Expert Advice Community


Questions about information security risks ISO 27001

Guest user Created:   Mar 27, 2023 Last commented:   Mar 27, 2023


1. How broad, complete and detailed should an information security risk analysis and treatment be?

2. Should the risk analysis and treatment plan also be carried out for:

Physical facilities
Non-digital assets

Or is it only done for digital assets such as servers, applications and services?

3. How should a risk be correctly described? In some examples I have seen on the internet, they write threats as risks, and I have even seen cases where the risk is written as the security attribute that could be affected.

4. Should the description of a risk explicitly state the threat and the vulnerability that could be exploited by the threat?

5. What guides can I use to evaluate existing controls, and what methodology can be used to recalculate the risk after rating the existing controls and determining how much the likelihood of occurrence and/or the impact of the risk is affected?

6. A web server underwent a vulnerability analysis with security scanning software and no vulnerabilities were found. Does that mean it has no risks? Because for risks to exist there must be vulnerabilities.

However, even though the security scans found no vulnerabilities, I would think that risks should still be written up. Or how are these cases managed where apparently there are no vulnerabilities?


Rhand Leal Mar 27, 2023

1. How broad, complete and detailed must an analysis and treatment of information security risks be?

ISO 27001 does not prescribe such levels of detail; you only need to ensure the risk analysis and treatment process is comprehensive enough to provide confidence that relevant risks are treated properly.

One tip you can use is to involve in the risk analysis and treatment processes people who are familiar with the processes and information included in the ISMS scope, because this increases the chances that no relevant risks will be overlooked.

In terms of the number of risks, you can consider these good estimates to evaluate your process: for each asset, you could find 3 to 5 threats, and for each threat one or two vulnerabilities. So, for a small company with 60 assets, this would mean you would end up with 180 to 600 risks.

For further information, see:

2. The risk analysis and treatment plan must also be carried out at:

Physical facilities
Non-digital Assets

Or is it only done to digital assets such as servers, applications, services?

All assets that can interact with the information to be protected by the ISMS need to be considered in the risk analysis and treatment processes. For example, people will have to access information, so they need to be considered in the risk analysis and treatment processes.

The Risk Assessment Table included in your toolkit (in folder 06 Risk assessment and risk treatment) provides a set of assets you can use, divided into the following categories: People, Applications and databases, Documentation (in paper or electronic form), IT, communication and other equipment, Infrastructure, and Outsourced services.

3. How should a risk be correctly described? In some examples that I have seen on the internet I see that they write threats as risks; I have even seen cases where the risk is written as the security attribute that could be affected.

ISO 27001 does not prescribe how risks must be described, so organizations are free to describe them as best fitting their needs. The documentation in the toolkit uses the approach asset-threat-vulnerability to describe risks. 

For further information, see:

4. In the description of a risk, should the threat and the vulnerability that could be exploited by the threat be explicit?

In the approach used in the toolkit (asset-threat-vulnerability), you need to describe explicitly the threat and the vulnerability related to the risk. The Risk Assessment Table provides a list of threats and vulnerabilities you can use as a reference.

Included in the toolkit you bought you have access to a video tutorial that explains how to perform risk assessment, with real examples. In the email you received the toolkit in, you will find the instructions on how to access the video.

5. What guidelines can I use for the evaluation of existing controls and what methodology can I use to recalculate the risk after qualifying the existing controls and determining how much the probability of occurrence and/or the impact of the risk is affected?

ISO 27001 does not prescribe how to evaluate existing controls, so organizations are free to define criteria that best fit their needs. You can use as evaluation reference evidence that the control is working (e.g., reports, logs, in loco observation, etc.) and the effective results achieved (e.g., for information backup, how many copies were generated and tested in a given period of time).

As for a methodology to recalculate the residual risk, you can use a scale of how much the probability and/or impact of the risk were reduced after the application of the control (e.g., if the control's impact was minimal, reduce 1 point from the current level of probability and/or impact, 2 points in case the impact was moderate, and 3 points in case the control's impact is perceived as high).

For further information, see:

6. A web server was scanned for vulnerabilities with security scanning software and no vulnerabilities were found, does that mean it is risk free? Because for there to be risks there must be vulnerabilities.

However, despite the fact that the security analyses did not find vulnerabilities, would you think that risks should be written, or how are these cases where there are apparently no vulnerabilities managed?

Based only on vulnerability scans you cannot state that there aren't vulnerabilities in a web server, because a scan covers only some types of technical vulnerabilities, and there may be other types of vulnerabilities, like inappropriate access control, improper physical location, etc., that cannot be identified with scanning software.
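The following is an added worked example, not code from the toolkit or from the answer above. It puts the asset-threat-vulnerability description (points 3 and 4), the point-reduction method for recalculating residual risk (point 5) and the "clean scan does not mean no risk" argument (point 6) into one small risk register. Everything in it is an assumption chosen for illustration: the 1-5 scale for likelihood and impact, the acceptance threshold of 6, the mapping of a control's minimal/moderate/high effect to a 1/2/3-point reduction, and the sample register entries.

```python
"""Residual-risk recalculation over an asset-threat-vulnerability register.

Constructed example (not the toolkit's own code). The 1-5 scale, the acceptance
threshold, the 1/2/3-point reduction per control-effect rating and the sample
entries are all assumptions used to illustrate the method described in the answer.
"""
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 5   # assumed 5-point scale for likelihood and impact
ACCEPTABLE_RISK = 6           # assumed acceptance threshold on likelihood * impact

# Points subtracted from likelihood and/or impact depending on how strongly the
# existing control is judged to reduce the risk (minimal=1, moderate=2, high=3).
CONTROL_REDUCTION = {"none": 0, "minimal": 1, "moderate": 2, "high": 3}


@dataclass(frozen=True)
class Risk:
    """One register entry: the risk is described as asset + threat + vulnerability."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int      # 1..5 before existing controls are considered
    impact: int          # 1..5 before existing controls are considered
    control: str         # existing control, "" if none
    control_effect_on_likelihood: str = "none"   # key of CONTROL_REDUCTION
    control_effect_on_impact: str = "none"       # key of CONTROL_REDUCTION


def clamp(value: int) -> int:
    """Keep a reduced score on the scale; a control never pushes it below the minimum."""
    return max(SCALE_MIN, min(SCALE_MAX, value))


def inherent_risk(r: Risk) -> int:
    """Risk level before existing controls are taken into account."""
    return r.likelihood * r.impact


def residual_scores(r: Risk) -> tuple[int, int]:
    """Apply the control-effect reduction separately to likelihood and impact."""
    like = clamp(r.likelihood - CONTROL_REDUCTION[r.control_effect_on_likelihood])
    imp = clamp(r.impact - CONTROL_REDUCTION[r.control_effect_on_impact])
    return like, imp


def residual_risk(r: Risk) -> int:
    """Risk level after the existing control has been rated."""
    like, imp = residual_scores(r)
    return like * imp


def needs_treatment(register: list[Risk]) -> list[Risk]:
    """Entries whose residual risk still exceeds the acceptance threshold."""
    return [r for r in register if residual_risk(r) > ACCEPTABLE_RISK]


# Constructed sample register. The two web server entries show that a vulnerability
# scan with no technical findings does not empty the register: an access-control
# weakness and an unprotected physical location are not things a scanner reports.
REGISTER = [
    Risk("Web server", "Unauthorized access", "Weak administrative access control",
         likelihood=4, impact=4, control="MFA and role-based admin accounts",
         control_effect_on_likelihood="high"),
    Risk("Web server", "Flood or fire", "Server rack in an unprotected location",
         likelihood=2, impact=5, control=""),
    Risk("Customer contracts (paper)", "Theft", "Unlocked filing cabinet",
         likelihood=3, impact=3, control="Key-locked cabinet with access log",
         control_effect_on_likelihood="moderate"),
    Risk("Backup media", "Media failure", "Backups never tested for restore",
         likelihood=3, impact=4, control="Monthly restore test",
         control_effect_on_likelihood="minimal", control_effect_on_impact="moderate"),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.asset:28} {r.threat:22} inherent={inherent_risk(r):2} "
              f"residual={residual_risk(r):2}")
    print("Still above threshold:",
          [(r.asset, r.threat) for r in needs_treatment(REGISTER)])
```

Run as a script, it lists inherent and residual values per entry and reports which entries still exceed the threshold; with the sample data only the web server's physical-location risk remains, because it has no existing control to rate. The reduction is applied to likelihood and impact separately, since a control such as tested backups lowers impact without changing how often media fail, whereas MFA lowers likelihood without changing what a successful intrusion would cost.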
