Risk Management – What is it? What are the benefits to InfoSec and ISO 27001?
In this, the first of a series of blogs on risk, we are going to look at the pivotal role that risk management plays in helping us protect our information assets. We are also going to explore why the focus on a risk-based approach has helped turn ISO 27001, the International Information Security Management Standard, into such a world-beater.
Before we dive in, let’s set the scene and try to define what we mean by risk and risk management.
What is ‘risk’?
Here’s an interesting challenge. Ask 5 of your colleagues to tell you what they understand by risk, and we’d be very surprised if you got the same answer; nor would we be surprised if some struggled to answer the question at all. Let’s see how the international standards define risk, starting with ISO 31000, the International Standard for Risk Management – Principles and guidelines. The Standard defines risk as the ‘effect of uncertainty on objectives’. We find this definition a little nebulous, which is probably not surprising given the universal nature of ISO 31000 and the fact that it addresses all types of risk. However, ISO 27000 expands on the ISO 31000 definition and comes up with something more substantial and specific, namely: ‘Information security risk is associated with the potential that threats will exploit vulnerabilities of an information asset or group of information assets and thereby cause harm to an organization.’
Implicit in this definition is that in order for a risk to exist there must be something that we care about, in this case, information and, more specifically, the confidentiality, integrity and availability of information. You can also see the importance of viewing risk from the perspective of achieving business objectives. If you’re a healthcare services provider, for example, and your goal is to win and maintain more clients, it’s imperative that you protect the confidentiality of any personal data. Once you have identified that it is the confidentiality of personal data you particularly care about, you can then start to look at the threats and vulnerabilities that could lead to a breach of confidentiality of personal data.
What is risk management?
OK, let’s start with the ISO 31000 definition, which is the ‘coordinated activities to direct and control an organisation with regard to risk’. To expand on this, we are looking at activities which allow us to better identify, analyse and evaluate risks, and which allow us to manage them proactively in order to minimise any possible damage and maximise any opportunities. The last point is important, in that whilst risk generally has a negative association, there can be positive outcomes. If your organisation, for example, has a well-developed risk management process in place, this can provide you with a competitive advantage vis-à-vis your competitors, e.g. when evaluating whether it would be advantageous to enter a new market. Without a robust risk management process, you could either miss the opportunity or enter the market blindly, hoping that it pays off.
Why is risk management important to information security?
The confidentiality, integrity and availability of our information assets are threatened by a vast array of internal and external threats and there is no way we can protect ourselves against every potential threat. In essence, risk management enables us to target our efforts and security measures where they are most needed and are going to give us the best return for our investment. This is naturally important, as none of us have unlimited resources, be that finances, manpower, competence or time. There is also the other aspect to consider – even if we did have unlimited resources, and we apply information security controls indiscriminately, productivity would almost certainly suffer. As per URM’s strapline, it’s all about getting the balance right and in this case it’s about achieving the optimum trade-off between security and productivity. There really can be too much security!
The key aspect of risk management is that it enables organisations, in a world of uncertainty, to make informed decisions about which risks are considered the most urgent to address. Essentially, these are the ones which present the greatest danger to the most valued information assets, taking into account both likelihood and impact.
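To make the idea of ranking risks by likelihood and impact concrete, here is a small, added example of a risk register that scores each risk and decides whether it exceeds a stated risk appetite. It is illustrative code written for this post; it is not URM’s method and not something ISO 27001 or ISO 31000 prescribes. The 1-to-5 scales, the multiplicative score, the appetite threshold of 9 and the sample entries are all assumptions constructed for the example.

```python
from dataclasses import dataclass

# Assumed ordinal scales for this example (many organisations use a 5x5 matrix,
# but ISO 27001 does not prescribe one).
LIKELIHOOD_SCALE = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT_SCALE = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}

# Assumed risk appetite: any score strictly above this must be treated.
RISK_APPETITE = 9


@dataclass(frozen=True)
class Risk:
    """One line of a risk register: asset, threat, vulnerability, and two ratings."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int

    def __post_init__(self):
        # Reject ratings outside the agreed scales so a typo cannot silently
        # inflate or hide a risk.
        if self.likelihood not in LIKELIHOOD_SCALE:
            raise ValueError(f"likelihood must be 1-5, got {self.likelihood}")
        if self.impact not in IMPACT_SCALE:
            raise ValueError(f"impact must be 1-5, got {self.impact}")

    def score(self) -> int:
        # Assumed scoring model: likelihood x impact (range 1..25).
        return self.likelihood * self.impact


def needs_treatment(risk: Risk, appetite: int = RISK_APPETITE) -> bool:
    """True when the risk exceeds the organisation's stated appetite."""
    return risk.score() > appetite


def prioritise(register: list[Risk]) -> list[Risk]:
    """Order risks most-urgent first; ties are broken by impact, so a
    high-impact/low-likelihood risk outranks a low-impact/high-likelihood one."""
    return sorted(register, key=lambda r: (r.score(), r.impact), reverse=True)


def treatment_plan(register: list[Risk], appetite: int = RISK_APPETITE) -> list[str]:
    """Names of the assets whose risks must be treated, in priority order."""
    return [r.asset for r in prioritise(register) if needs_treatment(r, appetite)]


# Constructed sample register (hypothetical healthcare provider).
SAMPLE_REGISTER = [
    Risk("patient records", "phishing leading to credential theft",
         "no multi-factor authentication on webmail", likelihood=4, impact=5),
    Risk("public website", "defacement", "unpatched CMS", likelihood=3, impact=2),
    Risk("backup tapes", "loss in transit", "tapes not encrypted", likelihood=2, impact=5),
    Risk("office printer", "misuse by visitors", "no print release PIN", likelihood=5, impact=1),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_REGISTER):
        flag = "TREAT" if needs_treatment(r) else "accept"
        print(f"{r.score():>2} {flag:<6} {r.asset}: {r.threat} via {r.vulnerability}")
```

The ordering matters more than the arithmetic: the backup-tape risk is rated unlikely, but because the impact on confidentiality is severe it still ranks above the more likely but low-impact printer risk, which is exactly the trade-off the paragraph above describes.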
Why is risk management so important to ISO 27001?
By adopting a risk-based approach, ISO 27001 acknowledges that organisations are all different, e.g. in size, industry sector, ownership, organisational structure, maturity, business objectives, risk appetite, culture. Not only that, the Standard also takes account of the fact that we are all operating in a dynamic, changing environment, where some are growing and others are consolidating. We are all subject to external changes, such as regulation or legislation changes and the emergence of new competition and new opportunities. Threats to our information assets are also changing and nowhere more so than in the Cyber World. We are constantly under attack from new scams or old scams with a new twist, all aimed at gaining unauthorised access to our information, our most valuable asset.
ISO 27001 clearly recognises that there is ‘no silver bullet’ or ‘one size that fits all’ solution to information security. As such, it does not prescribe any specific controls (just a set of 114 controls we can consider). What it does, however, is to prescribe a continual improvement management system which has risk assessment and risk treatment at its heart. Thereby, we can all proactively implement a set of security measures which are tailored to our specific information assets and the threats to those assets, whilst at the same time allowing us to factor in things such as business objectives and risk appetites.
Having (hopefully!) set out the importance of risk management, in our next blog we are going to address the challenges of calculating risks and conducting risk assessment and risk treatment activities.