enterprise risk management, operational risk management, iso 27005, iso 31000 risk management

  • Using ISO 27005 to establish and manage Enterprise Risk Management (ERM)

    Certification

    This course fulfills all prerequisite training requirements for certification exam #RM101 for the Certified Internal Controls Risk Analyst (CICRA) professional credential. It is also a prerequisite for all CIS information security and risk management certifications and for the business continuity management certifications.

    Continuing Professional Education (CPE) Credit

    Upon course completion, we will provide you with an achievement certificate for 16 continuing professional education (CPE) credits that can be used to fulfill requirements for maintaining a variety of professional credentials in fraud examination, accounting, auditing, and information security.

    Formats
    Webinar: Introduction


    Enterprise risk management (ERM) in business includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives. ERM provides a framework for risk management, which typically involves identifying particular events or circumstances relevant to the organization's objectives (risks and opportunities), assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring progress. By identifying and proactively addressing risks and opportunities, business enterprises protect and create value for their stakeholders, including owners, employees, customers, regulators, and society overall.

    Risk assessment and management provide the foundation for internal controls management, as well as for business continuity and disaster recovery management. After all, the Information Security Management System and the Business Continuity Management System exist purely to manage risk. This means that an ISMS and a BCMS can only be as good as the organization's ability to create, authorize, and practice a single consistent approach to assessing and treating risks. ISO/IEC 27001 certification of an organization's Information Security Management System (ISMS) requires that all security methods and controls be driven by risk assessment as defined in the organization's formal, documented risk management methodology. BS 25999-2 certification of an organization's Business Continuity Management System (BCMS) requires the same. (BS 25999-2 has since been withdrawn in favour of ISO 22301, which carries the same requirement for a documented risk assessment.)

    ISO/IEC 27005 provides guidelines for information security risk management. It supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach. Knowledge of the concepts, models, processes and terminology described in ISO/IEC 27001 and ISO/IEC 27002 is important for a complete understanding of ISO 27005. ISO 27005 is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) that intend to manage risks that could compromise the organization's information security. As an internationally accepted best-practice guideline for developing a solid risk management methodology that is fit-for-purpose for the organization, ISO 27005 can also be used to satisfy BS 25999's requirement for such a risk management capability.

    The problem in many organizations is that the very people who should be leading or performing risk assessment have never been sufficiently trained to do the job properly. Risk assessment and management is complex, complex enough to have its own ISO/IEC standard. Certified Information Security provides the training and credentialing you need to become recognized as an authority in leading or facilitating risk assessment and management according to the ISO 27005 standard.

  • What the ISO 27005 Standard is...

    ISO/IEC 27005 is the ISO 27000-series standard for information security risk management. It supports the general concepts specified in ISO 27001 and guides the implementation of information security on a risk management basis; familiarity with the concepts, models, processes and terminology of ISO 27001 and ISO 27002 is assumed. It applies to any organization (commercial, government or non-profit) that intends to manage risks that could compromise its information security.

    What the 27001 Standard is...

    ISO 27001

    First published in 2005 (and revised since), ISO/IEC 27001 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of the organization's overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof. ISO 27001 is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties.

    It is intended to be suitable for several different types of use, including the following:

    • use within organizations to formulate security requirements and objectives;
    • use within organizations as a way to ensure that security risks are cost effectively managed;
    • use within organizations to ensure compliance with laws and regulations;
    • use within an organization as a process framework for the implementation and management of controls to ensure that the specific security objectives of an organization are met;
    • definition of new information security management processes;
    • identification and clarification of existing information security management processes;
    • use by the management of organizations to determine the status of information security management activities;
    • use by the internal and external auditors of organizations to determine the degree of compliance with the policies, directives and standards adopted by an organization;
    • use by organizations to provide relevant information about information security policies, directives, standards and procedures to trading partners and other organizations with whom they interact for operational or commercial reasons;
    • implementation of business-enabling information security;
    • use by organizations to provide relevant information about information security to customers.

    What the 27002 Standard is...

    Formerly ISO 17799, ISO/IEC 27002 establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. Its objectives provide general guidance on the commonly accepted goals of information security management. ISO/IEC 27002 contains best-practice control objectives and controls in the following areas of information security management:

    • security policy;
    • organization of information security;
    • asset management;
    • human resources security;
    • physical and environmental security;
    • communications and operations management;
    • access control;
    • information systems acquisition, development and maintenance;
    • information security incident management;
    • business continuity management;
    • compliance.

    Tying the Standards together...

    ISO 27001 provides 1.) a framework for an information security management program within the organization (an information security management system, or "ISMS"); and 2.) an auditable specification against which an organization can have its ISMS certified. ISO 27002 is the former ISO 17799, originally published in 2000. It provides many of the information security best practices, control objectives, and policy guidance needed to run the ISO 27001 information security management system. Because all information security analysis, controls, and processes are essentially a product of risk management, ISO 27005 provides the framework for applying proper risk management within the ISMS described by ISO 27001, ISO 27002 and ISO 27003 (the ISMS implementation guidance).

    Who are these standards for?

    The standards are applicable to all sectors of industry and commerce and are not confined to information held on computers. They address the security of information in whatever form it is held.

  • Exploring the use of ISO 27005, this course provides critical information for understanding the business drivers for using internal controls to manage operational risk, as well as the core concepts for planning and implementing a formal risk management methodology according to the internationally accepted best practices.

    Covered topics include:

    • Learn how to prepare the organization to properly manage operational risks
    • Compare and contrast ISO 27005, ISO 31000, and COSO risk management approaches
    • Establish risk context criteria for risk evaluation, business impact, and risk acceptance
    • Learn how to properly scope your risk management program
    • Establish formal roles and responsibilities to manage operational risk throughout the enterprise
    • Learn how to perform professional risk assessment by properly identifying risks, assets, threats, existing controls, vulnerabilities, and consequences
    • Create a "fit-for-purpose" risk analysis methodology that is custom-suited to your organization
    • Learn how to use incident consequence and likelihood to define composite risk levels
    • Learn to evaluate assessed risks
    • Learn how to properly combine risk treatment alternatives
    • Establish your organization's risk treatment plan acceptance process
    • Learn how to embed risk management throughout the enterprise using proper risk communication and consultation
    • Establish your organization's requirements for ongoing risk monitoring and review
    This course is recommended as prerequisite training for Governing Information Security using ISO 27000 Best Practices
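    The topics above describe the core analysis loop of a risk methodology: score each identified risk by likelihood and consequence, combine the two into a composite level, compare that level against the organization's acceptance criteria, and then pick and verify a treatment. The following Python script is an added illustration of that loop; it is not the course's material or any ISO text. The 5-point scales, the score bands, the acceptance criterion and the effect each control has on the scores are assumptions chosen for the example (ISO 27005 leaves all of these to the organization), and the register entries are constructed, not real findings.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Sequence, Tuple

# Assumed 5-point scales; ISO 27005 leaves scale design to the organization.
LIKELIHOOD_SCALE = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
CONSEQUENCE_SCALE = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}

# Composite score = likelihood x consequence (1..25), banded into risk levels (assumed bands).
LEVEL_BANDS: List[Tuple[int, str]] = [(4, "low"), (9, "medium"), (15, "high"), (25, "critical")]

# Assumed risk acceptance criterion: only "low" risks are accepted without treatment.
ACCEPTABLE_LEVELS = {"low"}


@dataclass
class Control:
    """A control and the scale steps it is assumed to remove from likelihood / consequence."""
    name: str
    likelihood_reduction: int = 0
    consequence_reduction: int = 0


@dataclass
class Risk:
    """One risk register entry: asset, threat, vulnerability, inherent scores, existing controls."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int          # inherent likelihood, before any control
    consequence: int         # inherent consequence, before any control
    existing_controls: List[Control] = field(default_factory=list)


def _clamp(value: int) -> int:
    return max(1, min(5, value))


def effective_scores(risk: Risk, extra_controls: Sequence[Control] = ()) -> Tuple[int, int]:
    """Apply existing controls (plus any proposed ones) to the inherent scores."""
    controls = list(risk.existing_controls) + list(extra_controls)
    likelihood = _clamp(risk.likelihood - sum(c.likelihood_reduction for c in controls))
    consequence = _clamp(risk.consequence - sum(c.consequence_reduction for c in controls))
    return likelihood, consequence


def risk_level(score: int) -> str:
    """Map a composite score onto the assumed level bands."""
    for upper_bound, name in LEVEL_BANDS:
        if score <= upper_bound:
            return name
    raise ValueError(f"score {score} is outside 1..25")


def evaluate(risk: Risk, extra_controls: Sequence[Control] = ()) -> Dict:
    """Risk analysis and evaluation: composite score, level, and the acceptance decision."""
    likelihood, consequence = effective_scores(risk, extra_controls)
    score = likelihood * consequence
    level = risk_level(score)
    return {"asset": risk.asset, "threat": risk.threat, "likelihood": likelihood,
            "consequence": consequence, "score": score, "level": level,
            "acceptable": level in ACCEPTABLE_LEVELS}


def plan_treatment(risk: Risk, proposed_controls: Sequence[Control]) -> Dict:
    """Risk treatment: retain if already acceptable, otherwise model the proposed modification.
    If modification still leaves the risk unacceptable, escalate so the owner can decide
    between avoidance, sharing, or a formally documented acceptance."""
    current = evaluate(risk)
    if current["acceptable"]:
        return {"option": "retain", "residual": current, "added_controls": []}
    residual = evaluate(risk, proposed_controls)
    option = "modify" if residual["acceptable"] else "escalate"
    return {"option": option, "residual": residual,
            "added_controls": [c.name for c in proposed_controls]}


def prioritise(register: Sequence[Risk]) -> List[Dict]:
    """Order the register by score with existing controls applied, highest first."""
    return sorted((evaluate(r) for r in register), key=lambda e: e["score"], reverse=True)


# Constructed sample register (illustrative entries, not real findings).
WAF = Control("web application firewall", likelihood_reduction=1)
RISK_SQLI = Risk("customer database", "SQL injection by an external attacker",
                 "unvalidated input in order lookup", likelihood=4, consequence=5,
                 existing_controls=[WAF])
RISK_LAPTOP = Risk("field laptops", "theft or loss", "no full-disk encryption",
                   likelihood=3, consequence=3)
RISK_WIKI = Risk("internal wiki", "defacement", "unsupported CMS version",
                 likelihood=2, consequence=2)
REGISTER = [RISK_WIKI, RISK_LAPTOP, RISK_SQLI]

# Proposed treatment controls per asset (assumed effects on the scales).
PROPOSED = {
    "customer database": [Control("parameterised queries", likelihood_reduction=2),
                          Control("column-level encryption of PII", consequence_reduction=1)],
    "field laptops": [Control("full-disk encryption", consequence_reduction=2)],
    "internal wiki": [],
}

if __name__ == "__main__":
    for entry in prioritise(REGISTER):
        risk = next(r for r in REGISTER if r.asset == entry["asset"])
        plan = plan_treatment(risk, PROPOSED[risk.asset])
        print(f"{entry['asset']:18} L={entry['likelihood']} C={entry['consequence']} "
              f"score={entry['score']:2} {entry['level']:8} -> {plan['option']} "
              f"(residual {plan['residual']['level']})")
```

Two details are the ones worth copying into a real methodology: the acceptance decision is made by comparing the level against a criterion that was fixed in advance, not by judgement at scoring time, and a treatment is only recorded as "modify" once the modelled residual risk actually meets that criterion; anything that still falls short is escalated to the risk owner rather than silently accepted.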
  • Who should attend

    Decisions regarding critical business processes and organizational resources, including people, facilities, products, services, and information technology, are not made by a single person, or even by a small group.

    Accordingly, the following operations and risk management roles are recommended to attend, since each participates in managing operational risk:

    • Information security managers
    • Business continuity managers
    • Operational risk managers
    • Operations managers / department heads
    • Business Continuity / Disaster Recovery Steering Committee Members
    • Business Continuity/Disaster Recovery Team Leaders
    • Human Resource Managers
    • Quality Managers
    • IT Managers
    • Facility Managers
    • Public Relations / Corporate Communications Managers
    • Information Security Professionals
    • Emergency, Health, and Safety Managers
    • Consultants
    • Internal and external auditors responsible for auditing information security practices
    • Other professionals interested or involved with introducing information security internal controls into an organization
    This is a business seminar focusing on how to manage operational and information risk throughout the organization.

    There are no prerequisite requirements for attendance. Prior business experience is highly recommended.

  • Allen Keele, CEO of Certified Information Security

    My guarantee to you.

    Preparing for Certified Information Security's professional certification exam #RM101 is serious business.

    This is where I can help you. If you first successfully complete:

    • All prerequisite course training; and
    • All RM101 online practice exams

    Certified Information Security guarantees your success in passing CIS exam #RM101.

    If you do not pass exam #RM101 on your first attempt after completion of your required course and practice exams, Certified Information Security will allow you to re-test at no additional charge until you successfully pass your certification exam.


  • Formats: instructor-led or web-based