Tuesday, 29 September 2009 12:31
Comparison between ISO 31000 and ISO 27005 risk management processes
by Geraldo Ferreira
Organizations of different sizes and types face both internal and outside influences that can make it uncertain whether or not they will be able to accomplish their objectives. The impact of this uncertainty over a company’s goals is called “risk”. In order to effectively address this issue, two international standards stand out in the risk management space, both of which provide crucial information for performing activities.
The first of these is ISO 31000. With its launch anticipated in October of this year, this norm will serve as a master standard for each and every risk management standard. Because of its general context, it provides overall guidelines to any area of risk management (i.e., finance, engineering, security, among others). Although most organizations already have a defined methodology in place to manage risks, this new standard defines a set of principles that must be followed in order to ensure the effectiveness of risk management. It suggests that companies should continually develop, implement, and improve a framework whose goal is to integrate the process for managing risks associated with governance, strategy, and planning, as well as management, the reporting of data and results, policies, values and culture throughout the entire organization.
The other is ISO 27005. Part of the ISO 27000 series since 2008, this standard establishes risk management best practices specifically geared towards information security, particularly with regard to complying with the requirements of an Information Security Management System (ISMS), as mandated by ABNT NBR ISO/IEC 27001. It establishes that risk management best practices should be defined in accordance with the characteristics of the organization, taking into account the scope of its ISMS, the risk management context, and its industry. Within the framework described in this standard for implementing the ISMS requirements, several different methodologies may be used, and different approaches to information security risk management are introduced in the appendix of the document.
Risk Management Best Practices for ISO 31000
Although ISO 31000 depicts the management process more thoroughly, and has differing terms and expressions, both standards address the risk management process in a similar fashion.
According to ISO 31000, organizations typically determine the context and manage risk by identifying it, analyzing it, and subsequently assessing whether the risk should be modified by a strategic approach so as to comply with its risk criteria. Throughout this entire process, these organizations must communicate and consult with stakeholders, while critically monitoring and analyzing the risk and controls that modify it, so as to ensure that no additional risk management approach will be required (see the flow in Figure 1).
Risk Management Best Practices for ISO 27005
As for ISO 27005, information security risk management should define the context, evaluate the risks, and address them through a plan, in order to implement the recommendations and decisions. Risk management analyzes potential events and their consequences before deciding what to do and when to do it, so as to reduce risks to an acceptable level. Additionally, the standard includes decisions on the analysis and treatment of risks (illustrated by the two decision points in Figure 2), since the risk acceptance activity ensures that residual risks are explicitly accepted by company management. This is particularly important in situations where control implementation is either omitted or postponed, for example because of cost.

Although risk management best practices have been developed over time to meet specific needs in many areas and industries, using distinct methodologies, the adoption of consistent processes within an overarching structure helps ensure that risks are efficiently, effectively, and coherently managed throughout the organization. ISO 31000 is the parent standard, which provides the overall guidelines and principles to manage any type of risk in a systematic, transparent, and reliable manner, within any scope and context; ISO 27005 is the specialized standard that complements the parent by providing best practices for managing the risks related to information security.

Maintain Risk Management Best Practices with Modulo Risk Manager™
Modulo Risk Manager™ recommends Modulo’s proprietary GRC Metaframework™ methodology, while complying with the guidelines defined by both ISO 31000 and ISO 27005 (see Table 1). It provides a systemic and structured process for analyzing and evaluating risk, and lays out a plan for addressing risk management more appropriately in any given business domain. For example, its regular use will allow organizations to:
- Accomplish their objectives;
- Encourage proactive risk management;
- Identify and address organizational risks;
- Identify opportunities and threats;
- Adhere to international standards and legal and regulatory requirements;
- Enable the reporting of information;
- Improve governance;
- Reinforce trust amongst stakeholders;
- Provide a reliable basis for decision making and planning;
- Improve controls;
- Effectively allocate and utilize the resources involved in risk management;
- Improve operational efficiency and effectiveness;
- Improve loss prevention and incident management;
- Mitigate losses;
- Improve organizational learning; and
- Enhance organizational resilience and sustainability.
For more information on how Modulo Risk Manager meets and exceeds risk management best practices, contact Modulo today.
