Risk and Certification

-

Risk too...for Certification











The previous discussion on information and cyber security risk was focused toward the micro and small business; the purpose being an attempt to get their ball-rolling on looking at risk.

Certification to ISO/IEC 27001:2013 (information security management system (ISMS), requirements) needs the business to seriously focus on information and cyber security risk. In fact, clause 6 (Planning) and its sub-clauses are all focused on risk; this is the 'plan' element of the plan, do, check, act (PDCA) dance. On the other hand, clause 8 (Operation) and in particular 8.2 and 8.3 are all about carrying out risk assessment and treatment, the 'do' element of PDCA.

The International Organisation for Standardisation (ISO) does not dictate to your business any particular process or methodology for risk. But, whatever process you adopt it must produce consistent, valid and comparable results (clause 6.1.2b). If not, the system will collapse because, and let me be frank about this, it will not be an effective. 

ISO/IEC 27001:2013 (27K1:13) is split into two parts - Clauses, and Annex A.  Whilst the clauses will need some serious interpretation, it is Annex A that appears to cause one of the biggest challenges.

Let's bust a myth here; Annex A is catalogue of 114 controls, and as pointed out within ISO/IEC 27003:2017 (information security management system, guidance) they are a generic representation of controls and as highlighted in 27K1:13 under note 1 within clause 6.1.3c; Annex A is there to ensure that no necessary controls are overlooked. Although Annex A is important, you are justified in using other control catalogues (e.g.: NIST SP 800-53r5 (or 4)) if they are more appropriate when addressing the business risk treatment options. It is a business decision, not an ISO or Certifying Body decision.

 Another myth to bust is one that is centred upon why a particular control (or set of controls) has been implemented. There is a simple answer to this conundrum; it is because the business has identified a need through the risk assessment process; a decision has been made to treat that risk (in someway) and has implemented a particular control (or measure). It is a business decision, not an ISO or Certifying Body decision. 

The problem (and it is a serious problem) is when a business has simply knee-jerked, implemented a control (usually a technical one) without actually justifying (through the risk process) its need. In terms of your ISMS, and your certification, the cracks will start to form. If they do then any Certifying Body (CB) auditor worth their salt, will point these cracks out to you.

Final (for today at least) myth to bust is the Statement of Applicability (SoA). To kick-off, this is a required document (Clause 6.1.3d) that contains the necessary controls. To this end it is an output document, not an input document.  It is the output of your risk process all tied up with a nice neat bow. If your CB is due to audit your ISMS on Tuesday, then run the SoA off on the Monday - fresh, uptodate and ready to go. One final point on the SoA. This is a seriously important document, not simply for CB audit purposes, because it contains a 'roadmap' of your information and cyber security controls, and the status of those controls. Should the document ever fall into the wrong hands, just think about the consequences for a second or two. In fact, why not simply do a risk assessment on the information that the SoA contains, and determine what if any treatment/controls need to be put in place to protect (secure) that information.

Points to take away:

  • Information and cyber security risk management is central to your ISMS;
  • ISO does not dictate the risk process you adopt; there are stacks available - some good, some not so good - it's your choice. But, whatever you do, you must do something;
  • On the understanding that as a business you are in fact planning and operationally conducting risk assessments, the output (treatment/controls) will be a business decision, based upon its needs, not those of ISO or the CB.
  • Annex A is a reasonable (if a bit out of date) catalogue of controls; others are available, and you can use them or, design your own. On the understanding of course that you have justified why your are doing what you are doing through the risk process.
  • Your SoA is an output document that should be kept confidential to the business.
  • The direction of travel is - risk assessment process --> treatment options --> controls (measures).  Not, controls (measures) then fudge the risk process later on down the line. 
  • There is an awful lot more to achieve for example; the 'check' element of the PDCA dance has not yet been covered. Think about monitoring and reviewing the controls (measures) you have adopted. Do they remain valid?
  • Last (but not least) - communicate. Talk to people (internal and external stakeholders), let them know what is happening, or seek guidance. Whatever you do, communicate. 
KanSecurity (NL)





Popular posts from this blog

Black Swans and other things

-
Image
Back swans and other things. For transparency I’m not an academic. What I enjoy doing is reading academic works, it does not matter what field, with the objective of attempting to answer questions I have related to information and cyber security. Two [of many] questions [the context throughout this blog are businesses, organisations, and information and cyber security] . Why, in the many cases that have been documented, do Chief Information Security Officers [CISO] get shown the door following a major breach of a company network? Whilst CISOs are highlighted, others having a similar role but not called CISOs, are also covered under this question. Why, given the current situation of COVID-19, were many businesses unprepared? The unauthorised attempts at infiltrating a company network, are not outliers [thus not a Black Swan], they happen daily, it is the norm. The evidence, even though prejudiced in itself, is there for all to see. I say that the evidence is prejudiced
Read more

Personal data or PII

-
Image
PII or not to PII, that is the question PII, or personally identifiable information, is used an awful lot to describe something that within the EU-GDPR, DPA2018 (UK-GDPR) is referred to as, personal data. What is personal data vs PII? Personal data - means any information relating to an identified or identifiable natural person (’data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (GDPR, Art 4(1)). PII is identified in US law as - information that can be used to distinguish or trace an individual's identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.  (Offic
Read more

Risk and micro, small business

-
Image
Risk; why is it so difficult? Information security risk management, or if you wish cyber security risk management; either way it appears to cause a bit of a problem. Over many years now I have seen and audited different concoctions, the majority of which fail completely to be effective in managing the risk.  That said, I have also seen some scarily good processes, many of which are application driven rather than spreadsheet driven. This is an out and out plug, but the best and most effective examples have usually be driven by Acuity Risk Management's Stream application .  However, for the micro or small business the best approach is to keep things simple, for the moment at least. Risk description - there are excellent definitions for risk published within various ISO documents. However it all boils down to the following: Source (what is the source of the thing that could happen - internal or external parties) Event (what is going to occur) Cause
Read more