3 - Interaction with ISO 27005

Question 1

Common points of ISO 27005

Answer 1

• Identifying the risk
• are are capable of dealing with the identified risk
• Calculating wheter the risk should be approached or avoided
• Reduce the level of its risk

Question 2

Common points of ISO 27001

Answer 2

• Align with the organisation’s strategic risk management context
• establish criteria aginst which risk will be evaluated
• identify a risk asessment methodolgy that is suited to the ISMS

Question 3

Difference between 27001 and 27005

Answer 3

ISO 27005 provides guidelines for IS risk management and ISO 27001 is designed to assist the ISMS approach. It is good used to extend 27001 with 27002 (security techniques).

Question 4

They are used in parallel for a flexible use:

Answer 4

identify threats
identify existing controls
identify vulnerabilities and the impact of their exploitation
risk = (proba. threat exploit. a vuln.) * (total impact of the vuln. being exploited)

Question 5

It is fundamental to quantify the probability and business impact of potential threats that the risk become a reality:

Answer 5

Frequency
Productivity loss and cost
Extent and cost of physical and finacial damage
Value lost if confidential info is leaked - very important given the implementation of the GDPR
Cost of recovering from a virus attack (financial, physical and reputational)

Question 6

Compute the Impact Severity

Answer 6

Impact Severity = Asset value x Threat severity x Vulnerability severity