employees act in a specific, secure manner. This allows for the avoidance of simple human errors that could impact the confidentiality, integrity, and availability of data – which is the goal of an ISMS according to ISO/IEC 27001.