Risk management is a process that involves people and, while many of the people involved in this process will already have specific responsibilities inside the organisation, it is important to identify precisely the contribution they are expected to make to the risk management process.
ISO27005 recommends (clause 7.4) that ‘the organization and responsibilities for the information security risk management process should be set up and maintained’ and, in a footnote, comments that the creation of an organisation capable of carrying out a risk assessment could be regarded as ‘one of the resources required by ISO/IEC 27001.’
Without senior level management commitment it is unlikely an ISO27001 project would get as far as a risk assessment, but if it did, it certainly would not get much further.
In our experience, the risk assessment stage of the project is one of the most testing. The sheer amount of time and effort required to undertake a risk assessment that is sufficiently detailed to meet the requirements of ISO27001 is always underestimated at the start of the project, and this is when the drive and clout of senior management commitment is essential. That is, of course, assuming the senior managers understood what they were committing to in the first place!
One of the first things the project team should stage, in any ISMS project, is a board briefing which ensures that the senior managers who are signing up to the project, and committing the resources and effort to achieve the objective of certification (or at least an ISO27001-conforming ISMS), do so from an adequately informed position.
Of course, this means that they need to be aware of the costs and amount of work required, but also the benefits that follow, including the indirect benefits of, for example, identifying and protecting specific information assets and of changing and improving the mindset of those managers responsible for them. In some organisations just producing an information asset register is a major undertaking and can warrant a considerable project in its own right, delivering benefits when the invoices and ‘Friday cake club’ schedule are suitably segregated and asset ‘owners’ identified.
As this book explains, the risk assessment process will involve a number of staff for a considerable amount of time. When done correctly, management and senior staff will be involved and their time will suddenly become all the more precious. When senior management make an adequately informed commitment to the project, sufficient encouragement and resources should be made available for the project to progress to plan and to time.
Another benefit and product of senior management commitment should be the assignment of a dedicated resource for coordinating risk management policies and tasks. Assigning a central risk management coordination resource (which we discuss further, below) is a critical success factor. The intention is that this central focal point carries out coordination activities, acts as a route for risk issues to be brought to the attention of senior management, ensures suitable tools and resources are available, and provides guidance and advice to all those elsewhere in the business who are actually carrying out the risk assessment activities.
Not only does such a central resource ensure that risk management, initially, and then subsequently, receives the attention it deserves, but it also provides the essential structure in which risk assessment results throughout the organisation can be accurately described as ‘repeatable and comparable’. ‘Repeatable and comparable’ is a key requirement of the risk assessment methodology, as defined in ISO27001.
It is entirely up to the individual organisation to choose who is to undertake, or rather coordinate, the risk assessment, and how. There are two issues to consider before deciding who. The first is that the standard expects that periodic reviews of security risks and related controls will be carried out – taking account of new threats and vulnerabilities, assessing the impact of changes in the business, its goals or processes, technology and/or its external environment (such as legislation, regulation or society) and simply to confirm that controls remain effective and appropriate. Periodic review is a fundamental requirement of any risk assessment or risk management strategy.
The second issue is that it is an assumption of the standard (stated in the foreword) ‘that the execution of its provisions is entrusted to appropriately qualified and experienced people’. It is essential that the risk assessment is managed by an appropriately qualified and experienced person. This is logical; the key step on which the entire ISMS will be built needs, itself, to be solid. The ISO27001 auditor will, therefore, want to see documentary evidence of the formal qualifications and experience of this person; at least that they have been reviewed and accepted by management.
A number of organisations will, as we have seen, already have a risk management function, staffed by people with training that enables them to carry out risk assessments. The role of the risk management team is, usually, to systematically identify, evaluate and control potential losses to the organisation that may result from things that haven’t happened yet. The skills and methodology of this group may, or may not, also meet the requirements of ISO27001. Either way, there are potentially significant benefits for such an organisation if its information security risk assessments can be carried out by the same function that handles all risk assessments.
The benefits lie not just in cost effectiveness, but in the fact that such a risk management, or risk control resource, will have an existing and ongoing understanding of the business, its goals and environment, and an appreciation of all the risks faced by the business in the pursuit of its objectives. Equally, they should be able to assess how all the different risks, and the steps taken to counter them, are related and coordinated. This, of course, also helps address the requirement that the risk assessment is conducted in the wider business risk context.
Many organisations, however, do not already have an internal risk management function. There are two possible ways to tackle the issue of risk assessment. The first is to hire an external consultant (or firm of consultants) to do it. The second is to train someone internally to do it. The second is preferable in most cases, as the risk assessment ‘shall be reviewed at appropriately defined intervals as required’ and having the expertise in-house enables this to be undertaken cost-effectively. It also increases ownership of the process and the resulting ISMS.
In circumstances where the organisation has existing arrangements with external suppliers for risk assessment services, or is in the process of setting up a risk management function or capability (in the context of responding to the requirements of the increasing corporate governance and regulatory requirements, perhaps), then it should, from the outset, investigate ways in which its risk assessment processes could be integrated.
It is more difficult for a smaller business to retain specialist information security expertise in house than for a larger one; the internal risk assessment role needs to be maintained over time and the person concerned needs to continue being trained and involved in both information security and risk assessment issues, both inside and outside the organisation.
The disadvantage of hiring external risk assessors, apart from the cost, is that the organisation does not necessarily get continuity of involvement from individuals within a firm of assessors. The advantage of the external hire, apart from it being a variable cost, is that the external assessor should be up to date on relevant issues and should be wholly objective. A possible middle route is to contract on a multi-year basis, with an appropriately trained individual or consultancy firm to personally provide this service as and when it is required, working closely with identified internal staff. However the organisation chooses to acquire this resource, it is crucial that s/he is in place and able to be fully involved in the risk analysis and assessment process that this book describes.
