Risk Management Qualitative versus Quantitative

Date post: 17-Oct-2020
Transcript
  • *** THIS DOCUMENT HAS BEEN CLASSIFIED FOR PUBLIC ACCESS BY SECURE KNOWLEDGE MANAGEMENT INC ***

    Risk Management Qualitative versus Quantitative

    ISO 27001 clause 6.1.3 (f)

    [Excerpt] The organization shall retain documented information about the information security risk treatment process. NOTE The information security risk assessment and treatment process in this International Standard aligns with the principles and generic guidelines provided in ISO 31000[5].

    ISO 31000 Clause 5.4.3

    [Excerpt] Risk analysis can be undertaken with varying degrees of detail, depending on the risk, the purpose of the analysis, and the information, data and resources available. Analysis can be qualitative, semi-quantitative or quantitative, or a combination of these, depending on the circumstances.

    Example: qualitative – OCTAVE

    Example: quantitative – Harmonized Threat-Risk Assessment

    ISO 27001 registration/certification does not demand a quantitative risk assessment: know the rules and the factual requirements, and push back on false interpretations.

  • Risk Assessment Waterfall

    Flowchart (Start → End; feedback loops and parallel process considerations are marked on the diagram):

    1. Is this a new asset?
    2. Is this a new system or major change?
    3. What are the potential threats?
    4. What are the potential vulnerabilities?
    5. What risk mitigating controls have been implemented?
    6. Finalize and report risk?
    7. Risk Treatment Plan and monitoring

    Actions along the waterfall:

    • Verify the assets in scope. Add new assets to the asset database or configuration management database.
    • Make changes to the security architecture as required. Ensure that additional security testing has been planned and completed.
    • Verify threats are registered and agreed to by management. Add any missing threats.
    • Verify vulnerabilities are registered and agreed to by management. Add any missing vulnerabilities.
    • Validate existing investments in security and risk mitigating controls; protect management’s investment.
    • Work with designated asset owners to create action plans to re-align existing controls or recommend new/additional risk mitigating controls.
    • Report information risk to the information governance committee and act on decisions.
    • Verify and validate that identified risks have been mitigated to acceptable levels or completely eradicated.

  • Qualitative Risk Assessment

    (The Risk Assessment Waterfall flowchart from the previous slide is repeated here.)

    In a qualitative risk assessment, past security events and incidents are orally recorded and the experience and opinions of managers are leveraged to formulate the risk rating, which is expressed as “stop-lights”: red = high risk, yellow = moderate risk and green = acceptable risk.

  • Quantitative Risk Assessment

    (The Risk Assessment Waterfall flowchart from the previous slide is repeated here.)

    In a quantitative risk assessment we try to calculate a risk rating that will help executives decide on the prioritization of corrective action plans, budgeting and resource allocation.

  • Risk Treatment Plan - Qualitative versus Quantitative

    Qualitative: stop lights are used to rate the risk as high, medium or low.

    Quantitative: a mathematical formula is used to calculate a number value known as the risk rating.

  • Qualitative versus Quantitative “Pros and Cons”

    Qualitative “Pros and Cons”

    • Better suited for new security programs, where not all assets have been identified and risk assessed.
    • Better suited for small organizations where the capability and maturity of business processes is very low.
    • Based on experience; if previous events/incidents were not recorded, that experience may have been lost.
    • Generally leaves room for second guessing and lower levels of assurance.
    • Not as precise, and could leave gaps that potentially expose the organization.

    Quantitative “Pros and Cons”

    • A mathematical formula garners higher levels of assurance.
    • All assets in scope need to be identified, managed and risk assessed.
    • More appropriate for highly mature business processes.
    • More precise, making it easier to pinpoint and treat deficiencies and make improvements.
    • Better suited for highly regulated organizations that face external audits and financial penalties.
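The following is an added worked example; it is not part of the slide deck and not Secure Knowledge Management's material. It rates one constructed risk register both ways to make the Risk Treatment Plan and "Pros and Cons" slides concrete: a stop-light colour derived from a manager's likelihood and impact opinion, and a numeric rating derived from a formula. The deck only says that "a mathematical formula" produces the quantitative rating; the annualized loss expectancy (ALE = SLE × ARO, with SLE = asset value × exposure factor, reduced by the effectiveness of existing controls) used below is an assumed, commonly taught choice, not the deck's or the Harmonized TRA's own formula. The likelihood × impact banding, the register entries, the currency values and the control effectiveness figures are all constructed for illustration.

```python
"""Added example (not from the slide deck): one constructed risk register
rated qualitatively (stop lights) and quantitatively (annualized loss
expectancy), then ranked the way an executive would use it to sequence
corrective action plans and budget.  ALE is an assumed formula; the deck
does not name one."""
from dataclasses import dataclass, field

# Ordinal scale for the opinion-based qualitative inputs (assumed banding).
BAND = {"Low": 1, "Medium": 2, "High": 3}


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str        # manager's opinion: Low / Medium / High
    impact: str            # manager's opinion: Low / Medium / High
    asset_value: float     # constructed value in currency units
    exposure_factor: float # fraction of the asset value lost per event
    aro: float             # annualized rate of occurrence (events per year)
    # Existing risk-mitigating controls: name -> assumed fraction of loss prevented.
    controls: dict = field(default_factory=dict)


def stop_light(risk: Risk) -> str:
    """Qualitative rating: likelihood band x impact band folded into a colour."""
    score = BAND[risk.likelihood] * BAND[risk.impact]  # 1..9
    if score >= 6:
        return "red"      # high risk
    if score >= 3:
        return "yellow"   # moderate risk
    return "green"        # acceptable risk


def inherent_ale(risk: Risk) -> float:
    """Annualized loss expectancy before controls: SLE * ARO."""
    sle = risk.asset_value * risk.exposure_factor
    return sle * risk.aro


def residual_ale(risk: Risk) -> float:
    """ALE after existing controls; independent controls multiply the remaining loss fraction."""
    remaining = 1.0
    for effectiveness in risk.controls.values():
        remaining *= 1.0 - effectiveness
    return inherent_ale(risk) * remaining


def prioritize(register: list) -> list:
    """Rank by residual ALE, highest first; returns (asset, stop light, residual ALE)."""
    ranked = sorted(register, key=residual_ale, reverse=True)
    return [(r.asset, stop_light(r), round(residual_ale(r), 2)) for r in ranked]


# Constructed register for illustration only.
REGISTER = [
    Risk("customer database", "external attacker", "unpatched web application",
         "High", "High", 2_000_000, 0.30, 0.5, {"WAF": 0.5, "patch SLA": 0.6}),
    Risk("payroll server", "insider", "excess privileges",
         "Medium", "High", 600_000, 0.25, 1.0, {"access review": 0.4}),
    Risk("office laptops", "theft", "no disk encryption",
         "High", "Low", 50_000, 1.00, 2.0, {}),
    Risk("marketing site", "defacement", "weak CMS password",
         "Medium", "Low", 20_000, 0.50, 1.0, {"MFA": 0.9}),
]

if __name__ == "__main__":
    for asset, colour, ale in prioritize(REGISTER):
        print(f"{asset:18s} {colour:7s} residual ALE = {ale:>12,.2f}")
```

Running it shows the point the deck makes about precision: two of the constructed risks are both "red" and so cannot be ordered by stop light alone, while the numeric residual ALE ranks every entry, and the laptop risk that a manager rated only "yellow" comes out highest once its annual rate of occurrence and absent controls are counted.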
