Cyclical risk analysis

This risk analysis process/method blends risk, security, incident and problem management, creatively combining imaginary with actual data and concerns:
  1. Imagine you've experienced a 'typical' incident affecting whatever [information] asset/s you are risk-assessing - such as a physical incident affecting the office. Consider various types of incident, of various scales and importance e.g. an office break-in, vandalism, professional hit, insider theft, fire, flood ... or whatever. For now, pick out whatever type/s of incident seem most likely and/or damaging for further consideration - not least, real incidents that have occurred (this analysis might follow an actual incident for maximum reality!). Start exploring the associated threats, vulnerabilities and impacts, using information about actual incidents (under similar circumstances) to inform your analysis - or wing it using common sense. This step initiates the risk analysis, clarifying the asset/s and risks of most concern. Press ahead ...

  2. Following this imaginary incident, how would you know what had occurred? What indications would there be of the incident? How soon would it be discovered? When, by whom and how? Consider the possibility of gradual/non-obvious incidents (e.g. overloaded smouldering power cables, or where everybody is busy and assumes someone else is responsible), deliberately concealed incidents (e.g. insider thefts) and incidents with little if any indication (e.g. intellectual property theft - spying). This prompts you to think about detective controls e.g. alarms, warnings, indicators ...

  3. What would your immediate reactions be? What would you do first? Who would need to be involved? What would you need to make that work well? Use the incident scenario to explore/improve your incident response plans and preparations. Consider a desktop walk-through or an exercise to check them out more realistically.

  4. How would you investigate and resolve the incident? Again, consider who, what, when, how, why ... What information and skills would be essential or most valuable for the investigation (e.g. records, logs, CCTV footage, forensics, fire investigators)? Also, what could/would you do to minimise the damage and get things back to normal ASAP? What would be the priorities for the business? This step extends/deepens your exploration of the incident response, including the corrective controls and a little Business Impact Analysis for good measure.

  5. Thinking back to step 1, is the incident worrying enough to improve the preventive controls? What else can/should be done to prevent the incident - and others affecting the same asset/s? Consider reducing the threats, vulnerabilities and/or impacts. Estimate how much disruption and cost this imaginary incident would have caused, roughly. Are we talking minor expense and inconvenience, big trouble, expensive repairs, compliance penalties, business failure, death and destruction, cataclysm ...? Apart from workers and the organisation/business itself, who else would/might have been materially affected (e.g. other residents of the same burnt-out building; customers; authorities; passers-by)? How many days/weeks/months/years later would these problems persist? Given even an approximate frequency of occurrence of this particular incident or of similar incidents (e.g. once a day, once a week, once a year, once a decade ...), this assessment may be enough to justify investing in implementing or improving cost-effective preventive controls, or at least to consider the possibilities, pose other questions and gather more info to firm up the details, particularly for large/unusual investments or where the benefits are marginal or dubious.

    [Hinson tip: management may be willing to invest on gut feel without a fully developed business case, may already have strategic plans in this area, or may simply have some spare cash at the moment, saving analytical resources for other stuff - so approach management for advice early on before getting totally bogged down. Better still, engage/involve management actively in the entire exercise!]

  6. Lather, rinse, repeat. Pick other incidents, other scenarios, other assets, other controls, other possibilities on each run through the cycle. Risk management is a never-ending quest for perfection, particularly as things keep changing and risks can never be totally eliminated. Keep on knocking down the biggest risks.
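The rough arithmetic in step 5 (frequency, cost, duration, and whether a control is worth paying for) and the "biggest risks first" rule in step 6 can be made concrete with a small model. The script below is an added example, not part of the original post and not a method the post itself prescribes: it represents each imagined incident as a scenario (step 1), treats time before detection as extra disruption (step 2), computes a rough annual loss as frequency times impact (step 5), scores candidate controls by net benefit, and ranks the scenarios so the next cycle starts with the biggest one (step 6). Every asset, incident, cost, frequency and control name is a constructed placeholder, and the frequency-times-impact model is a deliberate simplification assumed here for illustration.

```python
"""Rough cyclical risk scoring: scenario -> annual loss -> control value -> rank.
All scenarios, controls and figures are constructed for illustration; they are
not real data and do not come from the original post."""

from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Scenario:
    """One imagined incident against one asset (step 1 of the cycle)."""
    asset: str
    incident: str
    frequency_per_year: float          # once a decade = 0.1, once a week = 52 (step 5)
    direct_cost: float                 # repairs, replacements, penalties (step 5)
    disruption_days: float             # how long things stay abnormal (step 5)
    daily_disruption_cost: float       # lost business per abnormal day (assumed figure)
    detection_delay_days: float = 0.0  # days before anyone notices (step 2)

    def impact(self) -> float:
        """Loss from a single occurrence. Undetected days count as extra
        disruption: a smouldering cable or an unnoticed insider theft keeps
        costing money until somebody reacts."""
        days = self.disruption_days + self.detection_delay_days
        return self.direct_cost + days * self.daily_disruption_cost

    def annual_loss(self) -> float:
        """Annualised loss expectancy: frequency x impact (simplified model)."""
        return self.frequency_per_year * self.impact()


@dataclass(frozen=True)
class Control:
    """A candidate preventive or detective control and its assumed effect."""
    name: str
    annual_cost: float
    frequency_factor: float = 1.0                  # 0.5 = halves the frequency
    detection_delay_days: Optional[float] = None   # new delay if the control is detective

    def apply(self, s: Scenario) -> Scenario:
        """Return the residual scenario with this control in place."""
        delay = s.detection_delay_days
        if self.detection_delay_days is not None:
            delay = self.detection_delay_days
        return replace(s,
                       frequency_per_year=s.frequency_per_year * self.frequency_factor,
                       detection_delay_days=delay)

    def net_benefit(self, s: Scenario) -> float:
        """Annual loss avoided minus the control's annual cost; a negative
        result means the control costs more than the risk it removes."""
        return s.annual_loss() - self.apply(s).annual_loss() - self.annual_cost


def rank_by_annual_loss(scenarios: List[Scenario]) -> List[Scenario]:
    """Step 6: order scenarios so the biggest risk is tackled first."""
    return sorted(scenarios, key=lambda s: s.annual_loss(), reverse=True)


def worthwhile_controls(s: Scenario, controls: List[Control]) -> List[Control]:
    """Step 5: controls with positive net benefit for this scenario, best first."""
    good = [c for c in controls if c.net_benefit(s) > 0]
    return sorted(good, key=lambda c: c.net_benefit(s), reverse=True)


# Constructed scenarios for an imaginary office (placeholder figures).
OFFICE_SCENARIOS = [
    Scenario("office", "break-in and laptop theft", frequency_per_year=0.5,
             direct_cost=8_000, disruption_days=2, daily_disruption_cost=3_000),
    Scenario("office", "fire from overloaded cabling", frequency_per_year=0.02,
             direct_cost=400_000, disruption_days=60, daily_disruption_cost=3_000,
             detection_delay_days=0.5),
    Scenario("office", "insider data theft", frequency_per_year=0.2,
             direct_cost=50_000, disruption_days=10, daily_disruption_cost=1_000,
             detection_delay_days=30),
]

# Constructed candidate controls for the insider-theft scenario (placeholders).
INSIDER_CONTROLS = [
    Control("access review and least privilege", annual_cost=3_000, frequency_factor=0.5),
    Control("exfiltration alerting", annual_cost=5_000, detection_delay_days=2),
    Control("round-the-clock guard", annual_cost=80_000, frequency_factor=0.5),
]

if __name__ == "__main__":
    for s in rank_by_annual_loss(OFFICE_SCENARIOS):
        print(f"{s.incident:32s} annual loss ~ {s.annual_loss():>10,.0f}")
    top = rank_by_annual_loss(OFFICE_SCENARIOS)[0]
    for c in worthwhile_controls(top, INSIDER_CONTROLS):
        print(f"  worth it for '{top.incident}': {c.name} (net {c.net_benefit(top):,.0f}/yr)")
```

Run it as a script to see the ranking and the controls that pay for themselves; the numbers are coarse on purpose, matching the post's point that an approximate frequency and impact are often enough to decide whether to invest, ask more questions, or move on to the next scenario in the cycle.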
