ISO 27005 Risk Management Standard


Course: 8 hours 25 minutes, Intermediate, CEU/CPE 9
Video Transcription
Let's continue our look at some risk-related frameworks. ISO, again, this represents the International Organization of Standards. ISO 27005 is the Information Security Management Standard. Now, ISO's 27000 series, those documents numbered in the 27000 range, focus on cybersecurity. Of course, protecting our information while using a standard of risk management is what this particular framework does.

What you're going to notice if you take a look at this, you're going to see a lot in common with NIST 830 and 39. You're going to see that we start out with context establishment. If you look at NIST 839, you remember we started out with framing, and framing establishing the context. We're going to see these different frameworks use slightly different terms, but we're doing the same thing. We're trying to figure out what is significant about our environment that's going to influence how we address risks. Are we required to follow certain laws, regulations? Are we handling extremely high value data? Those are the types of things that we think about in framing, as well as the risk appetite and tolerance of the organization, risk capacity as well.

Then once we have a handle on how we as an organization address risks, then we're going to move into risk assessment. Now, in risk assessment I have the two pieces of identification and then risk estimation. Risk identification is, of course, where we look at threats, vulnerabilities, and our assets, and we figure out what risks exist. Then for risk estimation, this is what we've been calling risk analysis in ISACA's approach to risk. Again, it gets tricky because these terms are a little bit different, or they're used differently. But here risk estimation, part of the overarching risk analysis, this is where we get a value for the risk. What is the loss potential? Then the next stage, risk evaluation, is where we compare the potential for loss up against the cost of a countermeasure, and make a good decision for risk response based on cost-benefit analysis.

You can see there are four types of risk response: treat risk, tolerate them, transfer them, terminate. This is comparable. Treat would be comparable to mitigation or risk reduction. Tolerate would be accept, transfer is still the same, and then terminate would be avoid risk. It can be tricky, particularly on an example, you're looking at the same ideas with different lingo. Don't get caught up in that. I don't think they're going to get that detailed in ISO 27005. What I would focus on is that ISO 27005 is an international framework. I would follow the flow of it, but try not to get too tangled up in the different terms. What I would know is what we focused on as far as how risk management is handled within ISACA. Don't let it get too tangled up with these different frameworks.