Open Group launches guide to boost ISO 27005 efforts

A new guide from the Open Group is designed to help organisations meet ISO 27005 standards, but some risk management professionals feel it may not be so effective.

The Open Group, an organisation that works to promote IT standards, has launched a free guide to help organisations analyse and manage information risks. The guide is specifically aimed at organisations working to meet the requirements of ISO 27005, the risk management framework associated with the ISO 27001 information security standard.

The ISO 27005 guide, called the Cookbook for ISO/IEC 27005:2005, is the result of nearly three years’ work by the Open Group’s Security Forum, and is designed to help risk management professionals and their stakeholders create a formal and repeatable process for analysing and managing risks.

According to Jim Hietala, CTO for the Open Group, the Cookbook provides a detailed description of how to apply the Open Group’s own Factor Analysis for Information Risk (FAIR) risk taxonomy standard to ISO 27005.

“When we set out to create the risk taxonomy standard two years ago, based upon an algorithm called FAIR, we realised what we are creating had a lot of value for folks who are tasked with measuring and managing risk within their organisations,” Hietala said.

“We realised that what we had went to a deeper level on the analysis of risk than anything else that was out there at the time. But we also realised there were other risk management frameworks, and we wanted to describe how FAIR could be used with some of those other frameworks.”

Hietala said FAIR is complementary to ISO 27005, providing more detailed analysis, while the ISO framework works at a higher level. “ISO 27005 tells you what you need to do, but it doesn’t tell much about you how you should do it,” he said. “So we thought there was an opportunity to describe the work that we’ve done in a way that relates to the outputs that ISO 27005 wants to see from a risk analysis.”

According to Hietala, FAIR is “a great way to analyse risk,” while 27005 deals more with how organisations decide to handle the risk: accept it, mitigate it, transfer it or avoid it.

But one expert in the field feels more needs to be done to raise the efficacy of risk analysis. Michael Barwise, director and lead consultant at risk management consultancy Integrated InfoSec, said the Cookbook is a contribution to the standard, and goes into much more detail than ISO 27005, but the guidance should not deter enterprises from making their own risk evaluations.

“[The Open Group is] giving you essentially a framework of control labels within the development section of 27005 that you can use to facilitate your compliance,” he said. “Whether or not that is the same as a good information security risk judgment is the question: I suggest not.”

Barwise said most risk analysis in information security is flawed because it lacks the rigour and statistical data that support risk decisions made in other disciplines, such as insurance or industrial safety.

“The Cookbook is a jolly good effort. It’s exhaustive. It gives a set of rules,” Barwise said. “My question is how effective those rules will be in producing better risk judgement. That is not the fault of the Open Group, but the fault of the omissions in the whole [ISO] framework in which they are operating.  It’s based on the fallacious assumption that we can all make good judgements on risk automatically, and all we need is a framework in which to do it.”

Barwise suggested that risk professionals need to learn more about statistics and the psychology of decision making, because most estimates, he said, were based on “wobbly” judgment.  “Most risk decisions are unsound," he said, "and it’s fortunate that most of them don’t get tested.”

In response, Hietala conceded that more needs to be done to improve risk analysis.

“We haven't had significant statistical studies to refer to in IT security, on which to base risk decisions, like insurance actuaries do,” he said. “There are some resources emerging that help, but the IT security industry isn't where we need to be with respect to having solid statistical databases regarding data breaches, control effectiveness, and so on.” One aim of FAIR, he said, was to bridge the gap between how business people and IT people think about and talk about risk.

Read more on IT risk management