ISO 27005, a part of the ISO 27000 series of standards, provides a framework for managing information security risks. One of the initial and most crucial steps in this process is the establishment of context. This article will delve into what context establishment in ISO 27005:2018 entails, its importance, how organizations can utilize it, and how to get started, with practical examples from a publicly traded bank and a privately held supermarket.
This article is the second part of a series about ISO 27005:2018. Missed the first part? Start here: Understanding ISO 27005: A Guide for Organizations
Context establishment is the initial phase of the ISO 27005:2018 process. It involves defining the external and internal parameters to be taken into account when managing information security risks, setting the scope and boundaries of the risk management process, and defining the risk assessment methodology.
The context establishment process in ISO 27005:2018 includes several aspects:
General Considerations:
This involves understanding the overall context in which the organization operates, including its mission, vision, values, and strategic objectives.
Basic Criteria:
This includes defining the basic criteria for the risk management process, such as the risk identification methods, risk analysis approaches, and risk evaluation techniques.
Risk Management Approach:
This involves defining the organization's approach to managing risks, including the risk management principles, framework, and process.
Risk Evaluation Criteria:
This includes defining the criteria for evaluating risks, such as the risk levels, risk thresholds, and risk acceptance criteria.
Impact Criteria:
This involves defining the criteria for assessing the impact of risks, such as the potential consequences and their severity.
Risk Acceptance Criteria:
This includes defining the criteria for accepting risks, such as the acceptable level of risk and the risk tolerance.
Scope and Boundaries:
This involves defining the scope and boundaries of the risk management process, such as the areas of the organization that will be included in the process and the limits of the process.
Organization for Information Security Risk Management:
This includes defining the roles and responsibilities for the risk management process, the resources required for the process, and the communication and reporting mechanisms.
Context establishment is not a standalone process but is closely linked with other processes in ISO 27005:2018, particularly Monitoring & Review and Communication & Consultation.
Monitoring & Review:
The context of an organization is not static but can change over time due to various factors such as changes in the external environment, changes in the organization's strategy and objectives, and changes in the information security risks. Therefore, it's important to monitor and review the context on a regular basis to ensure that it remains relevant and up-to-date. The findings from the monitoring and review process can lead to a revision of the context and the risk assessment methodology.
Communication & Consultation:
Communication and consultation with relevant stakeholders is a key part of the context establishment process. It can help organizations understand the views and concerns of the stakeholders, gain their support for the risk management process, and ensure that the risk management process is transparent and inclusive. The communication and consultation process can also provide valuable inputs for defining the context and the risk assessment methodology.
Establishing context is crucial because it sets the foundation for the entire information security risk management process. It helps organizations understand their environment, identify the factors that can influence the risks, and define the parameters for managing these risks.
By understanding the external context, organizations can identify the external factors that can affect their information security risks. This helps them anticipate and prepare for these factors, and ensures that their risk management process is aligned with the external environment.
Understanding the internal context, on the other hand, can help organizations identify their strengths and weaknesses in managing information security risks. This can help them leverage their strengths and address their weaknesses, and ensure that their risk management process is aligned with their internal capabilities and needs.
Defining the risk assessment methodology is also crucial because it determines how risks will be managed. By defining the risk criteria and the risk acceptance criteria, organizations can ensure that their risk management decisions are consistent, objective, and aligned with their risk tolerance.
Organizations can use context establishment by conducting a thorough analysis of their external and internal context, and defining their risk assessment methodology.
To understand the external context, organizations can monitor the external environment, conduct market research, consult with external experts, and analyze legal and regulatory requirements. To understand the internal context, organizations can conduct internal audits, consult with internal stakeholders, and analyze their internal documents and data.
To define the risk assessment methodology, organizations can consult with risk management experts, review risk management standards and best practices, and align the methodology with their risk tolerance and business objectives.
Let's consider two examples: a publicly traded bank and a privately held supermarket.
Publicly Traded Bank:
External Context:
The bank operates in a highly regulated financial market with stringent cybersecurity requirements. The competitive nature of the market and the high risk of cyber threats, due to the sensitive financial data it handles, are key considerations in its external context.
Internal Context:
The bank's complex organizational structure, wide range of information assets, and robust technological capabilities form its internal context. The bank's structure and capabilities necessitate a comprehensive and robust approach to information security risk management.
Risk Management Approach:
Given the potential impact of information security incidents on the bank's reputation and financial stability, the bank's risk management approach would likely involve a high level of risk aversion. Furthermore, due to the heavy regulation in the banking sector, the risk management process needs to be auditable. This means that the risk management approach must be well-documented, transparent, and able to facilitate audit requirements.
Risk Evaluation Criteria and Impact Criteria:
The bank would need to define strict risk evaluation and impact criteria due to the high stakes involved in potential security breaches.
Risk Acceptance Criteria:
Given the potential impact of risks, the bank's risk acceptance criteria would likely set a very low threshold: only risks assessed at the lowest level would be accepted without treatment.
Scope and Boundaries:
The scope and boundaries would likely include all departments and functions due to the interconnected nature of information systems in a bank.
Organization for Information Security Risk Management:
The bank might adopt the three lines of defense model for its information security risk management. The first line of defense is the operational management who own and manage risks. In the context of information security, this could include IT managers who are responsible for implementing security controls and procedures.
The second line of defense includes functions that oversee or specialize in risk management and compliance. For the bank, this could be a dedicated information security team that establishes the information security policy, coordinates the risk management activities, and ensures compliance with regulatory requirements.
The third line of defense is the internal audit function, which provides independent assurance to the board of directors and senior management on the effectiveness of risk management. In the case of the bank, the internal audit function would conduct independent audits of the information security controls and the risk management process, and report their findings and recommendations to the board and senior management.
This model ensures that risk management is given the necessary focus and resources, and that there are multiple layers of control and oversight. For a more detailed explanation of the three lines of defense model, you can refer to the article "Strengthening IT Risk Management with the 3 Lines of Defense Model".
Privately Held Supermarket:
External Context:
The supermarket operates in a competitive retail market with evolving consumer preferences. The risk of cyber threats is moderate, but still significant, especially considering the personal data of customers it handles.
Internal Context:
The supermarket's simple organizational structure, limited range of information assets, and basic technological capabilities form its internal context. These factors necessitate a more straightforward, but still effective, approach to information security risk management.
Risk Management Approach:
Given the potential impact of information security incidents on the supermarket's operations and customer trust, the supermarket's risk management approach would likely involve a moderate level of risk aversion.
Risk Evaluation Criteria and Impact Criteria:
The supermarket would need to define risk evaluation and impact criteria that reflect the potential operational and reputational damage of security breaches.
Risk Acceptance Criteria:
Given the potential impact of risks, the supermarket's risk acceptance criteria would likely set a moderate threshold: low and medium risks could be accepted as-is, with treatment reserved for higher levels.
Scope and Boundaries:
The scope and boundaries could be set to include the head office and all stores, but exclude third-party suppliers, because the supermarket has direct control over its own offices and stores but not over the suppliers. An alternative is to require suppliers to meet certain security controls, since a disruption in the delivery of their services could prevent the supermarket from delivering goods to its own customers.
Organization for Information Security Risk Management:
The supermarket might involve the IT department in risk management, with oversight from the Chief Information Officer, to ensure that risk management is integrated with the supermarket's IT strategy and operations.
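The bank and supermarket examples above each fix a scope, a set of impact criteria and a risk acceptance threshold. The following worked example, added here and not part of the original article or of the ISO 27005 standard itself, shows why those choices matter: the same three constructed risks are evaluated under both organizations' criteria and receive different decisions purely because the context differs. The ordinal scales, level bands, dimension names and sample risks are all assumptions made for illustration.

```python
"""Evaluating constructed risks against two organizations' context choices.

Added example, not the article's own material. Scales, bands, dimension
names and risks are illustrative assumptions.
"""
from dataclasses import dataclass

# Basic criteria: ordinal scales the context phase has to fix up front.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Risk evaluation criteria: score bands (likelihood x impact) mapped to levels.
LEVELS = ((4, "low"), (9, "medium"), (15, "high"), (25, "critical"))


def risk_level(score: int) -> str:
    """Map a 1..25 score onto the organization's named risk levels."""
    for upper, name in LEVELS:
        if score <= upper:
            return name
    raise ValueError(f"score {score} outside 1..25")


@dataclass(frozen=True)
class RiskCriteria:
    organisation: str
    in_scope: frozenset          # scope and boundaries: areas covered by the process
    impact_dimensions: frozenset  # impact criteria: consequence types that count
    accepted_levels: frozenset   # risk acceptance criteria: levels tolerated as-is


@dataclass
class Risk:
    identifier: str
    area: str
    likelihood: str
    consequences: dict  # dimension -> impact rating, as judged by the assessor


def impact_rating(risk: Risk, criteria: RiskCriteria) -> int:
    """Highest consequence rating among the dimensions this organization counts."""
    ratings = [IMPACT[r] for dim, r in risk.consequences.items()
               if dim in criteria.impact_dimensions]
    return max(ratings, default=IMPACT["negligible"])


def risk_score(risk: Risk, criteria: RiskCriteria) -> int:
    return LIKELIHOOD[risk.likelihood] * impact_rating(risk, criteria)


def evaluate(risk: Risk, criteria: RiskCriteria) -> str:
    """Apply scope, evaluation and acceptance criteria in that order."""
    if risk.area not in criteria.in_scope:
        return "out of scope"
    level = risk_level(risk_score(risk, criteria))
    return f"{level}: accept" if level in criteria.accepted_levels else f"{level}: treat"


# Constructed contexts mirroring the article's two organizations.
BANK = RiskCriteria(
    organisation="bank",
    in_scope=frozenset({"head_office", "store", "supplier", "trading"}),
    impact_dimensions=frozenset({"financial", "regulatory", "reputational", "operational"}),
    accepted_levels=frozenset({"low"}),
)
SUPERMARKET = RiskCriteria(
    organisation="supermarket",
    in_scope=frozenset({"head_office", "store"}),      # suppliers excluded
    impact_dimensions=frozenset({"financial", "reputational", "operational"}),
    accepted_levels=frozenset({"low", "medium"}),
)

# Constructed sample risks (not from any real assessment).
SAMPLE_RISKS = [
    Risk("R1", "store", "possible", {"reputational": "moderate", "regulatory": "major"}),
    Risk("R2", "supplier", "likely", {"operational": "major"}),
    Risk("R3", "head_office", "rare", {"financial": "severe"}),
]


def evaluate_register(criteria: RiskCriteria, risks=SAMPLE_RISKS) -> dict:
    """Return {risk id: decision} for one organization's criteria."""
    return {r.identifier: evaluate(r, criteria) for r in risks}


if __name__ == "__main__":
    for criteria in (BANK, SUPERMARKET):
        print(criteria.organisation)
        for rid, decision in evaluate_register(criteria).items():
            print(f"  {rid}: {decision}")
```

R1 is the instructive case: the regulatory consequence counts for the bank (high, treat) but not for the supermarket, whose impact criteria do not include it (medium, accept). R2 falls outside the supermarket's scope entirely, which is exactly the supplier trade-off discussed above, while the bank must treat it as critical. R3 shows the acceptance threshold alone changing the outcome for an identical score.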
Getting started with context establishment involves the following steps:
Understand the Concept:
The first step is to understand the concept of context establishment and its importance in the ISO 27005:2018 process. This can be done by reading the ISO 27005:2018 standard and related materials, attending training courses, or consulting with experts.
Conduct Context Analysis:
The next step is to conduct a thorough analysis of the external and internal context. This involves collecting and analyzing data, consulting with stakeholders, and identifying the factors that can influence the information security risks.
Define Risk Assessment Methodology:
This involves defining the risk criteria, the risk acceptance criteria, and the methods for identifying, analyzing, and evaluating risks.
Communication & Consultation:
Engage with relevant stakeholders throughout the context establishment process. As described above, this helps organizations understand stakeholder views and concerns, gain support for the risk management process, keep the process transparent and inclusive, and gather inputs for defining the context and the risk assessment methodology.
Monitoring & Review:
Establish a process for regularly monitoring and reviewing the context. Because the context changes over time (the external environment, the organization's strategy and objectives, and the information security risks themselves), regular review is needed to keep it relevant and up-to-date, and its findings may require revising the context and the risk assessment methodology.
In conclusion, context establishment is a crucial step in the ISO 27005:2018 process. It sets the foundation for the entire risk management process, helps organizations understand their environment and define their risk assessment methodology, and ensures that their risk management decisions are consistent, objective, and aligned with their risk tolerance and business objectives. By understanding and implementing context establishment, organizations can manage their information security risks more effectively and enhance their overall security posture.
As we continue to explore the ISO 27005:2018 process, our next article will delve into the next critical step: Risk Identification. We will discuss what Risk Identification entails, why it is important, how organizations can effectively identify risks, and how to get started with this process. Stay tuned for this upcoming article to further enhance your understanding and implementation of the ISO 27005:2018 process.