The Risk-based Approach | The Centauri Step, Governance and IT Security
The Risk-based Approach
Marion Mellor
What is the risk management approach? And how do you go from a pure compliance-based strategy to a focus on managing risk better?
You now know that the ISMS (Information Security Management System) is the orchestra conductor of your security regulations.
But why do we recommend a risk-management approach as opposed to a compliance-based one? (I think I prefer this second alternative)
1) Thou shalt (or shalt not) tick boxes
A compliance-based or process-based approach allows an organization to deploy the foundations of an ISMS but does not always offer a response to all its specific business needs or the ability to adapt processes urgently.
Processes and procedures do not allow for the innovation necessary to provide businesses with an effective security response.
Threats evolve over time. A cyber attack can occur or be deployed in a few minutes, but it might be several months before it is discovered.
–> This is a critical issue. ⚠️
How can you deal with emergencies without looking like the rabbit in Alice in Wonderland, who runs everywhere without ever getting anywhere? How can you proactively enhance business security?
Security decisions are taken at a specific moment in time by management and the IT department, who sometimes speak different languages for which they have no dictionary. It thus takes time for these decisions to be translated into security procedures, and yet no documentation can be constantly updated. Several months can go by between the decision, its putting in writing and the implementation of the decided actions.
Beware! ⚠️When you reach compliance with a security rule, the real threat situation has already moved on ahead. There is a constant gap and this gap can tend to grow as threats become more serious.
Being certified ISO 27001 is about being capable to produce documentation. But is ticking boxes on a compliance Excel file enough to be really protected? How can you ensure that decisions and actions are taken in real time?
Agility is the ability to create value while adapting to changes in environment. Is compliance with the ISO 27001 standard an ends or a means?
2) Thou shalt manage your risks
A risk-management approach allows you to put your processes into perspective, and decide whether a given procedure provides value for the business and for its security. And this is the real role of the ISSM (information security systems manager). Rather than working through the chapters of the standard with your sights set on compliance, it is nowadays advisable to implement distributed security systems adapted to the major risks facing the business.
“You don’t put brakes on a car to slow it down, you put brakes on a car to go faster more safely.” Following the same reasoning, security procedures must be fully integrated in the activities of the organization.
Any additional constraint must have an immediate benefit. There need to be obvious gains for minimal effort.
Four key stages of an effective risk assessment:
1) First, consider the specific context,
2) Establish the risk evaluation criteria,
3) Accept the risks (formally, in a management meeting) and share the findings of the assessment,
4) Regularly review residual risks.
You must constantly review the adequacy of controls with regard to major business threats, project risks and/or changes in the environment.
This represents an enormous cultural shift for some auditors who are used to conscientiously checking whether the organization ticks all the boxes – in fact, the first stages of your risk analysis might actually show that a smaller ISMS scope is justified, depending on the activities and needs of the business.
3) Thou shalt make life easier for your business
What we call the “risk-management approach” builds upon the Plan Do Check Act or PDCA approach, to which it adds the consideration of risks and opportunities. Having the support of a management team which understands the issues at stake is capital in this respect.
Several ways to be more agile when it comes to security measures:
1) Outline the broad security principles with management (no more than two pages in simple and engaging language). This then leaves you free to implement security measures without being restricted by procedures.
2) Based on the above, develop a set of guidelines for each area or activity of the business.
3) These more detailed standards can be translated into specific procedures (on a business-wide ERP system for example). MY ADVICE = The most practical format for your documentation is Excel for the most part, with a few Word files (but the fewest possible to allow the everyday update of the documentation)
MY ADVICE
The most practical format for your documentation is Excel for the most part, with a few Word files
(but the fewest possible to allow the everyday update of the documentation).