
Information systems risks: ISO 27005 vs MAGERIT and other methodologies

Anonymous

As all of us who work in the field of information security already know, the cornerstone of every ISMS (Information Security Management System) is the performance of a proper analysis of the risks associated with our information assets.

The importance of Risk Analysis stems from the fact that it is the tool that allows us to identify the threats to which these assets are exposed, to estimate how often such threats materialize, and to assess the impact that such materialization would have on our Organization.

In the field of Risk Analysis, in Spain we have an indisputable reference when it comes to the methodology to follow. That reference is MAGERIT: Risk Analysis and Management Methodology for Information Systems. Currently at version 2.0, it enjoys excellent health and is recognized by ENISA (European Network and Information Security Agency) alongside other European and international methodologies. It is a public methodology developed by the Higher Council of Electronic Administration (CSAE), a body of the Ministry of Public Administrations (MAP) in charge of the preparation, development and application of the information technology policy of the Spanish Government.

If until now this reign of MAGERIT has been indisputable (with the interesting exception of those professionals who have decided to develop their "own" methodologies, considering them better adapted to their organizations), for a relatively short time now we have had a competitor. This new player on the Risk Analysis scene is, as many may have guessed, the international standard ISO/IEC 27005:2008, entitled Information technology - Security techniques - Information security risk management.

ISO 27005 "repealed" the ISO/IEC TR 13335-3:1998 and ISO/IEC TR 13335-4:2000 standards and, since its publication in June 2008, provides a set of guidelines for the correct performance of a Risk Analysis.

Note, however, that ISO 27005 does not provide a specific Risk Analysis methodology, but rather describes the recommended analysis process, including the phases that comprise it, through its clauses:

  • Establishment of the context (Clause 7)
  • Risk assessment (Clause 8)
  • Risk treatment (Clause 9)
  • Acceptance of risk (Clause 10)
  • Communication of risk (Clause 11)
  • Monitoring and review of risk (Clause 12)

In short, the standard leaves us in no doubt about the elements that every good Risk Analysis methodology should include; therefore, seen from this point of view, it can be regarded as a methodology in itself.

In addition, the standard includes six annexes (A to F) of an informative, non-normative nature, with guidelines that range from the identification of assets and impacts, through examples of vulnerabilities and their associated threats, to different approaches to the analysis, distinguishing between high-level risk analysis and detailed analysis.

But what arguments does ISO 27005 have in its favour against MAGERIT or other existing methodologies? Well, the truth is that there is a palpable division in the sector, even at the European level (in that case, logically, comparing the ISO standard against the methodologies of each country).

On the one hand, there are those who have embraced the new standard with great enthusiasm, understanding that it makes official, at an international level, the requirements that a Risk Analysis methodology must meet, and that it therefore brings clarity to an area that surely needed it. This position is common among those dedicated to implementing Management Systems under ISO 27001 (the absolute reference in security management), since ISO 27005 was clearly born to support the task of risk analysis and management within the framework of an ISMS.

On the other hand, we find those who do not quite see what this standard contributes for risk analysis professionals, given the many existing methodologies. From these more purist risk-management positions, the criticism focuses on pointing out that the new standard does not really delve into risk management, but rather remains a mere declarative framework for certain risks, and that this framework is tied to a PDCA cycle (Plan, Do, Check, Act) in order to review those risks.

Critics of ISO 27005 add another aspect that does not quite convince them, and it is precisely that subordination (for them undoubtedly excessive) of the standard to the ISMS. They consider inadmissible the statement made in sub-clause 7.1 of the standard, which cites, among the purposes of Risk Analysis, support for an ISMS. This statement is challenged by arguing that in reality the implementation of an ISMS is the result of a prior risk analysis, and not the other way around. This last opinion does not seem out of focus at all, since precisely the purpose of an ISMS is (redundancy intended) to always manage Information Security starting from the Risk Analysis.

Regardless of controversies, which need not be sterile, the truth is that for just over a year those of us who dedicate ourselves to Information Security have had new support for that difficult and crucial task that is the Analysis and Management of the Risks to information assets in organizations. A task which, it must be said, benefits from as many contributions as possible.

Among these contributions, it is worth highlighting the publication in Spain, a month after ISO 27005, of a methodology (in this case a genuine Risk Analysis methodology) in the form of a UNE standard. We are referring, of course, to UNE 71504, which will undoubtedly be interesting to discuss on another occasion and to compare with that indisputable reference in Spain which is MAGERIT.

Contributed by: Elena Ortega de Nicolás
