ISO 27005 Risk Manager Course Instructor Guide


Certified ISO 27005 Risk Manager, release 1.0.0

INSTRUCTOR GUIDE


ITpreneurs Nederland B.V. is affiliated to Veridion.


Copyright © 2013 ITpreneurs. All rights reserved.


Copyright and Trademark Information for Partners/Stakeholders.


Certified ISO 27005 Risk Manager, Classroom course, release 1.0.0


Copyright


Please note that the information contained in this material is subject to change without notice. Furthermore, this material contains proprietary information that is protected by copyright. No part of this material may be photocopied, reproduced, or translated to another language without the prior consent of ITpreneurs Nederland B.V.


The language used in this course is US English. Our sources of reference for grammar, syntax, and mechanics are from The Chicago Manual of Style, The American Heritage Dictionary, and the Microsoft Manual of Style for Technical Publications.


Certified ISO 27005 | Risk Manager | Instructor Guide

Follow Us

Before you start the course, please take a moment to:

"Like us" on Facebook: http://www.facebook.com/ITpreneurs

"Follow us" on Twitter: http://twitter.com/ITpreneurs

"Add us in your circle" on Google Plus: http://gplus.to/ITpreneurs

"Link with us" on LinkedIn: http://www.linkedin.com/company/ITpreneurs

"Watch us" on YouTube: http://www.youtube.com/user/ITpreneurs

Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved.



Contents

Certified ISO 27005 Risk Manager
Day 1 ------------------------------------------------------------- 5
Day 2 ------------------------------------------------------------- 103
Exam Preparation Guide -------------------------------------------- 217
Appendix A: Case Study -------------------------------------------- 227
Appendix B: Exercises List ---------------------------------------- 235
Appendix C: Correction Key for Exercises -------------------------- 251
Appendix D: Release Notes ----------------------------------------- 263
Instructor Feedback Form ------------------------------------------ 265



Certified ISO 27005 Risk Manager: Day 1


DAY 1

Certified ISO 27005 Risk Manager

Content

Section 1: Course objectives and structure
Section 2: Concepts and definitions of risk
Section 3: Standard and regulatory framework
Section 4: Implementing a risk management programme
Section 5: Understanding the organization and its context
Section 6: Risk identification
Section 7: Risk analysis and risk evaluation
Section 8: Risk assessment with a quantitative method
Section 9: Risk treatment
Section 10: Risk acceptance and residual risk management
Section 11: Information Security Risk Communication and Consultation
Section 12: Risk monitoring and review

© 2008 PECB, Version 4.7, Eric Lachapelle, Document number: 27005RMV4.7

Documents provided to participants are strictly reserved for training purposes and are copyrighted by PECB. Unless otherwise specified, no part of this publication may be, without PECB’s written permission, reproduced or used in any way or format or by any means, whether electronic or mechanical, including photocopy and microfilm.


Normative references used in this training

1. Main standards
- ISO Guide 73:2009, Risk management – Vocabulary.
- ISO/IEC 27000:2009, Information technology — Security techniques — Information security management systems — Overview and vocabulary.
- ISO/IEC 27001:2005, Information Security Management Systems – Requirements.
- ISO/IEC 27002:2005, Information technology — Security techniques — Code of practice for information security management.
- ISO/IEC 27005:2011, Information technology — Security techniques — Information security risk management.
- ISO 31000:2009, Risk Management – Principles and Guidelines.
- ISO/IEC 31010:2009, Risk management — Risk assessment techniques.

2. Other standard references
- ISO 9000:2005, Quality management systems – Fundamentals and vocabulary.
- ISO 9001:2008, Quality management systems – Requirements.
- ISO 14001:2004, Environmental management systems – Requirements with guidance for use.
- ISO 17024:2003, Conformity assessment — General requirements for bodies operating certification of persons.
- OHSAS 18001:2007, Occupational Health and Safety Management Systems — Requirements.
- ISO/IEC 20000-1:2011, Information technology — Service management — Part 1: Service management system requirements.
- ISO/IEC 20000-2:2012, Information technology — Service management — Part 2: Guidance on the application of service management systems.
- ISO 22000:2005, Food safety management systems — Requirements for any organization in the food chain.
- ISO 22301:2012, Societal security — Business continuity management systems — Requirements.
- ISO/IEC 27003:2010, Information technology — Security techniques — Information security management system implementation guidance.
- ISO 28000:2007, Specification for security management systems for the supply chain.

List of acronyms and abbreviations used in this training

ANSI: American National Standards Institute
BS: British Standard
CERT: Computer Emergency Response Team
CMS: Content Management System
CobiT: Control Objectives for Business and related Technology
COSO: Committee of Sponsoring Organizations of the Treadway Commission
CPD: Continuing Professional Development
DMS: Document Management System
EDM: Electronic Document Management System
EMS: Environment management system
FISMA: Federal Information Security Management Act
GAAS: Generally Accepted Auditing Standards
GLBA: Gramm-Leach-Bliley Act
HIPAA: Health Insurance Portability and Accountability Act
IMS2: Integrated Implementation Methodology for Management Systems and Standards
ISMS: Information security management system
ISO: International Standards Organization
ITIL: Information Technology Infrastructure Library
LA: Lead auditor
LI: Lead Implementer
NC: Non-conformity
NIST: National Institute of Standards and Technology
OHSAS: Occupational Health and Safety Assessment Series
OECD: Organization for Economic Co-operation and Development
PCI-DSS: Payment Card Industry Data Security Standard
PDCA: Plan-Do-Check-Act
PECB: Professional Evaluation and Certification Board
QMS: Quality management system
ROI: Return on Investment
ROSI: Return on Security Investment
SMS: Service management system
SOX: Sarbanes-Oxley Act



Section 1: Course objectives and structure

a. Meet and greet
b. General information
c. Training objectives
d. Educational approach
e. Examination and certification
f. PECB
g. Schedule of the training

Activity: Meet and greet

To break the ice, participants introduce themselves stating:
- Name;
- Current position;
- Knowledge of and experience with risk management and information security standards such as ISO 27001, ISO 27005 and ISO 31000;
- Knowledge of and experience with risk management;
- Course expectations and objectives.

Duration of activity: 20 minutes

General Information

- Use of a computer and access to the Internet
- Smoking area
- Use of mobile phones and recording devices
- Meals
- Absences
- Timetable and breaks

For simplification, only the masculine is used throughout this training; this is not meant to offend anyone. In case of emergency, please be aware of the exits. Agree on the course schedule and two breaks (be on time). Set your cell phone to vibrate and, if you need to take a call, please take it outside the classroom. Recording devices are prohibited because they may restrict free discussion.


Training Objectives

Acquiring knowledge:
1. Understand the basic concepts of risk management related to information security
2. Explain the goal, content and correlation between ISO 27005, ISO 31000 and ISO 27001, as well as with other standards and regulatory frameworks
3. Explain the functioning of a risk management system according to ISO 27005 and ISO 31000 and its key processes

The main objective of this training is to acquire and/or enhance the competency to participate in the implementation of a risk management programme according to ISO 27005 and ISO 31000. From an educational point of view, competency consists of the following 3 elements:
- Knowledge;
- Skill;
- Behavior (attitude).

It should be noted that the training focuses on the acquisition of knowledge in risk management related to information security and not on the acquisition of expertise on a particular methodology of risk management.

To obtain further knowledge on risk assessment methods, we recommend that you attend a practical workshop on a specific method such as OCTAVE, Mehari or EBIOS.

At the end of this course, participants will have obtained the competency on how to implement and manage a risk management program and not only on why or what to do.


Training Objectives

Development of competencies:
1. Acquire the knowledge necessary for the implementation, management and maintenance of an ongoing risk management programme
2. Interpret the requirements of ISO 27001 on risk management
3. Acquire the skills necessary to effectively advise organizations on the best practices in risk management
4. Strengthen the personal qualities necessary to act with due professional care when implementing a risk management programme

The objective of this training is to ensure that, from the day following the end of the training, the candidate can actively participate in the planning and implementation of a framework for risk management according to ISO 27005 and ISO 31000.


This training focuses on the reality of implementing a risk management programme. The case study and lessons learned are used to simulate conditions as close as possible to reality in the field. The tools and templates provided in this training are based on those currently used by several organizations.


Course Structure

Student oriented. This course is primarily based on:
- Trainer-led sessions, where questions are welcomed.
- Student involvement in various ways: exercises, case studies, role-plays, notes, comments, discussions (participant experiences).

Remember, this course is yours: you are the main players of its success. Students are encouraged to take additional notes.


Exercises are essential in the acquisition of the competencies necessary to allow an effective management of risk. Thus it is very important to do them conscientiously. In addition, these exercises are used to prepare students for the final exam.


Examination

Competency domains:
1. Fundamental principles and concepts in information security risk management
2. Information security risk management program
3. Information security risk assessment
4. Information security risk treatment
5. Information security risk communication, monitoring and improvement

The objective of the certification examination is to ensure that auditor candidates have mastered the concepts and techniques related to risk management according to ISO 27005 and ISO 31000 so that they are able to participate in assignments.


The PECB examination committee shall ensure that the development and adequacy of the exam questions are maintained based upon current professional practice. The questions are developed and maintained by a committee of risk management specialists who are all Certified ISO 27005 Risk Managers.

The exam only contains essay questions. The duration of the exam is 2 hours. The minimum passing score is 70%.

All notes and reference documents may be used during the exam, excluding the use of a computer.

The exam is available in several languages. When taking the exam, please ask the trainer or check on the PECB website for the list of available languages.

All five competency domains are covered by the examination. To read a detailed description of each competency domain, please visit the PECB website.


Prerequisites for Certification

Certified ISO 27005 Risk Manager:
1. Pass the exam
2. Adhere to the PECB Code of Ethics
3. 2 years professional experience
4. 1 year risk management experience
5. 200 hours risk management activity
6. Professional references

Passing the exam is not the only prerequisite to obtain the credential of “Certified ISO 27005 Risk Manager”. This credential endorses both passing the exam and the validation of the professional experience records.

The set of criteria and the certification process are explained on the last day of the training.

A candidate with lesser experience can apply for the credential of “Certified ISO 27005 Provisional Risk Manager”.


Important note: Certification fees are included in the examination price. The candidate therefore does not have to pay any additional costs when applying for certification at the corresponding experience level and receiving one of the other professional credentials.

Certificate

Candidates who meet all the prerequisites for certification will receive a certificate.

After passing the exam, the candidate has a maximum period of three years to apply for one of the professional credentials related to the ISO 27005 certification scheme.


When the candidate is certified, he will receive from PECB, via electronic mail, a certificate valid for three years. To maintain his certification, the applicant must demonstrate every year that he is satisfying the requirements for the assigned credential and abiding by PECB’s Code of Ethics. To learn more about the certificate maintenance and renewal procedure, please visit the PECB website. At the end of the training, more details will be given.


An electronic (.PDF) course completion certificate, valid for 21 CPD (Continuing Professional Development) credits, will be issued (sent via email) to participants after the training.

What is PECB?

Professional Evaluation and Certification Board. Main services:
1. Certification of personnel (Auditor and Implementer)
2. Certification of training organizations
3. Certification of trainers

Founded in 2005, PECB is a personnel certification body for various standards, including ISO 9001 (Quality), ISO 14001 (Environment), OHSAS 18001 (Health & Safety), ISO 20000 (IT Service), ISO 22000 (Food safety), ISO 22301 (Business continuity), ISO 26000 (Social Responsibility), ISO 27001 (Information security), ISO 27005 (Information security risk) and ISO 28000 (Supply Chain Security).


Our mission is to provide our clients with comprehensive individual examination and certification services. PECB develops, maintains and continually improves high quality recognized certification programs. PECB is accredited by ANSI under ISO/IEC 17024 (accreditation ID: 1003). PECB is the only personnel certification body certified ISO 9001 and ISO 27001.


The purpose of PECB, as stated in its Bylaws, is to develop and promote professional standards for certification and to administer credible certification programs for individuals who practice in disciplines involving the audit and the implementation of a compliant management system. This principal purpose includes:
- Establishing the minimum requirements necessary to qualify certified professionals;
- Reviewing and verifying the qualifications of applicants for eligibility to sit for the certification examinations;
- Developing and maintaining reliable, valid, and current certification examinations;
- Granting certificates to qualified candidates, maintaining certificant records, and publishing a directory of the holders of valid certificates;
- Establishing requirements for the periodic renewal of certification and determining compliance with those requirements;
- Ascertaining that certificants meet and continue to meet the PECB Code of Ethics;
- Representing its members, where appropriate, in matters of common interest;
- Promoting the benefits of certification to employers, public officials, practitioners in related fields, and the public.


Customer Service

Comments, questions and complaints (parties involved: Participant, Training Provider, PECB):
1. Submit a complaint
2. Answer in writing
3. Appeal
4. Final arbitration

In order to ensure your satisfaction and continually improve the training, examination and certification processes, PECB Customer Service has established a support ticket system for handling complaints and services for our clients.

As a first step, we invite you to discuss the situation with the trainer. If necessary, do not hesitate to contact the head of the training organization where you are registered. In all cases, we remain at your disposal to arbitrate any dispute that might arise between you and these parties.

To send comments, questions or complaints, please open a ticket on PECB’s website in the Contact Us section.

If you have suggestions for improving PECB’s training materials, we'd like to hear from you. We read and evaluate the input we get from our members. Please open a ticket directed to the Training Department on PECB’s website in the Contact Us section.

In case of dissatisfaction with the training (trainer, training room, equipment,...), the examination or the certification processes, please open a ticket under “Make a complaint” category on PECB’s website in the Contact Us section.

Section summary:

The main objective of this training is to acquire the competencies to participate in the implementation of a risk management programme according to ISO 27005 and ISO 31000. Success of the training is based on participant involvement (experience feedback, discussions, exercises, etc.). The final exam is an open-book 2-hour exam and is focused on understanding the concepts of risk management applied to concrete cases.

QUESTIONS?


Section 2: Concepts and definitions of risk

a. Concepts of risk
b. Scientific definition of risk
c. Risk and statistics
d. Opportunities of risk
e. The perception of risk
f. Information security risk
g. The 11 principles of Risk Management
h. Advantages of Risk Management

Exercise 1: Myths and Realities - Risk Management

Certified ISO 27005 Risk Manager: Day 2


DAY 2

Certified ISO 27005 Risk Manager

Content

Section 1: Course objectives and structure
Section 2: Concepts and definitions of risk
Section 3: Standard and regulatory framework
Section 4: Implementing a risk management programme
Section 5: Understanding the organization and its context
Section 6: Risk identification
Section 7: Risk analysis and risk evaluation
Section 8: Risk assessment with a quantitative method
Section 9: Risk treatment
Section 10: Risk acceptance and residual risk management
Section 11: Information Security Risk Communication and Consultation
Section 12: Risk monitoring and review


Section 6: Risk identification

a. Techniques for gathering information
b. Identification of assets
c. Identification of threats
d. Identification of existing controls
e. Identification of vulnerabilities
f. Identification of consequences

ISO 31000, clause 5.4.2: Risk identification

The organization should identify sources of risk, areas of impacts, events (including changes in circumstances) and their causes and their potential consequences. The aim of this step is to generate a comprehensive list of risks based on those events that might create, enhance, prevent, degrade, accelerate or delay the achievement of objectives. It is important to identify the risks associated with not pursuing an opportunity. Comprehensive identification is critical, because a risk that is not identified at this stage will not be included in further analysis.


Identification should include risks whether or not their source is under the control of the organization, even though the risk source or cause may not be evident. Risk identification should include examination of the knock-on effects of particular consequences, including cascade and cumulative effects. It should also consider a wide range of consequences even if the risk source or cause may not be evident. As well as identifying what might happen, it is necessary to consider possible causes and scenarios that show what consequences can occur. All significant causes and consequences should be considered.


The organization should apply risk identification tools and techniques that are suited to its objectives and capabilities, and to the risks faced. Relevant and up-to-date information is important in identifying risks. This should include appropriate background information where possible. People with appropriate knowledge should be involved in identifying risks.


ISO 27005 information security risk management process (figure):

1. Risk Management Programme
2. Context Establishment
Risk Assessment:
  3. Risk Identification
    3.1 Identification of assets
    3.2 Identification of threats
    3.3 Identification of existing controls
    3.4 Identification of vulnerabilities
    3.5 Identification of consequences
  4. Risk Analysis
    4.1 Assessment of consequences
    4.2 Assessment of incident likelihood
    4.3 Level of risk determination
  5. Risk Evaluation
    5.1 Evaluation of levels of risk based on risk evaluation criteria
6. Risk Treatment
  6.1 Risk treatment options
  6.2 Risk treatment plan
  6.3 Evaluation of residual risk
7. Risk Acceptance
  7.1 Risk treatment plan acceptance
  7.2 Residual risk acceptance
8. Risk Communication and Consultation
9. Risk Monitoring and Review

In the risk identification phase, all potential risks should be listed in the form of scenarios. The result is the "Risk Catalog", commonly known as a hazard list.


The starting point of this approach is the identification of the information assets that can be affected in respect of their integrity, confidentiality, and availability. An asset can be a machine, software, a database, a process, or a document such as a contract: basically anything that has value for the company. It is from this list of assets that the risk analysis should be conducted, in order to establish a risk treatment plan that is in accordance with the ISMS policy and aligned with the business expectations of the company.

The threat identification step will allow the organization to determine the threats to its information security. At this stage, the organization selects and classifies the threats it believes are relevant within its context.

The analysis of controls that already exist within the organization should consist of assessing the full range of potential controls and allow concluding whether the recommended strategies are advantageous to the organization.

The identification of vulnerabilities is the phase where anomalies or errors (intrinsic to the construction or arising during operations) are detected that could be exploited by threats to the organization.

NOTE: Vulnerabilities are construction weaknesses or errors in the design (manufacturing) of a product, a service or a system. Vulnerabilities during operations are the weaknesses or errors during the putting into service or use of a product, a service or a system. At this stage, the analysis of vulnerabilities can be limited to the risk factors and risk items.

Finally, it is important to consider what the effect of the threats on potentially vulnerable assets would be, not only in terms of the probability or frequency of their occurrence, but also by measuring their possible effects. These consequences, depending on the circumstances and when they occur, can be negligible or catastrophic in terms of impact on the organization. The sequence and the linking of these activities will enable the organization to better assess the risks to which it is exposed.

Information Gathering Techniques

Questionnaire surveys: sending questionnaires to a sample of people who represent the stakeholders.

Interviews: interviews with key persons at different hierarchical levels within the organization.

Documentation review: reading and analysis of relevant documentation: internal policies, procedures, previous audit reports, legal opinions, contracts, etc.

Scanning tools: use of technical tools to detect technical vulnerabilities, establish a list of assets present on a network, perform a code review, etc.

The risk management team should build a detailed knowledge of risk from the collection of information obtained from multiple stakeholders. A risk assessment carried out only with computer security experts would be just as biased as if they were excluded.


Individual and Group Interview

Individual interview: individual interviews usually provide more accurate information and allow a more correct risk assessment.

Group interview: group interviews are more effective to establish basic criteria to reach a consensus on risk assessment, discuss treatment options, etc.

Some people might question the value of asking detailed security questions to people without professional experience in matters of risks associated with information protection. Experience shows, however, that it is essential to ascertain the views of stakeholders, expert or not, on the exposure of the resources they manage. Those responsible for business processes will bring a much more "business" oriented view on risks; e.g. the public relations officer will indicate his concern about the risk of image and reputation damage.


Individual interview

Individual interviews are preferred because one can concentrate on the risk assessment of a single person. In general, it is possible to obtain more detailed information (contrary to a group interview, where each member gives his summarized opinion), and individual interviews prevent a dominant member of the group from influencing the responses of others (“sheep” effect).


The individual interview makes it easier to:
- Read the body language of the individual interviewed
- Identify the sensitive elements of the discussion
- Ensure the confidentiality of discussions with the interviewee
- Adjust the follow-up questions
- Obtain detailed information
- Avoid having dominant members influence others

Group interview

Group interviews are more effective to establish basic criteria to reach a consensus on risk assessment, discuss treatment options, etc. between the different members of a group.


Conducting an Interview

- Take notes during the interview
- Ensure you cover all the subjects while controlling the time
- Use open-ended questions and avoid closed or guided questions
- Ask questions to clarify a response or situation

Experience shows that the more you prepare an interview, the more productive the meeting will be. One strategy is to build a knowledge base of risks that can exist in an organization to take advantage of the experience of risk assessments done in the past.


While maintaining the collection of risks on information assets, it may be useful to translate security terms such as "threats" and "vulnerabilities" into language that is more meaningful for non-specialist stakeholders. One can, for example, use the following wording: "What are you trying to avoid?" or "What do you fear may happen to the resource?"


3.1. Identification of Assets

Input: Scope and boundaries; list of assets with their owners, business processes, premises, etc.
Activities: Identification of assets included in the scope
Output: List of assets to be risk-managed; list of business processes related to assets and their relevance
Reference: ISO 27005, clause 8.2.2

The identification of assets must be performed at a level of detail that provides sufficient information for risk evaluation. However, the identification of assets should be limited to those that have the most important value to the organization. In some methodologies such as OCTAVE, it is suggested only to take into consideration between 5 and 10 primary assets.


The level of detail used in the identification of assets will affect the overall volume of information gathered during the risk evaluation. The level can be refined in further iterations of the risk assessment.


Asset

Definition (ISO 27000, clause 2.3 and ISO 27005, annex B): anything that has value to the organization.

Asset categories:
- Primary assets: business processes; information assets
- Supporting assets: hardware; software; network; personnel; site; organization's structure

An asset is anything that has value to the organization and therefore needs to be protected. When identifying assets, keep in mind that an information system consists of much more than hardware and software. ISO 27005 divides assets into two broad categories:
- Primary assets consist of business processes and information assets. These are the assets that matter most in the risk analysis, rather than supporting assets such as servers.
- Supporting assets include the hardware, software, computer networks, staff, sites and organizational structures.


Creating an Inventory of Assets (ISO 27002, clause 7.1.1)

The inventory of assets records, for each asset:
- Asset type
- Its format
- Its location
- Its owner
- Its user license
- Backup information
- Its value

The inventory is subject to continuous updating and verification.

The process of creating an inventory of assets is an important requirement in managing risk. The asset inventory is essential to establish an effective and appropriate protection of assets of the organization.


The inventory of assets should include all the information necessary for the risk assessment, particularly the asset type, its format, its location, its owner, the information relating to its protection and licensing, and its value to the organization. If the inventory of assets consists of several registers, unnecessary duplication of information should be avoided so that their content stays consistent.


The inventory of assets may also serve other purposes for the organization, for example insurance or financial (accounting) reasons.


The inventory should be kept updated on an ongoing basis and be subject to an annual audit (for example, when reviewing the inventory for accounting).


Identification of Business Processes

Business processes to be considered:
- Supporting the organization's mission and vital to its achievement
- Involving the handling of confidential information
- Related to legal and/or contractual obligations

By establishing a mapping of business processes, the processes are split into sub-processes, activities and then finally into tasks. Some examples related to the accounting process are:
- Process: Accounting
- Sub-process: Manage accounts receivable, payroll, etc.
- Activity: Creating an invoice, monthly report writing, etc.
- Tasks: Checking the current address of a client, adding information into the accounting system, etc.


It should be noted that, to conduct a risk analysis in accordance with the recommendations of ISO 27005, an organization is not required to enter a granular level of detail that would include all the tasks associated with the analyzed process.


Main Business Processes (example based upon the value chain of Porter)

Supporting processes: Management of infrastructure; Human Resources management; Finance & accounting

Main processes: R&D; Marketing; Design; Production; Sales; Distribution; Customer service

Further process examples: Supply; Research & Development; Design; Manufacturing; Transformation; Packaging; Quality control; Marketing; Export; After sale services

As defined by ISO 9001, a process is a set of interrelated or interacting activities which transform inputs into outputs. According to Michael Porter, one can distinguish two kinds of processes in the value chain:
- The main processes, which contribute directly to the physical creation and sale of products, such as R&D, marketing, design, production, distribution and customer service.
- The supporting processes, which support the core business and form the infrastructure of the company, such as infrastructure management, human resources management, accounting and finance.


Identification of Information Assets

Information assets to be considered:
- Vital to the organization so that it can achieve its mission
- Containing information that has economic, administrative or legal value for the organization
- Subject to costs for collection, acquisition or storage

Examples: R&D, customer data, patents, financial statements

An organization often has a wealth of information assets, and not all of them need to be analyzed. The analysis should be limited to information assets that have economic, administrative or legal value for the organization.


To facilitate analysis, the information assets should be consolidated in groups having roughly the same features and the same classification level in terms of information security. For example, one can identify the accounting data as a single asset rather than dealing with subsets: payroll data, accounts receivable, accounts payable, bank statements, etc.


Examples of information assets that are frequently identified as important to the organization:
- Employee files
- Customer list
- Strategic plan of the organization
- Network setup
- Patents
- Accounting data


Identification of Supporting Assets

Category | Definition | Examples
Hardware | All the physical elements supporting processes. | Server, laptop, printer, disk drive, CD-ROM, etc.
Software | All the programs contributing to the data processing. | Operating system, word processing software, accounting software, etc.
Networks | All telecommunications devices used to interconnect several physically remote computers or elements of an information system. | Router, firewall, network cable, switch, bridge, etc.
Personnel | All people involved in the information system. | Owner, user, developer, trustee, client, decision maker, etc.
Sites | Physical places where operations take place. | Desktop, server room, staff residence, secure area, air conditioning system, etc.
Organization's structure | Organizational framework assigned to the realization of the activities. | Headquarters, division, department, project teams, subcontractors, suppliers, etc.

The supporting assets are generally easier to identify because they are the most tangible assets, such as facilities, furniture and office supplies, IT equipment and software.


In Appendix B.1.2. of ISO 27005, sub-categories can be found for each asset class of supporting assets, with examples.


Primary and Supporting Assets: examples of links

Process | Information | Hardware | Software | Personnel
R&D | Patents | Server | CRM | Marketing Specialist
Sales | Customer data | Laptop | Word processing | Network Administrator
Design | Marketing Research Report | External Drive | Excel | Database Manager
Production | Financial Statements | Network | Production Simulation | Finance Director
Accounting | Source Code | Printer | Accounting | Sales Representative

To obtain a sound risk assessment of an asset, the relationships between the major assets of the organization should be analyzed.


Using the previous example of the customer database, the smooth functioning and security of this asset depend on several other assets: the sales process, the server, the CRM software, the sales representatives, etc.


Identification of the Asset Owners (ISO 27001, clause A.7.1.2)

- An owner must be identified for each asset, to ensure responsibility and traceability of assets
- The asset owner does not necessarily have property rights over the asset, but has the responsibility for its production, development, maintenance, operation and security
- The owner is often the person best suited to determine the value of the asset for the organization

The management of an asset may be delegated to a custodian (guardian). Even though the custodian oversees the daily use of an asset, the owner remains responsible.


In the case of shared assets (e.g., a server), it may be helpful to designate assets or groups of assets with a "special service function". One may then appoint a person responsible for shared service delivery, including the operation of the assets providing this service. For example, the sales manager is identified as owner and manager of the customer databases (the primary asset), whereas the server hosting the database (the supporting asset) may be the responsibility of the IT manager.
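The inventory attributes (type, owner, value), the links between primary and supporting assets from the customer-database example, and the rule that every asset needs an identified owner can all be checked mechanically from an asset register. The following Python is an added example and not part of the course material: the asset names, owners and 1-5 values are constructed sample data, and the dependency walk is a simple model of the links rather than a method prescribed by ISO 27005.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    category: str      # "primary" or "supporting"
    asset_type: str    # information, process, hardware, software, personnel, ...
    owner: str = ""    # person accountable for the asset (empty = not yet assigned)
    value: int = 0     # business value on a constructed 1-5 scale (primary assets only)
    depends_on: list = field(default_factory=list)  # names of assets this one relies on

def build_register(assets):
    """Index assets by name; reject dependencies on assets missing from the inventory."""
    register = {a.name: a for a in assets}
    for a in assets:
        for dep in a.depends_on:
            if dep not in register:
                raise ValueError(f"{a.name} depends on unknown asset {dep!r}")
    return register

def missing_owners(register):
    """Every asset needs an identified owner; return the names of those without one."""
    return sorted(a.name for a in register.values() if not a.owner)

def dependents(register, name):
    """All assets that rely on `name`, directly or through intermediate assets."""
    found, stack = set(), [name]
    while stack:                      # iterative walk over the reverse dependency edges
        current = stack.pop()
        new = {a.name for a in register.values() if current in a.depends_on} - found
        found |= new
        stack.extend(new)
    return found

def primary_impact(register, supporting_name):
    """Primary assets whose functioning depends on the given supporting asset."""
    return sorted(n for n in dependents(register, supporting_name)
                  if register[n].category == "primary")

# Constructed sample register built around the course's customer-database example.
SAMPLE = build_register([
    Asset("Customer data", "primary", "information", "Sales manager", 5,
          ["Sales process", "CRM", "Server", "Sales representative"]),
    Asset("Sales process", "primary", "process", "Sales manager", 4, ["CRM", "Sales representative"]),
    Asset("Financial statements", "primary", "information", "Finance director", 4, ["Server"]),
    Asset("CRM", "supporting", "software", "IT manager", depends_on=["Server"]),
    Asset("Server", "supporting", "hardware", "IT manager"),
    Asset("Sales representative", "supporting", "personnel"),          # owner not yet assigned
])
```

Running `missing_owners(SAMPLE)` flags the sales representatives as lacking an owner, and `primary_impact(SAMPLE, "Server")` lists every primary asset that the shared server ultimately supports, which is the information the IT manager and the primary asset owners need to agree on.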
