The InfoSec Blog
3Dec/10

All Threats? All Vulnerabilities? All Assets?

On one list I subscribe to I saw this outrageous statement:

ISO 27001 requires that you take account of all the relevant threats
(and vulnerabilities) to every asset - that means that you have to
consider whether every threat from your list is related to each of
your assets.

"All"? "Every"?
I certainly hope not!
Unless you have a rule as to where to stop, those lists - the vectors that you are going to multiply - are going to become indefinitely large, if not infinite. It's a problem in set theory to do with enumerability.

See
http://infosecblog.antonaylward.com/2010/05/19/the-classical-risk-equation/
for a more complete discussion of this aspect of 'risk'.

See
http://www.bloginfosec.com/2010/08/23/why-the-risk-threats-x-vulnerabilities-x-impact-formula-is-mathematical-nonsense/
in which Jeff Lowder discusses the "utility value" approach to controls.

Because it's the controls and their effectiveness that really count.

The issue of infinite, finite or even reasonable and usable enumerability means there _HAS_ to be a rule as to when to stop.
It's frightening in one way: you never know whether the next item, the one you've stopped before, might actually be critical in some particular combination. But there _HAS_ to be a halting condition or you die from analysis paralysis.

If we call this rule "common sense" or "reasonableness" or some such, then what we are really doing is admitting that Donn Parker was right with his "diligence" approach (see his ISSA Journal articles via Google), and that it is more effective as a means of determining controls than any of the formal Risk Analysis methods.

Because it's the controls and their effectiveness that really count.

But ISO27K says you HAVE to do a RA, even if it's impossible to do it properly, even if it is the wrong method, and even if it's not as effective as a non-RA approach to developing controls.

Because it's the controls and their effectiveness that really count.

Or is it? Is having the certification because you've followed the process more important?


Posted by Anton Aylward

Comments (1) Trackbacks (0)
  1. Hi Anton.

    Yes, ISO27k is risk-based and requires that you identify and characterise risks to your information assets, but no, ISO/IEC 27001 does not say you have to assess ALL risks, or ALL threats, vulnerabilities and impacts. Whoever said so is reading more into the standard than it actually says.

    The cyclical PDCA approach recommended in 27001 is like whack-a-mole: identify your assets, assess the risks, treat them, and go round again. Knowing that you will be going round again and again means there is no need to obsess about every last detail right now. The same applies to selecting treatments, and treating the risks: you can settle for ‘good enough for now’ because it’s not forever.

    Rgds,
    Gary

