Upload: vigilant-software

Post on 16-May-2015

Page 1: The Importance of Risk Management

“The definitive risk assessment tool for ISO27001 certification”

Copyright © Vigilant Software Ltd 2013

Alan Calder

CEO, Vigilant Software

Thursday May 16th

PLEASE NOTE THAT ALL DELEGATES IN THE TELECONFERENCE ARE MUTED ON JOINING. Q&A IS HANDLED THROUGH A COMBINATION OF WEBEX CHAT/TEXT AND VOICE.

The Importance of Risk Management

Page 2

Alan Calder

• CEO and founder of Vigilant Software
• Acknowledged information security/risk management thought leader
• Managed the world’s first successful ISO27001 (then BS7799) implementation project in 1996
• Frequent media commentator on risk management issues
• Co-author of vsRisk™ – the definitive cybersecurity risk assessment tool

Page 3

Today’s Webinar in Context

• Today’s webinar is #2 in an educational series.
• The 4 webinars are designed to take you on a learning journey:
  • Webinar 1 – Why ISO 27001 for my Organisation?
  • Webinar 2 (Today) – The Importance of Risk Management.
  • Webinar 3 – Carrying out a risk assessment using vsRisk.
  • Webinar 4 – Maintaining/updating your risk assessment using vsRisk.

Registration details for future webinars are at the end.

Page 4

Today’s Agenda

• A short 20-30 minute educational and informative talk:
  • Quick recap of last week’s webinar – Why ISO 27001 for my Organisation?
  • The importance of risk management.
• Ample time for Q&A.
• Next steps.

Page 5

Recap – last week’s webinar

In last week’s webinar we covered:

• What is information security?
• What is an information security management system (ISMS)?
• What is ISO 27001?
• Why should I and my organisation care about ISO 27001?

Page 6

Information Security Terms and Phrases

Information security: preservation of confidentiality, integrity and availability of information; in addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved.

Confidentiality: the property that information is not made available or disclosed to unauthorized individuals, entities, or processes.

Integrity: the property of safeguarding the accuracy and completeness of assets.

Availability: the property of being accessible and usable upon demand by an authorized entity.

Asset: anything that has value to the organization.

Page 7

What is a Risk?

A risk exists where there is an identifiable likelihood of an identified threat exploiting an identified vulnerability in relation to the confidentiality, availability or integrity of an asset, and where that compromise will have a quantifiable impact on the organisation.

Without likelihood and impact, there is no risk.

Page 8

What is a risk assessment?

• A risk assessment is the core competence of information security management.
• ISO 27001 explicitly asks for:
  • a risk assessment to be carried out before any controls are selected and implemented.
  • every control to be justified by a risk assessment.
• Plan-Do-Check-Act model.

Page 9

Plan-Do-Check-Act

[Diagram: the Plan-Do-Check-Act cycle]

Page 10

What is a risk assessment?

• The risk assessment must:
  • Identify the threat/vulnerability combinations that have a likelihood of impacting the confidentiality, availability or integrity of each asset within the scope.
  • This must be done from a business, compliance or contractual perspective.

Page 11

Benefits of risk assessment

• Spend on controls is balanced against the business harm likely to result from security failures.
• Existing over-expenditure can be re-allocated to areas of weakness.
• Information security management decisions are driven entirely by the outcomes of the risk assessment, so they are objective.

Page 12

[Diagram: Assets, Threats and Vulnerabilities feed into Risks, which are addressed by Countermeasures/Safeguards; the stages shown are Identification, Analysis, Treatment and Implementation]

Page 13

Risk Management: Asset Documentation

Produce an inventory of all assets:

• All physical computing resources (computers, servers, PDAs, etc.)
• Buildings
• Telephones, mobile phones
• Storage facilities
• Information assets: databases, documentation, blueprints
• People

Maintain an asset register! Control category A.7 is Asset Management: consider it when preparing for the risk assessment.

Page 14

Risk Management: Asset Management

• Responsibility for assets.
• Information classification.
• Sensitivity guidelines.
• Sensitivity labelling.

Page 15

Risk Assessment – Objective

To inform a proper balance of safeguards against the risk of failing to meet business objectives.

• For a given exposure, removal of safeguards will increase the risk of loss.
• Too many safeguards could make the security system too expensive/bureaucratic.
• Method by which expenditure on security and contingency can be justified.

Page 16

Risk assessment

• Define the approach.
• Comparable and reproducible.
• Develop criteria for acceptance of risk and for identifying the acceptable level of risk.
• Risk Acceptance Criteria.

Page 17

Treatment of Risk

After completing the analysis of a risk, you need to decide how to manage it.

Treatment of risk:

• Accept? (Criteria already developed.)
• Eliminate the risk by a work-around or other arrangements.
• Control the risk to bring it to an acceptable level.
• Transfer it to a third party (e.g. via insurance).

Then select controls.
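To make the definition on page 7 (no likelihood or no impact means no risk), the acceptance criteria on page 16 and the four treatment options above concrete, here is an added Python example that is not part of the webinar or of vsRisk. It scores each threat/vulnerability pair against an asset on a constructed 0..5 likelihood and impact scale (an assumption), compares inherent and residual risk with an acceptance threshold, and flags treatments that do not reduce the risk or still leave it above the criterion; the sample register entries are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    asset: str
    threat: str
    vulnerability: str
    prop: str                  # property at risk: "C", "I" or "A"
    likelihood: int            # 0..5 on a constructed scale (an assumption)
    impact: int                # business impact of that compromise, 0..5
    treatment: str = "accept"  # accept | control | eliminate | transfer
    residual: tuple = ()       # (likelihood, impact) expected after the treatment

def risk_score(likelihood: int, impact: int) -> int:
    """Risk = likelihood x impact; a zero on either side means there is no risk."""
    return likelihood * impact

def assess(s: Scenario, accept_at_or_below: int) -> dict:
    """Score one threat/vulnerability pair and test its treatment against the criterion."""
    inherent = risk_score(s.likelihood, s.impact)
    row = {"asset": s.asset, "threat": s.threat, "risk": inherent, "residual": inherent, "status": "no risk"}
    if inherent == 0:
        return row
    if s.treatment == "accept":
        row["status"] = "accepted" if inherent <= accept_at_or_below else "UNACCEPTABLE"
    elif s.treatment == "eliminate":   # a work-around removes the exposure entirely
        row.update(residual=0, status="eliminated")
    else:                              # control, or transfer (e.g. insurance)
        row["residual"] = residual = risk_score(*s.residual) if s.residual else inherent
        if residual >= inherent:       # every control must be justified by the assessment
            row["status"] = "UNJUSTIFIED: %s does not reduce risk" % s.treatment
        elif residual <= accept_at_or_below:
            row["status"] = "residual accepted (%s)" % s.treatment
        else:
            row["status"] = "UNACCEPTABLE: residual above criterion"
    return row

def risk_register(scenarios, accept_at_or_below: int = 6) -> list:
    """Comparable, reproducible output: highest inherent risk first, then by asset."""
    return sorted((assess(s, accept_at_or_below) for s in scenarios),
                  key=lambda r: (-r["risk"], r["asset"], r["threat"]))

# Constructed sample register entries (not from the talk).
SCENARIOS = [
    Scenario("customer database", "unauthorised access", "backups not access-controlled", "C", 3, 5, "control", (1, 5)),
    Scenario("customer database", "fire", "no fire suppression", "A", 3, 3, "transfer", (3, 1)),
    Scenario("sales laptop", "theft", "disk not encrypted", "C", 4, 3),
    Scenario("sales laptop", "meteor strike", "none identified", "A", 0, 2),
]
```

Calling `risk_register(SCENARIOS)` lists the laptop theft as UNACCEPTABLE under the default threshold of 6, which is the signal that a control, work-around or transfer still has to be chosen for it.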

Page 18

Safe and Secure – The Importance of Risk Management

• An Information Security Management System (ISMS) will help your organisation to become ISO 27001 certified.
• This certification will tell your potential customers, employees and partners that your information systems are safe and secure.

Page 19

Safe and secure – so what?

• It’s not your word – your information systems are safe and secure to a recognisable, externally audited, international standard.
• Tells existing and potential customers, employees and partners, as well as regulators, that you have defined and put in place effective information security processes, thus helping create a trusting relationship.
• You are good to do business with!

Page 20

Summary

• Information security risk analysis is a difficult task involving experience and knowledge of the environment being analysed.
• A number of risk analysis and management methods have been proposed for both commercial and government sectors. These methods are currently available either in the form of guidelines to be applied manually or as software packages.
• There are tools to help – vsRisk is demoed in next week’s webinar.

Page 21

Next Steps – Upcoming Educational Webinars

• Webinar 3 – Carrying out a Risk Assessment using vsRisk – Thursday May 23rd, 4pm UK time.
• Webinar 4 – Maintaining and Updating your Risk Assessment using vsRisk – Thursday May 30th, 4pm UK time. Includes announcement of a special offer on vsRisk for webinar registrants.
• Register for both/either at http://www.vigilantsoftware.co.uk/webinars.aspx

Page 22

Before the next webinars… Read a book…

Read the world's first practical e-book guidance on achieving ISO 27001 certification and the nine essential steps to an effective ISMS implementation.

Available on offer at £25.95 (normally £29.95) at http://www.vigilantsoftware.co.uk/product/1651.aspx

Download a free trial of vsRisk

The information security risk assessment tool compliant to ISO 27001 that automates and accelerates the risk management process.

15-day free trial at http://www.vigilantsoftware.co.uk

Page 23

Next Steps – Want to know more?

If you would like to know more about ISO 27001, including how to carry out an ISO 27001-compliant risk assessment, please visit http://www.vigilantsoftware.co.uk or email [email protected].

Page 24

Questions – we welcome them all!

Please type your questions into the Webex chat window – responses will generally be verbal and shared with all delegates.