Information security risk management is a wide topic, with many notions, processes, and technologies that are often confused with each other.
Very often technical solutions (cybersecurity products) are presented as “risk management” solutions without process-related context.
Modern cybersecurity risk management is not possible without technical solutions, but on their own, outside the context of an organization's risk management processes (and of its information-related processes), these solutions may not be enough to manage the risks of information processing properly, and may even create a false sense of security.
In this new series of articles, I will explain some basic notions related to risk management, introduce and describe the phases of the cyclic, high-level risk management process, give more details on each of the phases, and introduce the NIST and ISO standards related to risk management.
In this article, I will review the definition of risk and the goals of risk management, and list the main NIST and ISO standards related to information security risk management.
Cybersecurity risk management vs information security risk management
First of all, let's briefly discuss the difference between “cybersecurity risk management” and “information security risk management”. Before “cybersecurity” became a buzzword, professionals dealing with information security used only the notions of “information security” and “IT security”.
Obviously “information security” is the wider term. It concerns the security of information stored, processed or transmitted in any form (including paper). Information security also concerns people, processes, legal/regulatory matters and insurance. (Yes, insurance is also a way to reduce risk – by transferring it – and is thus a security measure.)
“IT security” is a term concerning “IT”, that is, Information Technology. So it concerns information processed in IT systems. Sometimes these notions (“information security” and “IT security”) were used (and still are used!) interchangeably, but formally this is wrong, because an IT system is only one part of an organization's information processing system.
“Cybersecurity” is a nice buzzword of recent years. Almost everything is “cyber” these days 🙂 . Unfortunately this word has different meanings, depending on who uses it. The “cyber” part of this word suggests it concerns technology, so in my private opinion this word, “cybersecurity”, is a younger brother of “IT security” (or, to be more precise, a younger clone 😉 ). What is wrong with this word, in my opinion, is that it is often used in (or to describe) high-level documents like policies or process descriptions that have nothing to do with lower-level technology. But this is a trend we cannot change – the “cybersecurity everything” approach has been present in the information/IT security world for some time already and it is doing very well. So we have to adapt and adjust.
But at the same time we have to be very careful when using the word “cybersecurity” (do we really mean what we are saying?) and also when reading it (what does this word really mean in the context of other information it is “served” with?).
The goal of information security risk management
The main goal of information security risk management is to continuously address the risks to the information processed by an organization. These risks are to be addressed according to the organization's risk management policy.
Information security risk management is part of an organization's general risk management, so it should be aligned with the organization's general, high-level risk management policy.
Achieving the above goal of information security risk management depends on the following elements:
- the information security risk management methodology;
- the information security risk management policy and procedures;
- the information security risk management process;
- the information security risk management stakeholders.
I will be addressing all of these in the next articles in this series.
NIST and ISO standards
There are important (and practically applicable) NIST guidelines and ISO standards available on information security risk management.
The main high-level ISO standard on risk management is ISO 31000 (namely ISO 31000:2009: “Risk management — Principles and guidelines”; it is currently under review).
(It is published by ISO alongside the ISO 27000 series of standards, which I touched on in my previous series of articles in Komunity.)
ISO 31000 introduces the risk management cycle that is applicable to (and should be used for) information security risk management, independent of the risk analysis methodology used. I will use this cycle to introduce the information security risk management process.
But before that, let me mention also other standards and guidelines on information security risk management:
- ISO/IEC 27005: “Information technology — Security techniques — Information security risk management”;
- NIST Special Publication 800-39: “Managing Information Security Risk: Organization, Mission, and Information System View”;
- NIST Special Publication 800-30 Rev 1: “Guide for Conducting Risk Assessments”.
I will come back to these standards after I describe the risk management cycle and its elements.
Let’s touch on another subject that is important and sometimes misunderstood – the notion of risk itself.
In common language, we often mix up all the notions related to risk management: the risk itself, vulnerability, threat etc. We can't do that if we want to run risk management properly. It is not only a matter of terminology: these notions are used in every risk analysis methodology and must not be confused, otherwise one will not be able to perform a risk analysis correctly, or to understand its results and feed them into the risk management process cycle.
ISO 31000 defines risk as the “effect of uncertainty on objectives” (please remember that this is a high-level standard). This effect can be positive or negative, which means that in terms of this standard (and of other risk-related standards, as you will see) risk is neutral. This, as can easily be seen, is not consistent with common language, in which risk is almost always a negative notion.
I'll come back to this definition and to the definitions of the terms related to the notion of risk: vulnerability, threat etc.
In the next article, I will introduce the high-level risk management cycle.
References and further reading
ISO 31000:2009: “Risk management — Principles and guidelines” (currently under review)
ISO/IEC 27005: “Information technology — Security techniques — Information security risk management”
NIST SP 800-39: “Managing Information Security Risk: Organization, Mission, and Information System View”
NIST SP 800-30 Rev 1: “Guide for Conducting Risk Assessments”