Risk Assessment as per ISO 27005

                   Presented by Dharshan Shanthamurthy,
                         Risk Assessment Evangelist
                           WWW.SMART-RA.COM

SMART-RA.COM is a patent pending product of SISA Information Security Pvt. Ltd.
What is Risk Assessment?

• NIST SP 800-30
  Risk Assessment is the analysis of threats in conjunction with
  vulnerabilities and existing controls.
• OCTAVE
  A Risk Assessment will provide information needed to make
  risk management decisions regarding the degree of security
  remediation.
• ISO 27005
  Risk Assessment = Identification, Estimation and Evaluation
Why Risk Assessment?
Regulatory Compliance

Compliance Standard          Risk Assessment Requirement

PCI DSS Requirement 12.1.2   Formal and structured risk assessment based on methodologies like ISO 27005,
                             NIST SP 800-30, OCTAVE, etc.

HIPAA Section 164.308(a)(1)  Conduct an accurate and thorough assessment of the potential risks and
                             vulnerabilities to the confidentiality, integrity, and availability of electronic
                             protected health information held by the covered entity.

FISMA Section 3544           Periodic testing and evaluation of the effectiveness of information security
                             policies, procedures, and practices, to be performed at least annually.

ISO 27001 Clause 4.1         Risk assessments should identify risks against risk acceptance criteria and
                             organizational objectives. Risk assessments should also be performed
                             periodically to address changes in the security requirements and in the risk
                             situation.

Also: GLBA, SOX, FISMA, Data Protection Act, IT Act Amendment 2008, Privacy Act, HITRUST...
Why Risk Assessment?
Business Rationale

Function                    Explanation

Return on Investment        A structured RA methodology follows a systematic and pre-defined
                            approach, minimizes the scope for human error, and emphasizes
                            process-driven rather than person-driven activities.

Budget Allocation           Assists in controls cost planning and justification.

Controls                    Cost and effort optimization by optimizing controls selection and
                            implementation.

Efficient utilization of    Resource optimization by appropriate delegation of actions related to
resources                   controls implementation.
What is IS-RA?

Risk assessment is the cornerstone of any information
security program, and it is the fastest way to gain a
complete understanding of an organization's security
profile: its strengths and weaknesses, its vulnerabilities
and exposures.

"IF YOU CAN'T MEASURE IT ...YOU CAN'T MANAGE IT!"
Reality Check

•   ISRA: a need more than a want
•   Each organization has its own ISRA
•   ISRA learning curve
•   Cumbersome: 1000 assets, 20 worksheets
•   Two months of effort
•   Complicated report
Exercise
• Threat Scenarios
• Threat Profiles to be filled.
Risk Assessment reference points
     •   OCTAVE
     •   NIST SP 800‐30
     •   ISO 27005
     •   COSO
     •   Risk IT
     •   ISO 31000
     •   AS/NZS 4360
     •   FRAP
     •   FTA
     •   MEHARI
ISO 27005 Introduction

 • ISO 27005 is an Information Security Risk Management guideline.

 • Lays emphasis on the ISMS concept of ISO 27001:2005.

 • Drafted and published by the International Organization for
   Standardization (ISO) and the International Electrotechnical
   Commission (IEC).

 • Provides an RA guideline and does not recommend any specific RA
   methodology.

 • Applicable to organizations of all types.
ISO 27005 Workflow

• Advocates an iterative approach to risk assessment.

• Aims at balancing time and effort with controls efficiency in
  mitigating high risks.

• Proposes the Plan-Do-Check-Act cycle.

[Figure: ISO 27005 risk management process. Source: ISO 27005 Standard]
ISO 27005 Risk Assessment

Information Security Risk Assessment = Risk Analysis + Risk Evaluation

Risk Analysis:
                    Risk Analysis = Risk Identification + Risk Estimation

1. Risk Identification
     Risk characterized in terms of organizational conditions

          • Identification of Assets: Assets within the defined scope
          • Identification of Threats: Based on Incident Reviewing, Asset
             Owners, Asset Users, External threats, etc.
ISO 27005 Risk Assessment Contd.
           • Identification of Existing Controls: Also check if the controls are working
             correctly.
           • Identification of Vulnerabilities: Vulnerabilities are shortlisted in
             organizational processes, IT, personnel, etc.
           • Identification of Consequences: The impact of loss of CIA of assets.

 2. Risk Estimation

      – Specifies the measure of risk.

           • Qualitative Estimation
           • Quantitative Estimation

 Risk Evaluation:
           • Compares and prioritizes Risk Level based on Risk Evaluation Criteria and Risk
             Acceptance Criteria.
ISO 27005 RA Workflow

  Step 1                     Step 2                     Step 3                     Step 4
  General Description of     Risk Analysis:             Risk Analysis:             Risk Evaluation
  ISRA                       Risk Identification        Risk Estimation
Step 1: General Description of ISRA

  Input                        Action                          Output
  • Basic Criteria             Identify, Describe              Assessed risks prioritized
  • Scope and Boundaries       (quantitatively or              according to Risk Evaluation
  • Organization for ISRM      qualitatively) and              Criteria.
                               Prioritize Risks
Step 2: Risk Analysis: Risk Identification
        Identification of Assets

  Input                        Action                          Output
  • Scope and Boundaries       Assets are defined              • List of Assets
  • Asset owners                                               • List of associated
  • Asset Location                                               business processes
  • Asset function
Step 2: Risk Analysis: Risk Identification
        Identification of Threats

  Input                        Action                          Output
  Threat Information from:     Threats are defined             • Threats
  • Review of Incidents                                        • Threat source
  • Asset Owners                                               • Threat type
  • Asset Users, etc.
Step 2: Risk Analysis: Risk Identification
        Identification of Existing Controls

  Input                        Action                          Output
  • Documentation of           Existing and planned            • Existing and planned
    controls                   controls are defined              controls
  • RTP (Risk Treatment                                        • Implementation status
    Plan)                                                      • Usage status
Step 2: Risk Analysis: Risk Identification
        Identification of Vulnerabilities

  Input                        Action                          Output
  • Identified Assets          Vulnerabilities are             • Vulnerabilities related
  • Identified Threats         identified                        to assets, threats,
  • Identified Existing                                          controls
    Controls                                                   • Vulnerabilities not
                                                                 related to any threat
Step 2: Risk Analysis: Risk Identification
        Identification of Consequences

  Input                        Action                          Output
  • Assets and business        The impact of the loss          Incident scenarios with
    processes                  of CIA is identified            their consequences related
  • Threats and                                                to assets and business
    vulnerabilities                                            processes
Step 3: Risk Analysis: Risk Estimation
        Risk Estimation Methodologies

(a) Qualitative Estimation: High, Medium, Low
(b) Quantitative Estimation: $, hours, etc.
Step 3: Risk Analysis: Risk Estimation
        Assessment of consequences

  Input                        Action                          Output
  • Assets and business        The business impact             Assessed consequences of
    processes                  from information                an incident scenario
  • Threats and                security incidents is           expressed in terms of
    vulnerabilities            assessed                        assets and impact criteria
  • Incident scenarios
Step 3: Risk Analysis: Risk Estimation
        Level of Risk Estimation

  Input                        Action                          Output
  • Incident scenarios         Level of risk is                List of risks with value
    with their consequences    estimated for all               levels assigned
  • Their likelihood           relevant incident
    (quantitative or           scenarios
    qualitative)
Step 4: Risk Evaluation

  Input                        Action                          Output
  • Risks with value levels    Level of risk is                Risks prioritized according
    assigned                   compared against risk           to risk evaluation criteria
  • Risk evaluation criteria   evaluation criteria and         in relation to the incident
                               risk acceptance criteria        scenarios
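Steps 2 to 4 above carried through in code, as an added example for this page: it is not code from the presentation, from SMART-RA, or from the ISO 27005 standard. It shows the Step 3 choice between a qualitative scale and a quantitative (currency) figure, and the Step 4 comparison of each estimated level against acceptance criteria. The 3x3 risk matrix, the one-notch credit for an effective existing control, the acceptance thresholds, the SLE x ARO formula and every asset, threat, control and vulnerability in the sample register are assumptions constructed for illustration; ISO 27005 leaves all of these to the organization's own evaluation and acceptance criteria.

```python
"""ISO 27005-style risk register: identification -> estimation -> evaluation.
Added example, not from the presentation or the standard. The matrix, control
credit rule, acceptance thresholds and all sample data are assumptions."""
from dataclasses import dataclass, field
from typing import List, Tuple

LEVELS = ("Low", "Medium", "High")  # one qualitative scale for likelihood, consequence and risk (assumed)


@dataclass
class Control:
    name: str
    implemented: bool            # implementation status (Step 2, existing controls)
    in_use: bool                 # usage status: installed but switched off is not "working correctly"
    reduces: str = "likelihood"  # "likelihood" (preventive) or "consequence" (recovery); assumed split

    def effective(self) -> bool:
        return self.implemented and self.in_use


@dataclass
class IncidentScenario:
    """One threat exploiting one vulnerability on one asset (Step 2, consequences)."""
    asset: str
    threat: str
    vulnerability: str
    consequence: str             # impact rating before controls: Low/Medium/High
    likelihood: str              # likelihood before controls: Low/Medium/High
    controls: List[Control] = field(default_factory=list)


def step_down(level: str) -> str:
    """One notch down the qualitative scale, floored at Low."""
    return LEVELS[max(LEVELS.index(level) - 1, 0)]


def residual(s: IncidentScenario) -> Tuple[str, str]:
    """Give each *effective* control one notch of credit (assumed rule).
    A control that is documented but not implemented, or not in use, changes nothing."""
    lik, con = s.likelihood, s.consequence
    for c in s.controls:
        if not c.effective():
            continue
        if c.reduces == "likelihood":
            lik = step_down(lik)
        else:
            con = step_down(con)
    return lik, con


# Step 3, qualitative estimation. Assumed matrix: rows = likelihood, columns = consequence.
RISK_MATRIX = {
    "Low":    {"Low": "Low",    "Medium": "Low",    "High": "Medium"},
    "Medium": {"Low": "Low",    "Medium": "Medium", "High": "High"},
    "High":   {"Low": "Medium", "Medium": "High",   "High": "High"},
}


def estimate_risk(s: IncidentScenario) -> str:
    lik, con = residual(s)
    return RISK_MATRIX[lik][con]


def annual_loss_expectancy(single_loss: float, annual_rate: float) -> float:
    """Step 3, quantitative estimation in currency: SLE x ARO (a common convention, not mandated by ISO 27005)."""
    return single_loss * annual_rate


# Step 4, risk acceptance criteria (assumed): only Low is accepted as-is.
ACCEPTANCE = {"Low": "accept", "Medium": "treat within plan", "High": "treat immediately"}


def evaluate(scenarios: List[IncidentScenario]) -> List[dict]:
    """Compare each estimated level against the acceptance criteria; return the register ordered High -> Low."""
    rows = []
    for s in scenarios:
        level = estimate_risk(s)
        rows.append({"asset": s.asset, "threat": s.threat, "risk": level, "decision": ACCEPTANCE[level]})
    rows.sort(key=lambda r: LEVELS.index(r["risk"]), reverse=True)  # stable: ties keep register order
    return rows


def unmatched_vulnerabilities(vulns: List[str], scenarios: List[IncidentScenario]) -> List[str]:
    """Step 2 output 'vulnerabilities not related to any threat': tracked, but carrying no risk level."""
    used = {s.vulnerability for s in scenarios}
    return [v for v in vulns if v not in used]


# Constructed sample register (fictional, for illustration only).
BACKUP = Control("Offsite encrypted backups", implemented=True, in_use=True, reduces="consequence")
WAF = Control("Web application firewall", implemented=True, in_use=False)  # bought, never enabled
MFA = Control("MFA on admin portal", implemented=False, in_use=False)

SAMPLE_SCENARIOS = [
    IncidentScenario("Customer DB", "Ransomware", "Unpatched file server", "High", "High", [BACKUP]),
    IncidentScenario("Public web app", "SQL injection", "Unvalidated input", "High", "Medium", [WAF]),
    IncidentScenario("Admin portal", "Credential stuffing", "Password-only login", "Medium", "Medium", [MFA]),
    IncidentScenario("HR laptop", "Theft", "No disk encryption", "Medium", "Low", []),
]
SAMPLE_VULNERABILITIES = ["Unpatched file server", "Unvalidated input", "Password-only login",
                          "No disk encryption", "Outdated fax server firmware"]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_SCENARIOS):
        print(f"{row['risk']:<7} {row['asset']:<16} {row['threat']:<20} -> {row['decision']}")
    print("Unmatched vulnerabilities:", unmatched_vulnerabilities(SAMPLE_VULNERABILITIES, SAMPLE_SCENARIOS))
    print("ALE for a $250k loss expected once in 5 years:", annual_loss_expectancy(250_000, 0.2))
```

Running the register puts the ransomware and SQL injection scenarios at High and the laptop theft at Low (accepted). The web application firewall that is implemented but not in use earns no credit, which is the practical meaning of the "check if the controls are working correctly" step, and the fax-server vulnerability with no matching threat is reported separately rather than silently dropped.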
Summary
• Keep it Simple and Systematic
• Comprehensive
• Risk-sensitive culture in the organization.
• Drive security from a risk management perspective, rather than
  only a compliance perspective.
• Help RA to help you...
Questions?

Be a Risk Assessment Evangelist!
     IS-RA Forum on LinkedIn
     SMART-RA Forum on LinkedIn

                   Dharshan Shanthamurthy,
           E-mail: dharshan.shanthamurthy@sisa.in
                   Phone: +91-99451 22551
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 

Último (20)

Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 

ISO 27005 Risk Assessment

  • 1. Risk Assessment as per ISO 27005. Presented by Dharshan Shanthamurthy, Risk Assessment Evangelist, WWW.SMART‐RA.COM. SMART‐RA.COM is a patent pending product of SISA Information Security Pvt. Ltd.
  • 2. What is Risk Assessment?
      NIST SP 800‐30: Risk Assessment is the analysis of threats in conjunction with vulnerabilities and existing controls.
      OCTAVE: A Risk Assessment will provide information needed to make risk management decisions regarding the degree of security remediation.
      ISO 27005: Risk Assessment = Identification, Estimation and Evaluation.
  • 3. Why Risk Assessment? Regulatory Compliance (Compliance Standard / Risk Assessment Requirement)
      PCI DSS Requirement 12.1.2: Formal and structured risk assessment based on methodologies like ISO 27005, NIST SP 800‐30, OCTAVE, etc.
      HIPAA Section 164.308(a)(1): Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
      FISMA 3544: Periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices, to be performed at least annually.
      ISO 27001 Clause 4.1: Risk assessments should identify risks against risk acceptance criteria and organizational objectives. Risk assessments should also be performed periodically to address changes in the security requirements and in the risk situation.
      Also: GLBA, SOX, FISMA, Data Protection Act, IT Act Amendment 2008, Privacy Act, HITRUST……
  • 4. Why Risk Assessment? Business Rationale (Function / Explanation)
      Return on Investment: A structured RA methodology follows a systematic and pre‐defined approach, minimizes the scope of human error, and emphasizes process driven, rather than human driven, activities.
      Budget Allocation: Assists in controls cost planning and justification.
      Controls: Cost and effort optimization by optimizing controls selection and implementation.
      Efficient utilization of resources: Resource optimization by appropriate delegation of actions related to controls implementation.
  • 5. What is IS‐RA? Risk assessment is the cornerstone of any information security program, and it is the fastest way to gain a complete understanding of an organization's security profile – its strengths and weaknesses, its vulnerabilities and exposures. "IF YOU CAN'T MEASURE IT … YOU CAN'T MANAGE IT!"
  • 6. Reality Check
      ISRA – a need more than a want
      Each organization has its own ISRA
      ISRA learning curve
      Cumbersome – 1000 assets, 20 worksheets
      Two months of effort
      Complicated report
  • 7. Exercise: Threat Scenarios; Threat Profiles to be filled.
  • 8. Risk Assessment reference points: OCTAVE, NIST SP 800‐30, ISO 27005, COSO, Risk IT, ISO 31000, AS/NZS 4360, FRAP, FTA, MEHARI.
  • 9. ISO 27005 Introduction
      ISO 27005 is an Information Security Risk Management guideline.
      Lays emphasis on the ISMS concept of ISO 27001:2005.
      Drafted and published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
      Provides a RA guideline and does not recommend any RA methodologies.
      Applicable to organizations of all types.
  • 10. ISO 27005 Workflow
      Advocates an iterative approach to risk assessment.
      Aims at balancing time and effort with controls efficiency in mitigating high risks.
      Proposes the Plan‐Do‐Check‐Act cycle. Source: ISO 27005 Standard.
  • 11. ISO 27005 Risk Assessment
      Information Security Risk Assessment = Risk Analysis + Risk Evaluation
      Risk Analysis = Risk Identification + Risk Estimation
      1. Risk Identification: risk is characterized in terms of organizational conditions.
        Identification of Assets: assets within the defined scope.
        Identification of Threats: based on incident reviewing, asset owners, asset users, external threats, etc.
  • 12. ISO 27005 Risk Assessment Contd.
        Identification of Existing Controls: also check whether the controls are working correctly.
        Identification of Vulnerabilities: vulnerabilities are shortlisted in organizational processes, IT, personnel, etc.
        Identification of Consequences: the impact of loss of CIA of assets.
      2. Risk Estimation: specifies the measure of risk.
        Qualitative Estimation
        Quantitative Estimation
      Risk Evaluation: compares and prioritizes Risk Level based on Risk Evaluation Criteria and Risk Acceptance Criteria.
  • 13. ISO 27005 RA Workflow: Step 1 General Description of ISRA; Step 2 Risk Analysis: Risk Identification; Step 3 Risk Analysis: Risk Estimation; Step 4 Risk Evaluation.
  • 14. Step 1 General Description of ISRA
      Input: Basic Criteria; Scope and Boundaries; Organization for ISRM.
      Action: Identify, describe (quantitatively or qualitatively) and prioritize risks.
      Output: Assessed risks prioritized according to Risk Evaluation Criteria.
  • 15. Step 2 Risk Analysis: Risk Identification – Identification of Assets
      Input: Scope and Boundaries; Asset owners; Asset location; Asset function.
      Action: Assets are defined.
      Output: List of assets; list of associated business processes.
  • 16. Step 2 Risk Analysis: Risk Identification – Identification of Threats
      Input: Threat information from review of incidents, asset owners, asset users, etc.
      Action: Threats are defined.
      Output: Threat information: threats, threat source, threat type.
  • 17. Step 2 Risk Analysis: Risk Identification – Identification of Existing Controls
      Input: Documentation of controls; RTP (Risk Treatment Plan).
      Action: Existing and planned controls are defined.
      Output: Existing and planned controls; implementation status; usage status.
  • 18. Step 2 Risk Analysis: Risk Identification – Identification of Vulnerabilities
      Input: Identified assets; identified threats; identified existing controls.
      Action: Vulnerabilities are identified.
      Output: Vulnerabilities related to assets, threats, controls; vulnerabilities not related to any threat.
  • 19. Step 2 Risk Analysis: Risk Identification – Identification of Consequences
      Input: Assets and business processes; threats and vulnerabilities.
      Action: The impact of the loss of CIA is identified.
      Output: Incident scenarios with their consequences related to assets and business processes.
  • 20. Step 3 Risk Analysis: Risk Estimation – Risk Estimation Methodologies
      (a) Qualitative Estimation: High, Medium, Low
      (b) Quantitative Estimation: $, hours, etc.
  • 21. Step 3 Risk Analysis: Risk Estimation – Assessment of consequences
      Input: Assets and business processes; threats and vulnerabilities; incident scenarios.
      Action: The business impact from information security incidents is assessed.
      Output: Assessed consequences of an incident scenario expressed in terms of assets and impact criteria.
  • 22. Step 3 Risk Analysis: Risk Estimation – Level of Risk Estimation
      Input: Incident scenarios with their consequences; their likelihood (quantitative or qualitative).
      Action: Level of risk is estimated for all relevant incident scenarios.
      Output: List of risks with value levels assigned.
  • 23. Step 4 Risk Evaluation
      Input: Risks with value levels assigned and risk evaluation criteria in relation to the incident scenarios.
      Action: Level of risk is compared against risk evaluation criteria and risk acceptance criteria.
      Output: Risks prioritized according to risk evaluation criteria.
  • 24. Summary
      Keep it Simple and Systematic
      Comprehensive
      Risk sensitive culture in the organization.
      Drive security from a risk management perspective, rather than only a compliance perspective.
      Help RA to help you…
  • 25. Questions? Be a Risk Assessment Evangelist! IS‐RA Forum on LinkedIn; SMART‐RA Forum on LinkedIn. Dharshan Shanthamurthy, E‐mail: dharshan.shanthamurthy@sisa.in, Phone: +91‐99451 22551
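The estimation and evaluation steps of slides 20 to 23 (level of risk from consequence and likelihood, comparison against risk acceptance criteria, prioritization) can be worked through in code. The following Python is an added example and is not code from the presentation or from SMART-RA; the three-level scales, the "consequence times likelihood" scoring rule, the quantitative "loss per incident times incidents per year" rule, the acceptance thresholds and the sample scenarios are all assumptions chosen for illustration, since ISO 27005 leaves the basic criteria to the organization.

```python
"""Worked example of ISO 27005 risk estimation (Step 3) and risk evaluation (Step 4).

Added illustration; not code from the presentation or from SMART-RA. Scales,
scoring rules, thresholds and sample data are assumptions for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Step 1 basic criteria (assumed): three-level qualitative scales.
CONSEQUENCE_SCALE = {"Low": 1, "Medium": 2, "High": 3}
LIKELIHOOD_SCALE = {"Low": 1, "Medium": 2, "High": 3}
# Risk acceptance criteria (assumed): qualitative score up to 2 is accepted,
# expected annual loss up to 10,000 currency units is accepted.
ACCEPT_SCORE = 2
ACCEPT_ANNUAL_LOSS = 10_000.0


@dataclass
class IncidentScenario:
    """Output of Step 2 (risk identification): one asset / threat / vulnerability
    combination recorded with its existing controls and its consequence."""
    asset: str
    threat: str
    vulnerability: str
    existing_controls: List[str] = field(default_factory=list)
    consequence: str = "Low"       # impact of loss of C, I or A (qualitative)
    likelihood: str = "Low"        # qualitative likelihood of the scenario
    loss_per_incident: Optional[float] = None   # quantitative: currency per incident
    incidents_per_year: Optional[float] = None  # quantitative: expected frequency


def qualitative_level(scenario: IncidentScenario) -> Tuple[int, str]:
    """Step 3 (a): level of risk = consequence x likelihood on the assumed scales,
    mapped back to a High / Medium / Low band."""
    score = CONSEQUENCE_SCALE[scenario.consequence] * LIKELIHOOD_SCALE[scenario.likelihood]
    if score >= 6:
        band = "High"
    elif score >= 3:
        band = "Medium"
    else:
        band = "Low"
    return score, band


def quantitative_level(scenario: IncidentScenario) -> Optional[float]:
    """Step 3 (b): expected annual loss = loss per incident x incidents per year.
    Returns None when the scenario carries no quantitative data."""
    if scenario.loss_per_incident is None or scenario.incidents_per_year is None:
        return None
    return scenario.loss_per_incident * scenario.incidents_per_year


def evaluate(scenarios: List[IncidentScenario]) -> List[Dict]:
    """Step 4: compare each level of risk with the acceptance criteria and return
    the register prioritized by qualitative score, then by expected annual loss."""
    register = []
    for s in scenarios:
        score, band = qualitative_level(s)
        annual_loss = quantitative_level(s)
        accepted = score <= ACCEPT_SCORE and (
            annual_loss is None or annual_loss <= ACCEPT_ANNUAL_LOSS)
        register.append({
            "asset": s.asset, "threat": s.threat, "vulnerability": s.vulnerability,
            "existing_controls": list(s.existing_controls),
            "score": score, "band": band, "annual_loss": annual_loss,
            "accepted": accepted,
        })
    register.sort(key=lambda r: (r["score"], r["annual_loss"] or 0.0), reverse=True)
    return register


# Constructed sample scenarios (not real data).
SAMPLE_SCENARIOS = [
    IncidentScenario("Cardholder database", "Unauthorised access via web application",
                     "Missing input validation", ["Web application firewall"],
                     consequence="High", likelihood="Medium",
                     loss_per_incident=250_000.0, incidents_per_year=0.2),
    IncidentScenario("Field laptop", "Theft", "No full-disk encryption", [],
                     consequence="High", likelihood="Low",
                     loss_per_incident=40_000.0, incidents_per_year=0.1),
    IncidentScenario("Office printer", "Misconfiguration", "Default settings",
                     ["Network segmentation"], consequence="Low", likelihood="Low"),
]

if __name__ == "__main__":
    for r in evaluate(SAMPLE_SCENARIOS):
        print(f'{r["band"]:6} score={r["score"]} annual_loss={r["annual_loss"]} '
              f'accepted={r["accepted"]}  {r["asset"]} / {r["threat"]}')
```

With the sample data the cardholder database scenario scores 6 (High) with an expected annual loss of 50,000 and is not accepted, the laptop scenario scores 3 (Medium) and is also above the qualitative acceptance threshold, and the printer scenario scores 1 (Low) and is accepted. The register comes back already ordered by that priority, which is the output slide 23 calls for; an organization would replace the assumed scales and thresholds with its own basic criteria from Step 1.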