The Importance of Risk Management
Alan Calder
CEO, Vigilant Software

Thursday March 7th
PLEASE NOTE THAT ALL DELEGATES IN THE TELECONFERENCE ARE MUTED ON JOINING.
Q&A IS HANDLED THROUGH A COMBINATION OF WEBEX CHAT/TEXT AND VOICE




“The definitive risk assessment tool for ISO27001 certification”
Copyright © Vigilant Software Ltd 2013
Alan Calder
• CEO and founder of Vigilant Software
• Acknowledged information security/risk management
  thought leader
• Managed the world’s first successful ISO27001 (then
  BS7799) implementation project in 1996
• Frequent media commentator on risk management
  issues
• Co-author of vsRisk™ – the definitive cybersecurity risk
  assessment tool

Today’s Webinar in Context

• Today’s webinar is #2 in an educational series.
• The 4 webinars are designed to take you on a learning
  journey:
   • Webinar 1 – Why ISO 27001 for my Organisation?
   • Webinar 2 (Today) – The Importance of risk management.
   • Webinar 3 – Carrying out a risk assessment using vsRisk.
   • Webinar 4 – Maintaining/updating your risk assessment using vsRisk.

   Registration details of future webinars at the end.

Today’s Agenda

• A short 20-30 minute educational and informative talk:

   • Quick recap of last week’s webinar – Why ISO 27001 for my
     Organisation?
   • The importance of risk management.


• Ample time for Q&A.

• Next steps.

Recap – last week’s webinar

In last week’s webinar we covered:

   •   What is information security?
   •   What is an information security management system (ISMS)?
   •   What is ISO 27001?
   •   Why should I and my organisation care about ISO 27001?




Information Security Terms and Phrases
Information security: preservation of confidentiality, integrity and availability of
information; in addition, other properties, such as authenticity, accountability,
non-repudiation, and reliability can also be involved.

Confidentiality: the property that information is not made available or disclosed to
unauthorized individuals, entities, or processes.

Integrity: the property of safeguarding the accuracy and completeness of assets.

Availability: the property of being accessible and usable upon demand by an
authorized entity.

Asset: anything that has value to the organization.


What is a Risk?

A risk exists where there is an identifiable likelihood of an
identified threat exploiting an identified vulnerability in
relation to the confidentiality, availability or integrity of an
asset, and where that compromise will have a quantifiable
impact on the organisation.

Without likelihood and impact, there is no risk.




What is a risk assessment?

• A risk assessment is the core competence of
  information security management.

• ISO 27001 explicitly asks for:
   • a risk assessment to be carried out before any controls are
     selected and implemented.
   • every control to be justified by the risk assessment.
   • a Plan-Do-Check-Act model to be followed.




Plan-Do-Check-Act




What is a risk assessment?

• The risk assessment must:

   • Identify the threat/vulnerability combinations that have a
     likelihood of impacting the confidentiality, availability or
     integrity of each asset within the scope.

   • Do so from a business, compliance or contractual
     perspective.




Benefits of risk assessment?

  • Spend on controls is balanced against the business harm likely to
    result from security failures.

  • Existing over-expenditure can be re-allocated to areas of
    weakness.

  • Information security management decisions are driven entirely
    by the outcomes of the risk assessment, so they are objective.




Risk management process (diagram): Assets, Threats and Vulnerabilities → Risks (Analysis) → Countermeasures/Safeguards: identification and implementation (Treatment).

Risk Management: Asset Documentation
Produce an inventory of all assets:
   • All physical computing resources (computers, servers, PDAs, etc.)
   • Buildings
   • Telephones, mobile phones
   • Storage facilities
   • Information assets: databases, documentation, blueprints
   • People
Maintain the Asset Register!
   • Control category A.7 is Asset Management: consider it when preparing
     for the risk assessment.


Risk Management: Asset Management

•   Responsibility for assets.
•   Information classification.
•   Sensitivity guidelines.
•   Sensitivity labelling.




Risk Assessment - Objective

To inform a proper balance of safeguards against risk of
failing to meet business objectives.
   • For a given exposure, removal of safeguards will increase the
     risk of loss.
   • Too many safeguards could make the security system too
     expensive/bureaucratic.
   • Method by which expenditure on security and contingency can
     be justified.




Risk assessment

• Define the approach.
   • It must be comparable and reproducible.
• Develop criteria for accepting risk and for identifying the
  acceptable level of risk.
• Risk acceptance criteria.




Treatment of Risk

After completing the analysis of risk, you need to decide how to
manage it.
Treatment of risk:
   •   Accept it? (Criteria already developed.)
   •   Eliminate the risk by a workaround or other arrangements.
   •   Control the risk to bring it to an acceptable level.
   •   Transfer it to a third party (e.g. via insurance).


Then select controls.
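As an added example (not vsRisk and not code from this deck), a small Python risk register that applies the definition on the "What is a risk?" slide and the treatment options above: entries without both a likelihood and an impact are rejected, the acceptance criterion is fixed before any control is chosen, and every control has to be justified by a recorded risk. The scoring scale, threshold, asset names and the control name are constructed for illustration.

```python
"""Toy ISO 27001-style risk register (added example, not vsRisk or Vigilant Software code).

Models the deck's definition of a risk: a threat exploiting a vulnerability against the
confidentiality, integrity or availability of an asset, with a likelihood and an impact.
Scales, threshold, control names and sample assets are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Sequence


class Treatment(str, Enum):
    ACCEPT = "accept"        # already within the risk acceptance criteria
    CONTROL = "control"      # bring the risk down to an acceptable level
    TRANSFER = "transfer"    # pass it to a third party, e.g. via insurance
    ELIMINATE = "eliminate"  # remove the arrangement that carries the risk


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    affects: str             # "C", "I" or "A": the property that would be compromised
    likelihood: int          # constructed ordinal scale 0..5
    impact: int              # constructed ordinal scale 0..5
    treatment: Optional[Treatment] = None
    controls: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


class RiskRegister:
    def __init__(self, acceptance_threshold: int) -> None:
        # Risk acceptance criterion, fixed before any control is selected.
        self.acceptance_threshold = acceptance_threshold
        self.risks: List[Risk] = []

    def add(self, risk: Risk) -> bool:
        """Register a risk only if it has both a likelihood and an impact."""
        if risk.likelihood <= 0 or risk.impact <= 0:
            return False  # "Without likelihood and impact, there is no risk."
        self.risks.append(risk)
        return True

    def acceptable(self, risk: Risk) -> bool:
        return risk.score <= self.acceptance_threshold

    def decide(self, risk: Risk, treatment: Treatment, controls: Sequence[str] = ()) -> None:
        """Record a treatment: ACCEPT only within the criteria, CONTROL must name a control."""
        if treatment is Treatment.ACCEPT and not self.acceptable(risk):
            raise ValueError(f"{risk.asset}: score {risk.score} exceeds the acceptance criteria")
        if treatment is Treatment.CONTROL and not controls:
            raise ValueError(f"{risk.asset}: CONTROL treatment must name at least one control")
        risk.treatment = treatment
        risk.controls = list(controls)

    def untreated(self) -> List[Risk]:
        """Unacceptable risks that still have no treatment decision."""
        return [r for r in self.risks if not self.acceptable(r) and r.treatment is None]

    def justification(self) -> Dict[str, List[str]]:
        """Control -> assets whose risks justify it."""
        out: Dict[str, List[str]] = {}
        for r in self.risks:
            for c in r.controls:
                out.setdefault(c, []).append(r.asset)
        return out

    def unjustified(self, proposed_controls: Sequence[str]) -> List[str]:
        """Proposed controls with no risk behind them; the deck requires this list to be empty."""
        justified = self.justification()
        return [c for c in proposed_controls if c not in justified]


def build_sample_register() -> RiskRegister:
    """Constructed sample assessment (not real data); threshold 6 on a 0..25 score range."""
    reg = RiskRegister(acceptance_threshold=6)
    db = Risk("customer database", "external attacker", "unpatched web server", "C", 4, 5)
    room = Risk("server room", "fire", "single site, no offsite copy", "A", 2, 5)
    laptop = Risk("sales laptop", "theft", "disk not encrypted", "C", 3, 4)
    phones = Risk("staff phone list", "data-entry error", "no review step", "I", 2, 2)
    brochure = Risk("public brochure", "disclosure", "published on website", "C", 5, 0)
    for r in (db, room, laptop, phones, brochure):
        reg.add(r)  # brochure is rejected: a public document has no confidentiality impact
    reg.decide(db, Treatment.CONTROL, ["PATCH-MANAGEMENT"])  # placeholder control name
    reg.decide(room, Treatment.TRANSFER)                     # insure against the loss
    reg.decide(phones, Treatment.ACCEPT)                     # score 4 <= 6: within criteria
    # The laptop risk (score 12) is deliberately left undecided so untreated() reports it.
    return reg
```

Running `build_sample_register().untreated()` lists the laptop risk as the one still needing a decision, and `unjustified([...])` flags any control that nobody can trace back to a registered risk.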

Safe and Secure - The Importance of Risk Management
• An Information Security Management System (ISMS) will
  help your organisation to become ISO 27001 certified.

• This certification will tell your potential customers,
  employees and partners that your information systems
  are safe and secure.




Safe and secure – so what?


• It’s not your word – your information systems are safe and secure to
  a recognisable, externally audited, international standard.

• Tells existing and potential customers, employees and partners, as
  well as regulators that you have defined and put in place effective
  information security processes, thus helping create a trusting
  relationship.

• You are good to do business with!


Summary

• Information security risk analysis is a difficult task
  involving experience and knowledge of the environment
  being analysed.
• A number of risk analysis and management methods
  have been proposed for both commercial and
  government sectors; these methods are currently
  available either in the form of guidelines to be applied
  manually or as software packages.
• There are tools to help – vsRisk demoed in next week’s
  webinar.
Next Steps – Upcoming Educational Webinars
• Webinar 3 – Carrying out a Risk Assessment using
  vsRisk - Thursday March 14th, 4pm UK Time.

• Webinar 4 - Maintaining and Updating your Risk
  Assessment using vsRisk - Thursday March 21st, 4pm
  UK Time.

• Register for both/either at
  http://www.vigilantsoftware.co.uk/webinars.aspx

Before the next webinars…

Read a book…
Read the world's first practical e-book guidance on achieving ISO 27001
certification and the nine essential steps to an effective ISMS implementation.
Available for £29.95 at http://www.vigilantsoftware.co.uk/product/1651.aspx

Download a free trial of vsRisk
The cyber security risk assessment tool compliant to ISO 27001 that automates
and accelerates the risk management process.
15-day free trial at http://www.vigilantsoftware.co.uk

Next Steps – Special March offer of risk assessment software vsRisk
• Purchases of vsRisk in March will include for free the information
  security risk management standard, ISO 27005 (worth £100) and a
  copy of the book Information Security Risk Management for ISO
  27001/ISO 27002 (worth £39.95).

• To claim this offer, please visit www.vigilantsoftware.co.uk.

• Offer valid until Thursday March 28th.




Next Steps – Want to know more?


If you would like to know more about ISO 27001, including
how to carry out an ISO 27001-compliant risk assessment,
please visit http://www.vigilantsoftware.co.uk or email
servicecentre@vigilantsoftware.co.uk.




Questions – we welcome them all!

Please type your questions into the Webex chat window –
responses will generally be verbal and shared with all
delegates.





More Related Content

What's hot

Cyber Security Tips for students_Deepak
Cyber Security Tips for students_Deepak Cyber Security Tips for students_Deepak
Cyber Security Tips for students_Deepak Deepak Khari
 
Firewall
FirewallFirewall
FirewallApo
 
Cybersecurity - Introduction and Preventive Measures
Cybersecurity - Introduction and Preventive MeasuresCybersecurity - Introduction and Preventive Measures
Cybersecurity - Introduction and Preventive MeasuresAditya Ratnaparkhi
 
Cybersecurity Awareness Session by Adam
Cybersecurity Awareness Session by AdamCybersecurity Awareness Session by Adam
Cybersecurity Awareness Session by AdamMohammed Adam
 
Two Factor Authentication
Two Factor AuthenticationTwo Factor Authentication
Two Factor AuthenticationNikhil Shaw
 
Cybersecurity Awareness Training Presentation v1.2
Cybersecurity Awareness Training Presentation v1.2Cybersecurity Awareness Training Presentation v1.2
Cybersecurity Awareness Training Presentation v1.2DallasHaselhorst
 
What is Ransomware?
What is Ransomware?What is Ransomware?
What is Ransomware?Datto
 
IT Security PowerPoint Presentation Slides
IT Security PowerPoint Presentation SlidesIT Security PowerPoint Presentation Slides
IT Security PowerPoint Presentation SlidesSlideTeam
 
Ransomware and tips to prevent ransomware attacks
Ransomware and tips to prevent ransomware attacksRansomware and tips to prevent ransomware attacks
Ransomware and tips to prevent ransomware attacksdinCloud Inc.
 
Computer security risks
Computer security risksComputer security risks
Computer security risksAasim Mushtaq
 
Presentation, Firewalls
Presentation, FirewallsPresentation, Firewalls
Presentation, Firewallskkkseld
 
5 Highest-Impact CASB Use Cases - Office 365
5 Highest-Impact CASB Use Cases - Office 3655 Highest-Impact CASB Use Cases - Office 365
5 Highest-Impact CASB Use Cases - Office 365Netskope
 
Spam & Phishing
Spam & PhishingSpam & Phishing
Spam & PhishingGrittyCC
 
Cybersecurity Awareness Training Presentation v1.0
Cybersecurity Awareness Training Presentation v1.0Cybersecurity Awareness Training Presentation v1.0
Cybersecurity Awareness Training Presentation v1.0DallasHaselhorst
 
Firewall Security Definition
Firewall Security DefinitionFirewall Security Definition
Firewall Security DefinitionPatten John
 

What's hot (20)

Cyber Security Tips for students_Deepak
Cyber Security Tips for students_Deepak Cyber Security Tips for students_Deepak
Cyber Security Tips for students_Deepak
 
Firewall
FirewallFirewall
Firewall
 
Security Awareness Training by Fortinet
Security Awareness Training by FortinetSecurity Awareness Training by Fortinet
Security Awareness Training by Fortinet
 
Firewall
FirewallFirewall
Firewall
 
Cybersecurity - Introduction and Preventive Measures
Cybersecurity - Introduction and Preventive MeasuresCybersecurity - Introduction and Preventive Measures
Cybersecurity - Introduction and Preventive Measures
 
Cybersecurity Awareness Session by Adam
Cybersecurity Awareness Session by AdamCybersecurity Awareness Session by Adam
Cybersecurity Awareness Session by Adam
 
Two Factor Authentication
Two Factor AuthenticationTwo Factor Authentication
Two Factor Authentication
 
Cybersecurity Awareness Training Presentation v1.2
Cybersecurity Awareness Training Presentation v1.2Cybersecurity Awareness Training Presentation v1.2
Cybersecurity Awareness Training Presentation v1.2
 
What is Ransomware?
What is Ransomware?What is Ransomware?
What is Ransomware?
 
IT Security PowerPoint Presentation Slides
IT Security PowerPoint Presentation SlidesIT Security PowerPoint Presentation Slides
IT Security PowerPoint Presentation Slides
 
Firewall in Network Security
Firewall in Network SecurityFirewall in Network Security
Firewall in Network Security
 
Ransomware and tips to prevent ransomware attacks
Ransomware and tips to prevent ransomware attacksRansomware and tips to prevent ransomware attacks
Ransomware and tips to prevent ransomware attacks
 
Computer security risks
Computer security risksComputer security risks
Computer security risks
 
Presentation, Firewalls
Presentation, FirewallsPresentation, Firewalls
Presentation, Firewalls
 
Vulnerability and Patch Management
Vulnerability and Patch ManagementVulnerability and Patch Management
Vulnerability and Patch Management
 
[9] Firewall.pdf
[9] Firewall.pdf[9] Firewall.pdf
[9] Firewall.pdf
 
5 Highest-Impact CASB Use Cases - Office 365
5 Highest-Impact CASB Use Cases - Office 3655 Highest-Impact CASB Use Cases - Office 365
5 Highest-Impact CASB Use Cases - Office 365
 
Spam & Phishing
Spam & PhishingSpam & Phishing
Spam & Phishing
 
Cybersecurity Awareness Training Presentation v1.0
Cybersecurity Awareness Training Presentation v1.0Cybersecurity Awareness Training Presentation v1.0
Cybersecurity Awareness Training Presentation v1.0
 
Firewall Security Definition
Firewall Security DefinitionFirewall Security Definition
Firewall Security Definition
 

Similar to The importance of information security risk management

The Importance of Risk Management
The Importance of Risk ManagementThe Importance of Risk Management
The Importance of Risk ManagementVigilant Software
 
Using vsRisk to carry out a risk assessment
Using vsRisk to carry out a risk assessmentUsing vsRisk to carry out a risk assessment
Using vsRisk to carry out a risk assessmentMichael Francis
 
Why ISO27001/ISO27005 for my organisation
Why ISO27001/ISO27005 for my organisationWhy ISO27001/ISO27005 for my organisation
Why ISO27001/ISO27005 for my organisationMichael Francis
 
Maintaining and updating your risk assessment using vsRisk
Maintaining and updating your risk assessment using vsRiskMaintaining and updating your risk assessment using vsRisk
Maintaining and updating your risk assessment using vsRiskMichael Francis
 
Why ISO27001 For My Organisation
Why ISO27001 For My OrganisationWhy ISO27001 For My Organisation
Why ISO27001 For My OrganisationVigilant Software
 
Maintaining and updating your risk assessment using vsRisk
Maintaining and updating your risk assessment using vsRiskMaintaining and updating your risk assessment using vsRisk
Maintaining and updating your risk assessment using vsRiskVigilant Software
 
vsRisk - features and benefits.ppt
vsRisk - features and benefits.pptvsRisk - features and benefits.ppt
vsRisk - features and benefits.pptscribdJobAN
 
8 requirements to get iso 27001 certification in sri lanka
8 requirements to get iso 27001 certification in sri lanka8 requirements to get iso 27001 certification in sri lanka
8 requirements to get iso 27001 certification in sri lankaAnoosha Factocert
 
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001PECB
 
Cyber Security and Cloud Security
Cyber Security and Cloud SecurityCyber Security and Cloud Security
Cyber Security and Cloud SecurityIT Governance Ltd
 
Neupart webinar 1: Four shortcuts to better risk assessments
Neupart webinar 1: Four shortcuts to better risk assessmentsNeupart webinar 1: Four shortcuts to better risk assessments
Neupart webinar 1: Four shortcuts to better risk assessmentsLars Neupart
 
A Comprehensive Guide To Information Security Excellence ISO 27001 Certificat...
A Comprehensive Guide To Information Security Excellence ISO 27001 Certificat...A Comprehensive Guide To Information Security Excellence ISO 27001 Certificat...
A Comprehensive Guide To Information Security Excellence ISO 27001 Certificat...Tromenz Learning
 
iso 27001 certification
iso 27001 certificationiso 27001 certification
iso 27001 certificationdenieljulian79
 
NQA Your Complete Guide to ISO 27001
NQA Your Complete Guide to ISO 27001NQA Your Complete Guide to ISO 27001
NQA Your Complete Guide to ISO 27001NA Putra
 
NQA Your Complete Guide to ISO 27001
NQA Your Complete Guide to ISO 27001NQA Your Complete Guide to ISO 27001
NQA Your Complete Guide to ISO 27001NQA
 
CISSP 8 Domains.pdf
CISSP 8 Domains.pdfCISSP 8 Domains.pdf
CISSP 8 Domains.pdfdotco
 
The significance of the Shift to Risk Management from Threat & Vulnerability ...
The significance of the Shift to Risk Management from Threat & Vulnerability ...The significance of the Shift to Risk Management from Threat & Vulnerability ...
The significance of the Shift to Risk Management from Threat & Vulnerability ...PECB
 

Similar to The importance of information security risk management (20)

The Importance of Risk Management
The Importance of Risk ManagementThe Importance of Risk Management
The Importance of Risk Management
 
Using vsRisk to carry out a risk assessment
Using vsRisk to carry out a risk assessmentUsing vsRisk to carry out a risk assessment
Using vsRisk to carry out a risk assessment
 
Why ISO27001/ISO27005 for my organisation
Why ISO27001/ISO27005 for my organisationWhy ISO27001/ISO27005 for my organisation
Why ISO27001/ISO27005 for my organisation
 
Maintaining and updating your risk assessment using vsRisk
Maintaining and updating your risk assessment using vsRiskMaintaining and updating your risk assessment using vsRisk
Maintaining and updating your risk assessment using vsRisk
 
Why ISO27001 For My Organisation
Why ISO27001 For My OrganisationWhy ISO27001 For My Organisation
Why ISO27001 For My Organisation
 
Maintaining and updating your risk assessment using vsRisk
Maintaining and updating your risk assessment using vsRiskMaintaining and updating your risk assessment using vsRisk
Maintaining and updating your risk assessment using vsRisk
 
vsRisk - features and benefits.ppt
vsRisk - features and benefits.pptvsRisk - features and benefits.ppt
vsRisk - features and benefits.ppt
 
Cyber Security Management
Cyber Security ManagementCyber Security Management
Cyber Security Management
 
8 requirements to get iso 27001 certification in sri lanka
8 requirements to get iso 27001 certification in sri lanka8 requirements to get iso 27001 certification in sri lanka
8 requirements to get iso 27001 certification in sri lanka
 
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
 
Cyber Security and Cloud Security
Cyber Security and Cloud SecurityCyber Security and Cloud Security
Cyber Security and Cloud Security
 
Neupart webinar 1: Four shortcuts to better risk assessments
Neupart webinar 1: Four shortcuts to better risk assessmentsNeupart webinar 1: Four shortcuts to better risk assessments
Neupart webinar 1: Four shortcuts to better risk assessments
 
A Comprehensive Guide To Information Security Excellence ISO 27001 Certificat...
A Comprehensive Guide To Information Security Excellence ISO 27001 Certificat...A Comprehensive Guide To Information Security Excellence ISO 27001 Certificat...
A Comprehensive Guide To Information Security Excellence ISO 27001 Certificat...
 
iso 27001 certification
iso 27001 certificationiso 27001 certification
iso 27001 certification
 
NQA Your Complete Guide to ISO 27001
NQA Your Complete Guide to ISO 27001NQA Your Complete Guide to ISO 27001
NQA Your Complete Guide to ISO 27001
 
NQA Your Complete Guide to ISO 27001
NQA Your Complete Guide to ISO 27001NQA Your Complete Guide to ISO 27001
NQA Your Complete Guide to ISO 27001
 
CISSP 8 Domains.pdf
CISSP 8 Domains.pdfCISSP 8 Domains.pdf
CISSP 8 Domains.pdf
 
The significance of the Shift to Risk Management from Threat & Vulnerability ...
The significance of the Shift to Risk Management from Threat & Vulnerability ...The significance of the Shift to Risk Management from Threat & Vulnerability ...
The significance of the Shift to Risk Management from Threat & Vulnerability ...
 
Iso 27001 Audit Evidence Acquisition
Iso 27001 Audit Evidence AcquisitionIso 27001 Audit Evidence Acquisition
Iso 27001 Audit Evidence Acquisition
 
Iso 27001 isms
Iso 27001 ismsIso 27001 isms
Iso 27001 isms
 

Recently uploaded

TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 

Recently uploaded (20)

TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Nell’iperspazio con Rocket: il Framework Web di Rust!

The importance of information security risk management

  • 1. The Importance of Risk Management
    Alan Calder, CEO, Vigilant Software
    Thursday March 7th
    PLEASE NOTE THAT ALL DELEGATES IN THE TELECONFERENCE ARE MUTED ON JOINING. Q&A IS HANDLED THROUGH A COMBINATION OF WEBEX CHAT/TEXT AND VOICE
    “The definitive risk assessment tool for ISO27001 certification” Copyright © Vigilant Software Ltd 2013
  • 2. Alan Calder
    • CEO and founder of Vigilant Software
    • Acknowledged information security/risk management thought leader
    • Managed the world’s first successful ISO27001 (then BS7799) implementation project in 1996
    • Frequent media commentator on risk management issues
    • Co-author of vsRisk™ – the definitive cybersecurity risk assessment tool
  • 3. Today’s Webinar in Context
    • Today’s webinar is #2 in an educational series.
    • The 4 webinars are designed to take you on a learning journey:
      • Webinar 1 – Why ISO 27001 for my Organisation?
      • Webinar 2 (Today) – The Importance of risk management.
      • Webinar 3 – Carrying out a risk assessment using vsRisk.
      • Webinar 4 – Maintaining/updating your risk assessment using vsRisk.
    Registration details of future webinars at the end.
  • 4. Today’s Agenda
    • A short 20-30 minute educational and informative talk:
      • Quick recap of last week’s webinar – Why ISO 27001 for my Organisation?
      • The importance of risk management.
    • Ample time for Q&A.
    • Next steps.
  • 5. Recap – last week’s webinar
    In last week’s webinar we covered:
    • What is information security?
    • What is an information security management system (ISMS)?
    • What is ISO 27001?
    • Why should I and my organisation care about ISO 27001?
  • 6. Information Security Terms and Phrases
    • Information security: preservation of confidentiality, integrity and availability of information; in addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved.
    • Confidentiality: the property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
    • Integrity: the property of safeguarding the accuracy and completeness of assets.
    • Availability: the property of being accessible and usable upon demand by an authorized entity.
    • Asset: anything that has value to the organization.
  • 7. What is a Risk?
    A risk exists where there is an identifiable likelihood of an identified threat exploiting an identified vulnerability in relation to the confidentiality, availability or integrity of an asset, and where that compromise will have a quantifiable impact on the organisation.
    Without likelihood and impact, there is no risk.
  • 8. What is a risk assessment?
    • A risk assessment is the core competence of information security management.
    • ISO 27001 explicitly asks for:
      • a risk assessment to be carried out before any controls are selected and implemented.
      • every control to be justified by a risk assessment.
    • Plan-do-check-act model.
  • 9. Plan-Do-Check-Act
    [Figure: Plan-Do-Check-Act cycle]
  • 10. What is a risk assessment?
    • The risk assessment must:
      • Identify the threat/vulnerability combinations that have a likelihood of impacting the confidentiality, availability or integrity of each asset within a scope.
      • This must be done from a business, compliance or contractual perspective.
  • 11. Benefits of risk assessment?
    • Spend on controls is balanced against business harm likely to result from security failures.
    • Existing over-expenditure can be re-allocated to areas of weakness.
    • Information security management decisions are entirely made by the outcomes from a risk assessment – so they are objective.
  • 12. Risk assessment process
    [Figure: Assets → Threats → Vulnerabilities → Analysis → Risks → Treatment → Countermeasures/Safeguards (identification and implementation)]
  • 13. Risk Management: Asset Documentation
    Produce inventory of all assets:
    • All physical computing resources (computers, servers, PDAs, etc.)
    • Buildings
    • Telephones, mobile phones
    • Storage facilities
    • Information assets: databases, documentation, blueprints
    • People
    Maintain Asset Register!
    Control Cat. A.7 is Asset Management: consider when preparing for risk assessment.
  • 14. Risk Management: Asset Management
    • Responsibility for assets.
    • Information classification.
    • Sensitivity guidelines.
    • Sensitivity labelling.
  • 15. Risk Assessment – Objective
    To inform a proper balance of safeguards against risk of failing to meet business objectives.
    • For a given exposure, removal of safeguards will increase the risk of loss.
    • Too many safeguards could make the security system too expensive/bureaucratic.
    • Method by which expenditure on security and contingency can be justified.
  • 16. Risk assessment
    • Define approach.
    • Comparable and reproducible.
    • Develop criteria for acceptance of risk and identifying acceptable level of risk.
    • Risk Acceptance Criteria.
  • 17. Treatment of Risk
    After completing analysis of risk, you need to decide how to manage it. Treatment of risk:
    • Accept? (Criteria already developed).
    • Eliminate the risk by work around or other arrangements.
    • Control the risk to bring it to an acceptable level.
    • Transfer it to a third party (e.g. via insurance).
    Then select controls.
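The definition of risk from slide 7, the acceptance criteria from slide 16 and the four treatment options from slide 17, put together as a small risk register. This is an added example, not code from the deck or from vsRisk; the 1–5 likelihood and impact scales, the acceptance threshold and the register entries are constructed for illustration.

```python
# Added example (not from the deck or vsRisk): a minimal ISO 27001-style risk
# register. Risk = likelihood of a threat exploiting a vulnerability against an
# asset's C/I/A, with quantifiable impact; scales and threshold are constructed.
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Treatment(Enum):
    ACCEPT = "accept"        # within the acceptance criteria
    ELIMINATE = "eliminate"  # remove by work-around or other arrangement
    CONTROL = "control"      # apply safeguards to reach an acceptable level
    TRANSFER = "transfer"    # e.g. insurance


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    cia: str                 # property at risk: "C", "I" or "A"
    likelihood: int          # 1 (rare) .. 5 (almost certain), constructed scale
    impact: int              # 1 (negligible) .. 5 (severe), constructed scale
    treatment: Optional[Treatment] = None

    def score(self) -> int:
        return self.likelihood * self.impact  # no likelihood or impact, no risk


ACCEPTANCE_THRESHOLD = 6  # constructed criterion: a score <= 6 is acceptable


def assess(risk: Risk, threshold: int = ACCEPTANCE_THRESHOLD) -> Risk:
    """Apply the acceptance criterion. Unacceptable risks default to CONTROL
    unless ELIMINATE or TRANSFER was already chosen for them."""
    if risk.score() <= threshold:
        risk.treatment = Treatment.ACCEPT
    elif risk.treatment not in (Treatment.ELIMINATE, Treatment.TRANSFER):
        risk.treatment = Treatment.CONTROL
    return risk


def treatment_plan(risks: List[Risk]) -> List[Tuple[str, int, str]]:
    """(asset, score, treatment) per risk, highest score first, so spend on
    controls is prioritised by the business harm it prevents."""
    assessed = sorted((assess(r) for r in risks), key=lambda r: r.score(), reverse=True)
    return [(r.asset, r.score(), r.treatment.value) for r in assessed]


SAMPLE_REGISTER = [  # constructed entries
    Risk("Customer database", "External attacker", "Unpatched DB server", "C", 4, 5),
    Risk("Office laptops", "Theft", "No full-disk encryption", "C", 3, 4, Treatment.TRANSFER),
    Risk("Intranet wiki", "Hardware failure", "No backups", "A", 2, 2),
]
```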
  • 18. Safe and Secure – The Importance of Risk Management
    • An Information Security Management System (ISMS) will help your organisation to become ISO 27001 certified.
    • This certification will tell your potential customers, employees and partners that your information systems are safe and secure.
  • 19. Safe and secure – so what?
    • It’s not your word – your information systems are safe and secure to a recognisable, externally audited, international standard.
    • Tells existing and potential customers, employees and partners, as well as regulators, that you have defined and put in place effective information security processes, thus helping create a trusting relationship.
    • You are good to do business with!
  • 20. Summary
    • Information security risk analysis is a difficult task involving experience and knowledge of the environment being analysed.
    • A number of risk analysis and management methods have been proposed for both commercial and government sectors. These methods are currently available either in the form of guidelines to be applied manually or as software packages.
    • There are tools to help – vsRisk demoed in next week’s webinar.
  • 21. Next Steps – Upcoming Educational Webinars
    • Webinar 3 – Carrying out a Risk Assessment using vsRisk – Thursday March 14th, 4pm UK Time.
    • Webinar 4 – Maintaining and Updating your Risk Assessment using vsRisk – Thursday March 21st, 4pm UK Time.
    • Register for both/either at http://www.vigilantsoftware.co.uk/webinars.aspx
  • 22. Before the next webinars…
    • Download a free trial of vsRisk: the cyber security risk assessment tool compliant to ISO 27001 that automates and accelerates the risk management process. 15-day free trial at http://www.vigilantsoftware.co.uk
    • Read a book: read the world's first practical e-book guidance on achieving ISO 27001 certification and the nine essential steps to an effective ISMS implementation. Available for £29.95 at http://www.vigilantsoftware.co.uk/product/1651.aspx
  • 23. Next Steps – Special March offer of risk assessment software vsRisk
    • Purchases of vsRisk in March will include for free the information security risk management standard, ISO 27005 (worth £100) and a copy of the book Information Security Risk Management for ISO 27001/ISO 27002 (worth £39.95).
    • To claim this offer, please visit www.vigilantsoftware.co.uk.
    • Offer valid until Thursday March 28th.
  • 24. Next Steps – Want to know more?
    If you would like to know more about ISO 27001, including how to carry out an ISO 27001-compliant risk assessment, please visit http://www.vigilantsoftware.co.uk or email servicecentre@vigilantsoftware.co.uk.
  • 25. Questions – we welcome them all!
    Please type your questions into the Webex chat window – responses will generally be verbal and shared with all delegates.