The CISO Perspective by Simon Butt

Author: Simon Butt
Language: eng
Format: epub
ISBN: 9781787784468
Publisher: ITG


One of the best descriptions of an organizationally appropriate risk assessment approach is in the International Standard, ISO/IEC 27001:2022 (Information security, cybersecurity and privacy protection – Information security management systems – Requirements).15

What does ISO/IEC 27001:2022 have to say about risk assessment?

ISO/IEC 27001:2022 (ISO 27001) is an internationally recognized information security standard that provides management and technical compliance requirements against which organizations and professionals can be certified. ISO 27001 guides organizations to establish, implement, maintain, and improve an ISMS that assures the confidentiality, integrity, availability, and privacy of information. ISO 27001 comprises two major sections: the management system requirements defined in paragraphs 4 through 10, and the security controls defined in Annex A of the Standard. While organizations have the right to select only the controls applicable to their operations from Annex A, excluding any of the requirements defined in paragraphs 4 through 10 is unacceptable if an organization claims compliance with ISO 27001.

To be compliant with ISO 27001, an organization must demonstrate the establishment and use of a risk assessment methodology that is suited to the business considering information security as well as legal and regulatory requirements. Clauses 6.1.2 and 6.1.3 of ISO 27001 define the necessary and critical elements of a risk assessment methodology.

The risk assessment approach must also define the criteria for accepting risks and identifying acceptable levels of risk. The Standard also provides the framework for conducting risk assessments, risk analysis, and risk treatment, leading to the selection of the proper security controls from Annex A.

The necessary steps within a risk assessment framework include the following:

1. Identifying the organization’s assets and the owners of the assets. This is all about knowing what you need to protect within the scope of the ISMS and who is responsible.

2. Calculating the impacts or AVs that a loss of confidentiality, integrity, and/or availability of the assets may have on the organization.

3. Identifying the threats and TL to the assets.

4. Identifying the vulnerabilities that are most likely paired with each threat to determine the VE.

5. Calculating a risk score for each asset and each of its threat and vulnerability pairs.
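As an added illustration, not text from the book and not a formula the Standard prescribes, the following Python risk register walks steps 1 to 5 over a constructed set of assets: the 1-to-5 scales for AV, TL and VE, the product formula AV x TL x VE, and the acceptance threshold are assumptions made for the example, and an organization would define its own criteria under clause 6.1.2.

```python
# Added example (not from the book): a minimal risk register for the five steps
# above. Scales (1..5), the product formula and the threshold are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:                    # step 1: asset and its owner
    name: str
    owner: str
    asset_value: int            # step 2: AV, impact of losing C/I/A, 1 (low) .. 5 (critical)


@dataclass(frozen=True)
class ThreatVulnPair:           # steps 3 and 4: a threat paired with the vulnerability it exploits
    asset: Asset
    threat: str
    threat_likelihood: int      # TL, 1..5 (assumed scale)
    vulnerability: str
    vulnerability_exposure: int # VE, 1..5 (assumed scale)


def risk_score(pair: ThreatVulnPair) -> int:
    """Step 5: risk = AV * TL * VE (assumed formula); rejects out-of-scale inputs."""
    for value in (pair.asset.asset_value, pair.threat_likelihood, pair.vulnerability_exposure):
        if not 1 <= value <= 5:
            raise ValueError(f"scale values must be 1..5, got {value}")
    return pair.asset.asset_value * pair.threat_likelihood * pair.vulnerability_exposure


def assess(pairs, acceptance_threshold: int):
    """Return (score, pair) tuples that exceed the acceptance criterion, highest risk first.

    Pairs at or below the threshold are accepted; those returned need risk treatment.
    """
    scored = [(risk_score(p), p) for p in pairs]
    return sorted((sp for sp in scored if sp[0] > acceptance_threshold),
                  key=lambda sp: sp[0], reverse=True)


# Constructed sample register (illustrative values, not real findings)
CUSTOMER_DB = Asset("customer database", "Head of Sales", 5)
INTRANET_WIKI = Asset("intranet wiki", "IT Operations", 2)
SAMPLE_PAIRS = [
    ThreatVulnPair(CUSTOMER_DB, "credential theft", 4, "no MFA on admin portal", 4),   # 80
    ThreatVulnPair(CUSTOMER_DB, "ransomware", 3, "backups restored-tested quarterly", 2),  # 30
    ThreatVulnPair(INTRANET_WIKI, "web defacement", 5, "unpatched CMS", 4),            # 40
    ThreatVulnPair(INTRANET_WIKI, "data loss", 3, "single disk, nightly backup", 2),   # 12
]

if __name__ == "__main__":
    for score, pair in assess(SAMPLE_PAIRS, acceptance_threshold=30):
        print(f"{score:>3}  {pair.asset.name} ({pair.asset.owner}): {pair.threat} via {pair.vulnerability}")
```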
