The Basics of Risk Assessment and Treatment According to ISO 27001 Presentation Deck
TRANSCRIPT
7/25/2019 The Basics of Risk Assessment and Treatment According to ISO 27001 Presentation Deck
http://slidepdf.com/reader/full/the-basics-of-risk-assessment-and-treatment-according-to-iso-27001-presentation 1/19
The basics of risk assessment and treatment according to ISO 27001
Presenter: Dejan Kosutic
©2015 27001Academy www.advisera.com/27001academy
GoToWebinar Control Panel
• Open and close your Panel
• View, Select, and Test your audio
• Submit text questions – they will be addressed throughout the session
• Raise your hand
Which are the basic steps in ISO 27001 risk assessment and treatment?
If you’re planning to start the risk assessment…
… to succeed, you need to understand the significance of risk management, and learn what is acceptable according to the standard
Risk management is the critical first step in ISO 27001 implementation – it determines everything that happens afterward.
Agenda
• Why risk management?
• The process of risk management
• Elements of risk assessment
• Identification of assets
• Threats and vulnerabilities
• Impact and likelihood
• 4 options for risk treatment
• Biggest challenges with risk management
Why risk management?
Diagram on the slide: Information security management (ISO 27001), with the supporting standards
• Risk management (ISO 27005)
• Safeguards (ISO 27002)
• Measurement (ISO 27004)
The process of risk management…
Diagram labels: “Analyze and assess”, “Mandatory procedures”
Steps shown:
• Risk assessment methodology
• Risk assessment
• Risk treatment
…The process of risk management
Diagram label: “Mandatory procedures”
Steps shown (continued):
• Statement of Applicability
• Risk treatment plan
Elements of risk assessment
Risk identification:
• Asset
• Threat
• Vulnerability
Risk analysis:
• Impact
• Likelihood
Risk = Impact x Likelihood
(or) Risk = Impact + Likelihood
Risk owner
Assets – What do we protect?
• Examples:
• Hardware
• Software
• Information (electronic, paper etc.)
• Infrastructure
• People!
• etc.
• Identification of asset owners
Threats – What can happen?
Examples:
• Fire
• Earthquake
• Computer viruses
• Bomb threat
• Equipment malfunction
• Key people leaving the company
Vulnerabilities – Why can that happen?
Examples:
• Lack of fire-extinguishing system
• Lack of business continuity plans
• Lack of anti-virus software
• Lack of incident response procedures
• Obsolete equipment
• Lack of replacement
Impact and likelihood
• Example of assessment scale:
• High
• Medium
• Low
• Or:
• 1 to 5
• 1 to 10
Example of Risk assessment table
Asset                | Owner             | Threat                         | Vulnerability                   | Impact (1-5) | Likelihood (1-5) | Risk (=I+L)
Server               | Admin.            | Electricity outage             | No UPS                          | 4            | 2                | 6
Server               | Admin.            | Fire                           | No fire extinguisher            | 5            | 3                | 8
Contract             | Managing director | Access by unauthorized persons | The contract is left on a table | 4            | 4                | 8
Contract             | Managing director | Fire                           | No fire protection              | 4            | 3                | 7
System administrator | Department head   | Accident                       | No-one else knows the passwords | 5            | 3                | 8
4 options for risk treatment
• Apply appropriate controls
• Accept risks
• Avoid risks
• Transfer risks
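The following Python is an added example, not code from the presentation or from 27001Academy. It scores the five rows of the deck's example table with both formulas the deck offers (Impact + Likelihood and Impact x Likelihood), ranks them, and checks them against an acceptable-risk level before and after a treatment decision is recorded using the four options above. The acceptable level of 6, the tie-break on impact when ranking, the treatment choices in treat_example and the residual impact/likelihood estimates are assumptions for the illustration; the deck states none of them. One thing it shows that the table alone does not: the two formulas rank the same rows differently (4+4 ties with 5+3, but 4x4 beats 5x3), so the choice of formula in the methodology changes what gets treated first.

```python
from dataclasses import dataclass, replace
from enum import Enum
from typing import Callable, List, Optional

SCALE_MIN, SCALE_MAX = 1, 5  # the 1-5 scale used in the deck's table
Formula = Callable[[int, int], int]


class Treatment(Enum):
    """The four treatment options listed on the deck."""
    APPLY_CONTROLS = "apply appropriate controls"
    ACCEPT = "accept risk"
    AVOID = "avoid risk"
    TRANSFER = "transfer risk"


def additive(impact: int, likelihood: int) -> int:
    """Risk = Impact + Likelihood (the formula the deck's table uses)."""
    return impact + likelihood


def multiplicative(impact: int, likelihood: int) -> int:
    """Risk = Impact x Likelihood (the deck's alternative formula)."""
    return impact * likelihood


def check_scale(name: str, value: int) -> int:
    if not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{name}={value} is outside the {SCALE_MIN}-{SCALE_MAX} scale")
    return value


@dataclass
class Risk:
    asset: str
    owner: str  # the risk owner column of the deck's table
    threat: str
    vulnerability: str
    impact: int
    likelihood: int
    treatment: Optional[Treatment] = None
    # Assumed, not on the deck: impact/likelihood re-estimated after treatment.
    residual_impact: Optional[int] = None
    residual_likelihood: Optional[int] = None

    def __post_init__(self) -> None:
        check_scale("impact", self.impact)
        check_scale("likelihood", self.likelihood)

    def score(self, formula: Formula = additive) -> int:
        return formula(self.impact, self.likelihood)

    def residual_score(self, formula: Formula = additive) -> int:
        """Post-treatment score: the re-estimated values if the treatment
        supplied them, else the inherent score (which is what 'accept' means)."""
        if self.residual_impact is None or self.residual_likelihood is None:
            return self.score(formula)
        return formula(check_scale("residual_impact", self.residual_impact),
                       check_scale("residual_likelihood", self.residual_likelihood))


def rank(register: List[Risk], formula: Formula = additive) -> List[Risk]:
    """Highest score first; ties go to the higher impact (assumed rule), then table order."""
    return sorted(register, key=lambda r: (r.score(formula), r.impact), reverse=True)


def unacceptable(register: List[Risk], threshold: int,
                 formula: Formula = additive, residual: bool = False) -> List[Risk]:
    """Risks whose inherent (or, with residual=True, post-treatment) score exceeds the threshold."""
    def pick(r: Risk) -> int:
        return r.residual_score(formula) if residual else r.score(formula)
    return [r for r in rank(register, formula) if pick(r) > threshold]


# The five rows of the deck's example table, transcribed into the register.
REGISTER = [
    Risk("Server", "Admin.", "Electricity outage", "No UPS", 4, 2),
    Risk("Server", "Admin.", "Fire", "No fire extinguisher", 5, 3),
    Risk("Contract", "Managing director", "Access by unauthorized persons",
         "The contract is left on a table", 4, 4),
    Risk("Contract", "Managing director", "Fire", "No fire protection", 4, 3),
    Risk("System administrator", "Department head", "Accident",
         "No-one else knows the passwords", 5, 3),
]
ACCEPTABLE = 6  # assumed acceptable-risk level; the deck does not state one


def treat_example(register: List[Risk]) -> List[Risk]:
    """Assumed (illustrative, not from the deck) treatment decisions, returned as a new list."""
    plan = {  # (asset, threat): (option, residual impact, residual likelihood)
        ("Server", "Electricity outage"): (Treatment.ACCEPT, None, None),
        ("Server", "Fire"): (Treatment.APPLY_CONTROLS, 5, 1),  # e.g. extinguishers
        ("Contract", "Access by unauthorized persons"): (Treatment.APPLY_CONTROLS, 4, 1),
        ("Contract", "Fire"): (Treatment.TRANSFER, 2, 3),  # e.g. insurance
        ("System administrator", "Accident"): (Treatment.APPLY_CONTROLS, 5, 1),
    }
    treated = []
    for r in register:
        option, ri, rl = plan[(r.asset, r.threat)]
        treated.append(replace(r, treatment=option, residual_impact=ri, residual_likelihood=rl))
    return treated


if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f"I+L={r.score():>2}  IxL={r.score(multiplicative):>2}  {r.asset}: {r.threat}")
    print("needing treatment:", len(unacceptable(REGISTER, ACCEPTABLE)))
    left = unacceptable(treat_example(REGISTER), ACCEPTABLE, residual=True)
    print("still unacceptable after treatment:", [(r.asset, r.threat) for r in left])
```

With the additive formula four of the five rows exceed the assumed level of 6 and the top-ranked row is the server fire (5+3); with the multiplicative formula the unauthorized-access row (4x4=16) moves to the top. After the assumed treatments, re-checking residual_score against the same level leaves nothing unacceptable, which is the check that decides whether the risk treatment plan is complete.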
Biggest challenges with riskmanagement
• What assets to include in the scope for risk assessment
• Trying to justify the costs for implementing the safeguards
• Proper asset identification, classification, threat identification and prioritization
• Risk assessment methodology is not defined
• Willingness of busy technical people to subject themselves to the time-consuming process
Conclusion
Don’t skip the risk assessment and treatment – without this kind of analysis your information security will be full of holes!
Q & A
Dejan Kosutic
www.advisera.com/27001academy/webinars