Re: Risk Assessment questions

RV · ‎04-19-2021

Gentlepeople,

I'm reviewing a company's security program. They are (surprisely) ISO 27001 certified and their primary focus is the compliance part. Why I named surprisely; ISO 27001 is a management system focussing on risks to the information systems (this is my definition!). When I take a look at the risk assessment preferment, I found several questions which are business risks but not directly related to processing data. I'm wondering - I never involved with the details of ISO 27001 - if this should be the case. Thus, should you process questions like the loosing of a customer or illness rate of employees?

My perception is we should first have an inventory of asset classes (type of users, type of data sets, type of devices, type of networks, type of applications). Then we perform a risk assessment on what can happen to theses assets or which know weaknesses these assets contain. Based on the outcome we could assign controls (bases on the ISO 27001 approach, statement of applicability) and prioritise the controls to implement.

In addition - my personal added value - is to assign CIS20 to the controls, as they are more practical and gives a basic set of protection.

So, my questions:

- Could somebody confirm that questions not related to data processing / information systems should be part of the RA of an ISO 27001 program?

- is there a default set of general questions available to use, which can be easily adjusted to the specific company (at leas as a start).

Thanks

rslade · ‎04-19-2021

> RV (Viewer II) posted a new topic in Governance, Risk, Compliance on 04-19-2021

> So, my questions: - Could somebody confirm that questions
> not related to data processing / information systems should be part of the RA of
> an ISO 27001 program? - is there a default set of general questions available to
> use, which can be easily adjusted to the specific company (at leas as a start).

Well, you've not specified which of two fundamental questions you want answered.
These are:

1) Do you want to pass ISO 27000 certification?
or
2) Do you want to protect the enterprise?

The key to passing ISO 27000 (or pretty much any other security certification) is
to narrow the scope enough that you don't have any problems. So you want to
exclude everything you can.

Of course, if you want to actually protect the business, you want to *include*
everything you can ...

======================
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
"If you do buy a computer, don't turn it on." - Richards' 2nd Law
"Robert Slade's Guide to Computer Viruses" 0-387-94663-2
"Viruses Revealed" 0-07-213090-3
"Software Forensics" 0-07-142804-6
"Dictionary of Information Security" Syngress 1-59749-115-2
"Cybersecurity Lessons from CoVID-19" CRC Press 978-0-367-68269-9
============= for back issues:
[Base URL] site http://victoria.tc.ca/techrev/
CISSP refs: [Base URL]mnbksccd.htm
PC Security: [Base URL]mnvrrvsc.htm
Security Dict.: [Base URL]secgloss.htm
Security Educ.: [Base URL]comseced.htm
Book reviews: [Base URL]mnbk.htm
[Base URL]review.htm
Partial/recent: http://groups.yahoo.com/group/techbooks/
http://en.wikipedia.org/wiki/Robert_Slade
https://is.gd/RotlWB http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468

RV · ‎04-20-2021

thanks;

As this is a ISC2 platform I presumed we are all on the page of security instead of compliancy 🙂 Sorry for that.

The main reason for my question is, even outside the definition of the scope of ISO27k1. Business risks which have nothing to do with data processing, are - in my opinion - not relevant for a Risk Assessment of ISO27k1. So the first question is; am I correct to have these type of business risks like, lossing a client, employee illness rate, etc, not included in a ISO27k1 risk assessment?

The second question is; are there example questions to ask (think about) for such an assessment? Or is it that simple to brainstorm questions regards the asset classes inventory and "think" about what could happen with such an asset? Even then it could be useful if someone could provide me with a set of sample risks which could be used to provide examples to the stakeholders. Is there such a list?

tmekelburg1 · ‎04-20-2021

@RV wrote:

The second question is; are there example questions to ask (think about) for such an assessment? Or is it that simple to brainstorm questions regards the asset classes inventory and "think" about what could happen with such an asset? Even then it could be useful if someone could provide me with a set of sample risks which could be used to provide examples to the stakeholders. Is there such a list?

Check out the PDI Course that explains this concept in more detail: Conducting Practical Risk Analysis

What you're looking for are prompt lists that help provide a consistent methodology for identifying and grouping risks. For example, PESTLE, TECOP, and SPECTRUM are some acronyms that can be looked up for further detail on your part. I'm not really familiar with ISO because we're using NIST but ISO may have some documentation related to prompt lists.

I've also found asking questions related to the CIA triad and using the threat modeling technique STRIDE helpful. I'll also point our NIST SP 800-30r1 Table D-2 TAXONOMY OF THREAT SOURCES as a free resource as well.

joeadu · ‎04-20-2021

IMO, both security and compliance are important, because not being able to demonstrate compliance to a required framework could be bad for your business, just a being compliant to a framework without actually having sensible security measures, as you point out, could lead to major issues.
For your first follow-up question, I think that’s a call you’ll have to make for your business, depending on the scope of your ISMS and what else you have in place to capture business risks. I can certainly see a case for both being scoped under the ISO 27001 risk assessment, because it doesn’t just have to do with risks to data processing. They are more broadly risks to your business, so if your People/HR team believes that illness to employees posses a legitimate risk to your business, then that could get captured in the risk assessment. Similarly, losing a client could certainly get captured in the ISO 27001 risk assessment, especially if the factors that contribute to that risk are related to security and compliance (e.g. loss of client due to security incidents or due to a lack of a formal security program or ISO certification). I think it would depend on whether these risks are being addressed elsewhere by your business. This is the type of thing I would discuss with the ISMS steering committee during the required ISMS management meetings (which should typically happen no less than annually) - that committee would include other senior leaders of the company who aren’t involved in the operation of the ISMS, but who can provide essential business input to inform the structure and operation of the ISMS.

Regarding your second question, that would also depend on the nature of your business and industry. I recommend starting by identifying the predisposing conditions that may expose your business to specific security risks. Like, if you build web apps, then there’s a whole host of security risks, including from threat events related to CSRF, MITM; if you issue mobile devices or support byod, that’ll predispose you to threats, like physical theft, for example. NIST SP 800-30 might be helpful, as it outlines some common threat sources for conducting your risk assessment; check out Appendix D, if you haven’t seen it already. Also, OWASP can help identify some common risks to web applications, in particular, if that applies to your business. Those are two of the inputs I’ve used in the past to build an ISO 27001-certified risk management program. I hope this word salad is somewhat helpful, and good luck!