Tuesday, 15 September 2009 18:07
Lula Ribeiro
By Doug Williams
Today CIOs and CSOs are facing more and more regulations and an ever-broadening compliance landscape. Depending on the industry, such regulations include PCI, HIPAA, GLBA, SOX and DoD 8500.2, to name just a few. In fact, C-level executives are no longer concerned with the decision of whether to be compliant or not; the question is where to spend their limited budget in a way that makes the most impact on their business and, ultimately, their compliance profile.
In the past this meant hiring a team of consultants to come in and either do interviews or conduct workshops to try to get a feel for the customer's compliance with any particular standard or regulation. This is a long, and sometimes costly, endeavor with no guarantee that the consultants will talk to the right people or measure the right things in order to reach the correct conclusion. Only after this long process is done does the CIO or CSO read the multi-page reports in order to figure out where to invest their limited IT budget for that year.
There is now a better way to obtain this information. When a customer deploys, installs and configures a proper IT Governance, Risk and Compliance (IT GRC) software solution, it enables them to see, with a few clicks, where their IT dollars would be best spent for the greatest return on investment. IT GRC allows organizations to measure their assets, business processes, or systems with what is referred to as a security index. With this measurement, companies are able, for example, to generate a graphical report that shows the security index of the entire organization.
Above, a report called Business Components Integration View shows the interdependency of an organization's assets, systems and business processes, as well as how one asset's security index rolls up and affects the overall security index of the upstream system or business process. It also allows decision makers to easily see where IT dollars can be better spent to make the most effective impact within their organization.
This kind of report gives CIOs and CSOs the ability to make informed decisions on where to spend their limited IT budget. If the organization had a limited budget to spend on improving its security posture, the logical place to spend those dollars would be the data center, since it would yield the most results across the whole corporate scenario. However, if the organization were concerned only with assets that had been classified with a security index of "red", it could just as easily choose to focus its IT dollars on the application server, IT manager, firewall and workstation assets. This is but one benefit of implementing an IT GRC solution.
Doug Williams is an Information Security Consultant at Modulo, a leading provider of IT GRC solutions. Modulo Risk Manager™ software allows organizations to implement an effective GRC process for Risk Management and Compliance with market standards and regulations, coupled with an IT Governance process.
by Alberto Bastos
As of October 2009, corporations of different sizes and industries will be faced with a new universal standard focused specifically on Risk Management, dubbed ISO 31000: Principles and guidelines for risk management. The new guidelines were developed by the International Organization for Standardization (ISO) in response to the need to standardize the existing norms, regulations and frameworks related to risk management.
Monday, 01 December 2008 00:00
By Rodrigo Mentz
Vendor Assessment aims to maintain the quality of products and services and to guarantee efficient support of management tasks within an organization. This is a rather complex activity (depending on the number of suppliers), so an appropriate management plan is paramount. If correctly implemented, vendor assessments can reduce costs, minimize risks and maintain compliance at high-standard levels.
Thursday, 30 October 2008 00:00
by Rafael Roseira
Workflow Manager, the Risk Manager module responsible for event management and risk treatment, allows centralized and collaborative governance. By means of collaborative access, the whole organization has access to recorded events, enabling centralized management and frequent updates of events.
Friday, 29 August 2008 00:00
by Rafael Roseira Barbosa
The current version of Modulo Risk Manager is based on a client-server architecture.
Friday, 18 January 2008 00:00
"Part of the Risk Management process, reports, tables and graphics generation are fundamental to support the decision making, provide for action plans and facilitate the awareness process by Senior Management and operating teams..."
Thursday, 13 December 2007 00:00
"Creating Quality Business Applications on schedule and within the established budget is one of the greatest challenges faced by the companies that conduct this activity internally to meet their own needs. Some begin to rely on Risk Management (RM) to monitor all the production steps and develop flawless solutions, meeting international standard requirements such as the Capability Maturity Model Integration (CMMI) proposed by the Software Engineering Institute (SEI) of Carnegie Mellon University, a seal that transformed India into the largest supplier of outsourced services to the global market..."
Tuesday, 11 December 2007 00:00
Gustavo Gerhard
"The latest version of Modulo Risk Manager presents a new functionality that allows checklists created by the user to be sent automatically as e-mail interviews. This feature allows the user to automate information collection, as well as the consolidation of results, after creating..."
Saturday, 08 December 2007 00:00
by Rafael Roseira Barbosa
"A close look at current Risk Management frameworks such as the AS/NZS 4360 or the ISO 31000 (under development) leads to the conclusion that risk assessment is but one of the activities performed within a more comprehensive process..."