We have already said, categorically, that board and senior management support for the ISMS and, by extension, for the risk management process is critical. However, senior management support on its own will not be sufficient for the organisation to succeed: responsibilities need to be devolved to a number of people throughout the organisation. The risk assessment process will rely on input from a wide range of sources, and all those people who are most able to provide knowledgeable and informed input and decisions must contribute to the process.
The people who should support[25] and participate in the risk management process include:
Chief Information Officer (CIO): is responsible for the organisation’s IT planning, budgeting and performance, including its information security components. Decisions made in these areas should be based on an effective risk management programme. Unless the CIO has substantial business experience and can communicate effectively and convincingly across the business-technology gulf that exists in most organisations, the CIO should not lead the ISO27001 project. Achieving ISO27001 is a business change project, not an IT project.
Senior executive management: are accountable to the board and have ultimate operational responsibility for achieving the organisation’s goals. They must be committed to the project and must, therefore, ensure that the necessary resources are effectively applied to develop the capabilities needed to accomplish those goals. They must also assess and incorporate the results of the initial and ongoing risk assessment activity into their decision-making process. An effective risk management programme that assesses and mitigates information-related risks requires the support and involvement of senior management – without whose active and committed involvement an ISO27001 project is, in any case, doomed to fail.
Business managers (who are also likely to be information asset ‘owners’): are responsible for determining the criticality and sensitivity of business operations and, therefore, of the information assets on which those business operations depend. Business managers are best placed to assess the real asset value which, as we shall see shortly, will inform the impact side of the risk assessment equation.
Business and functional managers: those responsible for business operations and the procurement process; they must also take an active role in the risk management process. These managers are the individuals with the authority and responsibility for making the trade-off decisions essential to achieving business objectives. Their involvement in the risk management process helps deliver effective security for the information systems, helping the organisation achieve its objectives with minimal expenditure on resources.
Information security officers (ISOs), information security managers and computer security officers: are responsible for their organisation’s information security activity, including the implementation of risk treatment decisions. ISOs should all be appropriately qualified; appropriate qualifications are those (such as CISM, CISMP) that are focused on managing information security, rather than its technical implementation.[26] ISOs have a leading role to play in introducing an appropriate, structured methodology that helps identify, evaluate and minimise risks to the information assets and IT systems that support the organisational objectives. Critically, therefore, ISOs must have risk assessment competence and the organisation needs to have made adequate provision for risk assessment training.
ISOs can also act internally as key consultants in support of senior management to help ensure the success of the ISMS project.
IT security practitioners (including network, system, application and database administrators, computer specialists, security analysts and security consultants): are responsible for the proper implementation of control requirements in their IT systems. IT security practitioners should be appropriately skilled and trained, and should have relevant, current technical qualifications (e.g. CCNA, CCSA)[27] related to those technologies for which they are specifically responsible.
As changes occur in the existing IT system environment (e.g. expansion in network connectivity, changes to the existing infrastructure and organisational policies, or the introduction of new technologies), the IT security practitioners must support or use the risk management process to identify and assess new potential risks and implement new security controls as needed to safeguard their IT systems.
Technical/functional personnel: are most able to form practical and realistic opinions on the likelihood of occurrence of the threat-vulnerability combinations that will be identified as compromising individual information assets. Technical personnel include all those with relevant technical or functional expertise, including the facilities management team for physical security issues, HR for personnel, IT for information technology, those with responsibilities for utilities and other aspects of the corporate infrastructure, the finance team, the audit team, etc.
System and information asset owners: are responsible for ensuring that proper controls are in place to protect the integrity, confidentiality and availability of the information systems and information assets (data) they own. Typically, the system and information owners are also responsible for changes to their information assets. Thus, they might have to approve and sign off changes to their information systems (e.g. system enhancements, major changes to the software and hardware). The system and information owners must, therefore, understand their role in the risk management process and fully support it.
The initial role of the individual asset owner in the risk assessment project is two-fold: first, s/he is responsible for estimating the value of the asset for which s/he is accountable, following the principles set out in Chapter 6, and applying the appropriate level of sensitivity classification; second, s/he is responsible for identifying all threat-vulnerability combinations that might relate to the asset. Any risk assessment tool that you use must be capable of allowing asset owners to provide this information, either through some form of information collection device or through online functionality.
Training team: this should include subject-matter experts and the champion users of the organisation’s information systems, and these people have a key role to play. Use of the information systems and data according to an organisation’s policies, guidelines and specific procedures is critical to mitigating risk and protecting the organisation’s resources. To minimise risk to the information systems, it is essential that system and application users be provided with security awareness training. Therefore, the information security trainers or security/subject-matter professionals must understand the risk management process, so that they can develop appropriate training materials and incorporate risk assessment into training programmes that are effective for the end users. Much of this training can be delivered through online learning or other media that ensure consistent delivery of a clearly articulated training message.
[25] NIST SP 800-30 provided most of the detailed role descriptions used here.
[26] See www.itgovernance.co.uk/infosec_quals.aspx for all the key information security management qualifications and graduate/postgraduate courses. Each qualification has different strengths and weaknesses; it is not unusual for individuals to accumulate more than one qualification.
[27] See www.itgovernance.co.uk/infosec_quals.aspx for a list of some of the key, current vendor technical qualifications.