Certified ISO 27005
Risk Manager
release 1.0.0
PARTICIPANT HANDBOOK
ITpreneurs Nederland B.V. is affiliated to Veridion.
Copyright © 2013 ITpreneurs. All rights reserved.
Copyright and Trademark Information for Partners/Stakeholders.
Certified ISO 27005 Risk Manager, Classroom course, release 1.0.0
Copyright
Please note that the information contained in this material is subject to change without notice. Furthermore, this material contains proprietary information that is protected by copyright. No part of this material may be photocopied, reproduced, or translated to another language without the prior consent of ITpreneurs Nederland B.V.
The language used in this course is US English. Our sources of reference for grammar, syntax, and mechanics are from The Chicago Manual of Style, The American Heritage Dictionary, and the Microsoft Manual of Style for Technical Publications.
Certified ISO 27005 | Risk Manager | Participant Handbook
Follow Us
Before you start the course, please take a moment to:
“Like us” on Facebook
http://www.facebook.com/ITpreneurs
“Follow us” on Twitter
http://twitter.com/ITpreneurs
"Add us in your circle" on Google Plus
http://gplus.to/ITpreneurs
"Link with us" on Linkedin
http://www.linkedin.com/company/ITpreneurs
"Watch us" on YouTube
http://www.youtube.com/user/ITpreneurs
Contents
Certified ISO 27005 Risk Manager ------------------------------------------------------------ 5
Day 1 ------------------------------------------------------------ 5
Day 2 ------------------------------------------------------------ 59
Exam Preparation Guide -------------------------------------------------------------------------- 133
Appendix A: Case Study ---------------------------------- 143
Appendix B: Exercises List ---------------------------------- 151
Appendix C: Correction Key for Exercises --------------- 167
Appendix D: Release Notes --------------------------------- 179
Participant Feedback Form ---------------------------------- 181
Certified ISO 27005 Risk Manager
Day 1
Section 1: Course objectives and structure
a. Meet and greet
b. General information
c. Training objectives
d. Educational approach
e. Examination and certification
f. PECB
g. Schedule of the training
Activity: Meet and greet

General Information
Use of a computer and access to the Internet
Smoking area
Use of mobile phones and recording devices
Timetable and breaks
Meals
Absences
Training Objectives
Acquiring knowledge
1. Understand the basic concepts of risk management related to information security
2. Explain the goal, content and correlation between ISO 27005, ISO 31000 and ISO 27001, as well as with other standards and regulatory frameworks
3. Explain the functioning of a risk management system according to ISO 27005 and ISO 31000 and its key processes

Training Objectives
Development of competencies
1. Acquire the knowledge necessary for the implementation, management and maintenance of an ongoing risk management programme
2. Interpret the requirements of ISO 27001 on risk management
3. Acquire the skills necessary to effectively advise organizations on the best practices in risk management
4. Strengthen the personal qualities necessary to act with due professional care when implementing a risk management programme
Course Structure
Student oriented
Competency domains:
1. Fundamental principles and concepts in information security risk management
2. Information security risk management program
3. Information security risk assessment
4. Information security risk treatment
5. Information security risk communication, monitoring and improvement
Examination
Prerequisites for Certification
Certified ISO 27005 Risk Manager:
1. Pass the exam
2. Adhere to the PECB Code of Ethics
3. 2 years professional experience
4. 1 year risk management experience
5. 200 hours risk management activity
6. Professional references
Certificate

Certified ISO 27005 Risk Manager
Candidates who meet all the prerequisites for certification will receive a certificate.
What is PECB?
Professional Evaluation and Certification Board
Main services:
1. Certification of personnel (Auditor and Implementer)
2. Certification of training organizations
3. Certification of trainers

Customer Service
Comments, questions and complaints (Participant / Training Provider / PECB):
1. Submit a complaint
2. Answer in writing
3. Appeal to PECB
4. Final arbitration
Certified ISO 27005 Risk Manager
Day 2
Section 6: Risk identification
a. Techniques for gathering information
b. Identification of assets
c. Identification of threats
d. Identification of existing controls
e. Identification of vulnerabilities
f. Identification of consequences
Risk management process overview
1. Risk Management Programme
2. Context Establishment
Risk Assessment (steps 3 to 5):
3. Risk Identification
   3.1 Identification of assets
   3.2 Identification of threats
   3.3 Identification of existing controls
   3.4 Identification of vulnerabilities
   3.5 Identification of consequences
4. Risk Analysis
   4.1 Assessment of consequences
   4.2 Assessment of incident likelihood
   4.3 Level of risk determination
5. Risk Evaluation
   5.1 Evaluation of levels of risk based on risk evaluation criteria
6. Risk Treatment
   6.1 Risk treatment options
   6.2 Risk treatment plan
   6.3 Evaluation of residual risk
7. Risk Acceptance
   7.1 Risk treatment plan acceptance
   7.2 Residual risk acceptance
8. Risk Communication and Consultation
9. Risk Monitoring and Review
Information Gathering Techniques
Questionnaire surveys: Sending questionnaires to a sample of people who represent the stakeholders
Interviews: Interviews with key persons at different hierarchical levels within the organization
Documentation review: Reading and analysis of relevant documentation: internal policies, procedures, previous audit reports, legal opinions, contracts, etc.
Scanning tools: Use of technical tools to detect technical vulnerabilities, establish a list of assets present on a network, perform a code review, etc.
Individual and Group Interview
Individual interview: Individual interviews usually provide more accurate information and allow a more accurate risk assessment
Group interview: Group interviews are more effective for establishing basic criteria, reaching a consensus on risk assessment, discussing treatment options, etc.

Conducting an Interview
Use open-ended questions and avoid close-ended or guided questions
Take notes during the interview
Ensure you cover all the subjects while controlling the time
Ask questions to clarify a response or situation
3.1. Identification of Assets
ISO 27005, clause 8.2.2
Input: Scope and boundaries; list of assets with their owners; business processes; premises, etc.
Activities: Identification of assets included in the scope
Output: List of assets to be risk-managed; list of business processes related to assets and their relevance

Asset
ISO 27000, clause 2.3 and ISO 27005, annex B
Definition: Anything that has value to the organization
Asset category:
Primary assets: Business process; Information asset
Supporting assets: Hardware; Software; Network; Personnel; Site; Organization's structure
Creating an Inventory of Assets
ISO 27002, clause 7.1.1
Inventory of assets, recorded for each asset:
Asset type
Its format
Its location
Its owner
Its user license
Its value
Backup information
Continuous updating and verification

Identification of Business Processes
Business processes to be considered:
Supporting the organization's mission and vital to its achievement
Involving the handling of confidential information
Related to legal and/or contractual obligations
Main Business Processes
Example based upon the value chain of Porter
Management of infrastructure
Human Resources management
Finance & accounting
R&D
Marketing
Design
Production
Sales
Distribution
Customer service
Other activities in the example: Supply, Packaging, Research & Development, Transformation, After sale services, Export, Manufacturing, Design, Marketing, Quality control
Identification of Information Assets
Information assets to be considered:
Vital to the organization so that it can achieve its mission
Containing information that has economic, administrative or legal value for the organization
Subject to costs for collection, acquisition or storage
Examples: Patents, R&D, Customer data, Financial Statements
Identification of Supporting Assets
Categories (Category: Definition. Examples)
Hardware: All the physical elements supporting processes. Examples: server, laptop, printer, disk drive, CD-ROM, etc.
Software: All the programmes contributing to the data processing. Examples: operating system, word processing software, accounting software, etc.
Networks: All telecommunications devices used to interconnect several physically remote computers or elements of an information system. Examples: router, firewall, network cable, switch, bridge, etc.
Personnel: All people involved in the information system. Examples: owner, user, developer, trustee, client, decision maker, etc.
Sites: Physical places where the operations take place. Examples: desktop, server room, staff residence, secure area, air conditioning system, etc.
Organization's structure: Organizational framework assigned to the realisation of the activities. Examples: headquarters, division, department, project teams, subcontractors, suppliers, etc.
Primary and Supporting Assets
Examples of links between primary assets (processes and information) and supporting assets (hardware, software, personnel):
Process: R&D, Sales, Design, Production, Accounting
Information: Patents, Customer data, Marketing Research Report, Financial Statements, Source Code
Hardware: Server, Laptop, External Drive, Network, Printer
Software: CRM, Word processing, Excel, Production Simulation, Accounting
Personnel: Marketing Specialist, Network Administrator, Database Manager, Finance Director, Sales Representative
Identification of the Asset Owners
ISO 27001, clause A.7.1.2
- The asset owner does not necessarily have property rights over the asset, but is responsible for its production, development, maintenance, operation and security
- An owner must be identified for each asset, to ensure responsibility and traceability of assets
- The owner is often the person best suited to determine the value of the asset for the organization
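As an added example (not from the handbook or ITpreneurs), the Python below builds the asset inventory described in the preceding slides: each entry carries the ISO 27002 clause 7.1.1 attributes, names an owner as ISO 27001 A.7.1.2 requires, and links supporting assets to the primary assets they serve. It then reports the gaps a risk manager wants closed before risk analysis starts: assets with no owner, unknown categories, primary assets with no supporting asset linked to them, and links to assets missing from the register. Asset names come from the page; the owners and the register contents are constructed.

```python
from dataclasses import dataclass, field

# Asset categories as presented on the page (ISO 27005 annex B).
PRIMARY = {"business process", "information"}
SUPPORTING = {"hardware", "software", "network", "personnel", "site", "organization"}


@dataclass
class Asset:
    """One inventory entry with the attributes listed under ISO 27002 clause 7.1.1."""
    name: str
    category: str
    owner: str = ""        # responsible person (ISO 27001 clause A.7.1.2)
    fmt: str = ""
    location: str = ""
    value: str = ""
    supports: list = field(default_factory=list)  # primary assets this asset serves


def inventory_findings(register):
    """Return the gaps in the register that should be closed before risk analysis."""
    names = {a.name for a in register}
    findings = {"no_owner": [], "bad_category": [],
                "unsupported_primary": [], "unknown_link": []}
    for a in register:
        if a.category not in PRIMARY | SUPPORTING:
            findings["bad_category"].append(a.name)
        if not a.owner.strip():          # every asset needs an identified owner
            findings["no_owner"].append(a.name)
        for target in a.supports:        # links must point at registered assets
            if target not in names:
                findings["unknown_link"].append((a.name, target))
    supported = {t for a in register for t in a.supports}
    for a in register:                   # a primary asset nothing supports is a gap
        if a.category in PRIMARY and a.name not in supported:
            findings["unsupported_primary"].append(a.name)
    return findings


# Constructed sample register: asset names from the page, owners are hypothetical.
SAMPLE = [
    Asset("R&D", "business process", owner="Research Manager"),
    Asset("Patents", "information", owner="Legal Counsel", fmt="paper", location="HQ archive"),
    Asset("Customer data", "information", fmt="database", location="server room"),
    Asset("Server", "hardware", owner="Network Administrator", location="server room",
          supports=["R&D", "Customer data"]),
    Asset("CRM", "software", owner="Database Manager", supports=["Sales"]),
    Asset("Word processing", "softwar", owner="Network Administrator"),  # mistyped category
]

if __name__ == "__main__":
    for kind, items in inventory_findings(SAMPLE).items():
        print(f"{kind}: {items}")
```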