ISO 31010: What to use instead of the asset-based approach for ISO 27001 risk identification
One of the most significant changes in the 2013 version of ISO 27001, a worldwide standard for Information Security Management Systems, is that it does not prescribe any approach in the risk assessment anymore. While it still requires the adoption of a process-based risk assessment approach (learn more here: ISO 27001 risk assessment treatment – 6 basic steps), the obligation to use an asset-threat-vulnerability model in the risk identification step no longer exists.
While this approach in the standard provides more freedom for organizations to choose the risk identification approach that better fits their needs, the absence of such orientation is the source of a lot of confusion for organizations about how to approach risk identification. In this article, I will talk about how ISO 31010 (a standard focused on risk assessment) can help you, by presenting some of its risk identification approaches that can be used to find, recognize, and describe risks in a way that is compliant with ISO 27001.
The risk identification step
According to ISO 31010:2012 – Risk management — Risk assessment techniques, the purpose of risk identification is to identify what could happen, or which situations could exist, that may affect the achievement of proposed objectives. Considering information security, some practical examples are:
- a power surge may cause a storage unit to fail, leading to data loss;
- lack of attention may cause an employee to send a report to the wrong person, leading to unauthorized information disclosure;
- a change in environmental conditions may cause a device to make erroneous readings, leading to compromise of data integrity.
Once a risk is identified, the organization should also identify any existing controls affecting that risk, and proceed to the next steps of the risk assessment (risk analysis and risk evaluation).
Risk identification methodologies
To be of use, a risk description must contain some elements:
- risk sources: elements in the scenario that, isolated or combined, have the potential to affect the expected results (e.g., the electricity to power the storage unit)
- event: a specific set of circumstances (e.g., the storage unit failure)
- cause: the initial condition that starts the event (e.g., the power surge)
- consequence: the result of the event affecting the objective (e.g., the data loss, affecting the information availability)
By using a methodology to identify risks, you increase the chances of identifying all these items, either by gathering verifiable evidence, applying expert knowledge, or any other structured way. Considering this, and the risk identification methodologies presented by ISO 31010, I can highlight these risk identification methodologies:
Brainstorming: a group creativity technique for collecting a large amount of information to find a conclusion for a specific situation. Because of its strong emphasis in imagination, it is useful to identify risks in situations that require quick response and have few formal data available (e.g., selection of less harmful measures to contain an ongoing attack), or are new to the organization, like risks involving the entrance in a new market segment.
Interview: a conversation where pre-defined questions are presented to an interviewee to understand his perception of a given situation (e.g., market trends, processes performance, product expectations, etc.), and by that identify risks considering his perspective. It is recommended when detailed particular opinions are required (e.g., from the CEO, CFO, clients, etc.).
Delphi method: an anonymous collaborative technique used to combine different expert opinions in a reliable and unbiased way toward a consensus (e.g., selecting a security supplier, defining a protection strategy). It differs from brainstorming because it works to eliminate solutions during its realization, instead of creating ones. It should be considered in situations where the characteristics of participants may affect the opinions of others (e.g., all agree/disagree with someone just because of his position).
Checklist: a technique where a list of items is elaborated to ensure that the most common topics, as well as the critical ones, on the subject matter are not forgotten during risk identification (e.g., common failures in software development, or protections required by contract). This increases the consistency and completeness of risk identification. Its use is recommended in cases where historical information, market references, and knowledge of previous situations are widely available.
Scenario analysis: methodology that uses models describing possible future scenarios to identify risks considering possible outcomes, strategies and actions leading to the outcomes, and possible implications to the business. A common approach in information security is, e.g., the use of permissive, restrictive, and balanced scenarios to identify risks in access control. It should be considered in situations where multiple solutions are available or results can present great variation.
What about the asset-threat-vulnerability approach?
Although asset-based methodology is not mandatory in the ISO 27001:2013 standard, it still is a valid approach. Organizations that have already implemented and deemed this approach appropriate for their purposes can continue to use it normally. The main aspect to its adoption is the availability of a reliable asset database (learn more here: ISO 27001 risk assessment: How to match assets, threats and vulnerabilities).
There is no silver bullet in risk identification
For several years, the asset-threat-vulnerability risk identification model has ruled the risk assessment process. In my opinion, this is more because it was explicitly mentioned in the ISO 27001:2005 revision, rather than the effectiveness of its application in any situation. And, I think different approaches might take over in time.
Risk identification is a complex activity, depending on many elements to achieve useful results. By proper identification of tools that can take the most advantage of the situation and the available information, your organization can focus on risks that really matter to its business and results, applying resources in a more efficient way.
To know more about risk identification and risk assessment process, try this free webinar: The basics of risk assessment and treatment according to ISO 27001.