BS ISO/IEC 27005:2011 – Information technology – Security techniques – Information security risk management.
The effectiveness of the risk treatment depends on the results of the risk assessment. Note that risk treatment involves a cyclical process of:
• assessing a risk treatment;
• deciding whether residual risk levels are acceptable;
• generating a new risk treatment if risk levels are not acceptable; and
• assessing the effectiveness of that treatment.
It is possible that the risk treatment will not immediately lead to an acceptable level of residual risk. In this situation, another iteration of the risk assessment with changed context parameters (e.g. risk assessment, risk acceptance or impact criteria), if necessary, may be required, followed by further risk treatment (see Figure 2, Risk Decision Point 2).
The risk acceptance activity has to ensure residual risks are explicitly accepted by the managers of the organization. This is especially important in a situation where the implementation of controls is omitted or postponed, e.g. due to cost.
During the whole information security risk management process it is important that risks and their treatment are communicated to the appropriate managers and operational staff. Even before the treatment of the risks, information about identified risks can be very valuable to manage incidents and may help to reduce potential damage. Awareness by managers and staff of the risks, the nature of the controls in place to mitigate the risks and the areas of concern to the organization assists in dealing with incidents and unexpected events in the most effective manner. The detailed results of every activity of the information security risk management process and from the two risk decision points should be documented.
ISO/IEC 27001 specifies that the controls implemented within the scope, boundaries and context of the ISMS need to be risk based. The application of an information security risk management process can satisfy this requirement. There are many approaches by which the process can be successfully implemented in an organization. The organization should use whatever approach best suits their circumstances for each specific application of the process.
In an ISMS, establishing the context, risk assessment, developing the risk treatment plan and risk acceptance are all part of the 'plan' phase. In the 'do' phase of the ISMS, the actions and controls required to reduce the risk to an acceptable level are implemented according to the risk treatment plan. In the 'check' phase of the ISMS, managers will determine the need for revisions of the risk assessment and risk treatment in the light of incidents and changes in circumstances. In the 'act' phase, any actions required, including additional application of the information security risk management process, are performed.
The following table summarizes the information security risk management activities relevant to the four phases of the ISMS process:
7 Context establishment
7.1 General considerations
Input: All information about the organization relevant to the information security risk management context establishment.
Action: The external and internal context for information security risk management should be established, which involves setting the basic criteria necessary for information security risk management (7.2), defining the scope and boundaries (7.3), and establishing an appropriate organization operating the information security risk management (7.4).
Implementation guidance
It is essential to determine the purpose of the information security risk management as this affects the overall process and the context establishment in particular. This purpose can be:
• Supporting an ISMS
• Legal compliance and evidence of due diligence
• Preparation of a business continuity plan
• Preparation of an incident response plan
• Description of the information security requirements for a product, a service or a mechanism
Implementation guidance for context establishment elements needed to support an ISMS is further discussed in Clauses 7.2, 7.3 and 7.4 below.
NOTE ISO/IEC 27001:2005 does not use the term 'context'. However, all of Clause 7 relates to the requirements 'define the scope and boundaries of the ISMS' [4.2.1 a)], 'define an ISMS policy' [4.2.1 b)] and 'define the risk assessment approach' [4.2.1 c)], specified in ISO/IEC 27001:2005.
Output: The specification of basic criteria, the scope and boundaries, and the organization for the information security risk management process.