Risk Assessment, the ISO maze

Extensive promotion has made ISO 27001 the first thing that comes to mind when we think of "Risk Assessment". No doubt ISO 27001 is the most popular ISMS framework. The fact that it lends itself to certification makes it attractive to organizations which want the certificate to satisfy some compliance requirement.

However, ISO is a maze. It is an excellent strategy for ISO to make money by creating numerous documents and specifications sold at fancy prices. But for the users, the multiple frameworks with overlapping provisions make it increasingly difficult to cut through this maze and find out what is good for an organization.

While many are still confused by the ISO 9000 series and the 27000 series themselves, of late more terminologies are coming out into the open. What is ISO 31000? What is ISO 20000-1? What is ISO 22301? How are they related to ISO 27001? These are questions that often arise in the minds of corporate executives who need to take decisions about budgeting for ISO audits.

ISO 27001 is an ISMS standard focused on the keyword "information" protection. An information asset is "anything that has a business value". In other words, if an organization is seeking to protect all forms of information against unauthorized access (Confidentiality), unauthorized modification (Integrity), and loss or destruction (Availability), the standard provides a series of controls that enables you to pick and choose those that are relevant based on a formal asset-wise risk assessment. ISO 27001 certification involves 133 controls which together aim at a secure architecture, combining preventive and detective controls and encompassing procedural, physical, technical and personnel controls.

On the other hand, the ISO 31000 standard aims to cover almost all areas of organizational risk: personnel, operations, information and financial. It is, however, a generic standard and does not cover the specifics. It is not a certification standard, and organizations use it to compare best practices. Unlike other standards, the degree of implementation and its interpretation are left to the users and to the advisers, consultants and internal auditors employed by the organization. In comparison, ISO 27001 addresses specifics and requires asset-wise risk valuation which should clearly articulate the state of an asset and its control environment.

The latest in the standard family (in terms of inclusion of the word "risk") is ITSM, the ISO 20000 certification, which is aimed at making the traditional IT organization or department free from service risk. It is aimed at making IT a "service" department, and the standard has best practices aligned with ITIL. You would choose this if you wish to make your IT a "service" organization. A "service catalog" is the starting point for this and aligns your IT organization with business objectives.

Further, ISO 22301, the "societal security" business continuity management system standard, is an upgraded version of BS 25999 and gives more meaning to the scope of business continuity. ISO 22301 certification showcases an organization's ability to demonstrate that it can continue to deliver in case of a disaster.

Within the ISO 27000 family, every standard is designed with a certain focus: if you want to build the foundations of information security in your organization and devise its framework, you should use ISO 27001; if you want to implement controls, you should use ISO 27002; if you want to carry out risk assessment and risk treatment, you should use ISO 27005; and so on. There is a logic to the multiplicity, though it is rather convoluted.

If we look through the above standards, it is clear that ISO is creating more confusion in the information security implementation community and trying to offset competition from other frameworks such as COSO or COBIT by creating multiple standards within its own fold.

It must be noted that most organizations have used, and continue to use, ISO 27001 to show their business continuity maturity. It is not clear whether the ISO organization expects corporates to implement ISO 31000 or ISO 20000-1 for building a security culture and then certify against ISO 27001 and ISO 22301, so that ISO gets multiple revenue streams. This also results in a multiple cost burden on the organizations, which will certainly hurt the ISO brand.

One would not be surprised if this strategy, borne out of the typical brand marketing exercise used for consumer products such as soaps and shampoos with adjectives such as "New" and "New and Improved", backfires in the more informed information security market. Companies may soon find it more comfortable to back other frameworks which are sure of what they are doing.

I hope the Government of India (DIT), which has given an unfair, unconstitutional and misleading parliamentary endorsement to ISO 27001 in its "Reasonable Security Practices" notification of April 29, 2011, takes note of this situation and understands that it is backing the wrong horse.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law education institution. He is now focusing on projects such as Secure Digital India and Cyber Insurance.
This entry was posted in Information Assurance, Uncategorized.
