Risk and context

Risk tree...for Certification










This being the 3rd in the series about information and cyber security risk; but who's counting?

ISO/IEC 27001:2013 (27K1:13) sets out the requirements for an information security management system (ISMS).  ISO tells us that an ISMS is:
a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process.
There are some key words and phrases within that statement:
  1. Sensitive company information,
  2. Secure,
  3. People, processes, and IT systems,
  4. Risk management process.
Starting at the top; information, sensitive information to be more precise that if not protected (kept secure) could perhaps result in a negative consequence. Keep in mind though, risk is not just about the negative, it is also about opportunities.

Can 'sensitive' (whatever that means) information actually protect itself, or is there a need to include other components to help protect this 'asset' such as people; processes; and information technology (IT) systems?

A second question; what does sensitive mean? Of course, it is going to mean different things to different businesses; what is sensitive to one may not be sensitive to another. It's all a matter of context, and context is very important.

In order to develop a risk management process the first item on the agenda must be the identification and understanding of the context for which this risk process is to be developed; i.e.: the environment in which the business operates, and is able to function. 

Knowing the context will, perhaps, explain just what 'sensitive' means to the business. It will also tell us the people that may be involved (internal and external), the additional processes that may be required, and given that technology is the one ring to rule them all, what IT systems may be involved, wherever they may be.

Having said all of that there is another oddity to think about; well a few of them, but let us stick with one for the moment.

What is meant by an asset, and in particular an information asset? 27K1:13 does not help answer the question, it doesn't define the term. A quick peek at ISO/IEC 27000:2018 (ISMS, overview and vocabulary) states, "Information is an asset that, like other important business assets, is essential to an organization’s business and, consequently, needs to be suitably protected." Going further afield to the National Institute of Standards and Technology (NIST) and its Glossary does not help either.

In which case:
  • Asset, something of value (to the business),
  • Information, any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual. An instance of an information type. (NIST)
Therefore:
  • The business that creates, processes, stores, shares, transmits knowledge of its own intellectual property (IP) in the form of data would, one suggests, be referring to an information asset. IP has value to the business, and when in the form suggested, it becomes an information asset,
  • The business that creates, processes, stores, shares, transmits knowledge of personal data in the form of data, this too can be referred to as an information asset. The value in this case is to the data subject, but it is likely to be of value (in a slightly different context) to the business. 
The tools:
  • A device (workstation, laptop, smart phone, pad of some description) that helps a user (or indeed another device) in being able to create, store and then transmit IP is simply that, a tool. 
  • An application sitting on the device (or elsewhere) is yet another tool that facilitates the creation, storing and transmission.
  • The tools are assets (items of value) in their own right, but
  • These tools are not information assets!  
Important: if you have not already worked it out, there is a relationship going on here between the information, the tools, and the user. And this relationship is most important when looking at risk!

Things to take away:
  • Know what is meant by an ISMS;
  • Look at the context of the business to understand where information and cyber security risk will be positioned (scope);
  • Get to know what assets (those items of value to the business) are within scope,
  • Look for the relationship between the information assets and the many, and varied tools that are used within scope.
As a final thought; when reflecting upon the many and varied tools used within the business (think about: people; processes; IT systems, for a start) where are the 'weaknesses' or 'vulnerabilities' most likely to be found - the tools or, the information?
KanSecurity (NL)

Popular posts from this blog

Risk and micro, small business

Risk and Certification

Sleepless nights, and business owners