2

How do I express non-compliance to ISO 27002 chapter 5 as a risk?

The basic principle of an ISMS according to ISO 27001 is a risk-based approach. Following this, every control of Annex A (ISO 27002) needs to be evaluated and included or (with reason) excluded in the SOA statement.

For the practical controls, that is trivial. But I would like to express the early chapters, which basically deal with having the ISMS and its documents, as risks (and preferably, quantify them).

At this time, my best idea is to define a meta-risk of not having a unified, defined approach to security. However, this does not create any business risks by itself. I could argue that it raises the probability of other risks.

I'm looking for other ideas to approach this problem. If I want to express, say, non-compliance to ISO 27002 chapter 5.1.1 as a risk - what are possible ways of doing so?

2
  • How was the scope defined? Is a certification planned?
    – Tom K.
    Commented Mar 22, 2018 at 12:26
  • It's a generic question, I'd like to apply this principle in general, not to one specific case.
    – Tom
    Commented Mar 22, 2018 at 13:31

5 Answers

2

This question has two types of answers. One directly addresses it. The second questions the question itself.

Let's discuss them one by one.

To answer your question, organizational risks to its information will need systematic approach that cannot be done in an ad-hoc manner. They need to be thought through and managed appropriately. Hence the need for a management system (a system of processes to manage security of your information).

Now, a risk assessment exercise shouldn't cite absence of a control as a risk. That, in my humble opinion, is not the correct way to do risk assessment (you don't cite "lack of lock" as a risk. You say "possible burglary" as a risk). That is also the reason for your confusion (no disrespect intended), because your mind somehow knows intuitively that this is not the right way. This, in fact, is the opposite view. If you take this view, you may end up creating a system which will either be discarded by stakeholders or you will face stiff resistance (because it is not intuitively understood, as it has not been designed in that manner). This is also one of the reasons why ISO 27001 documentation in a company sometimes looks different from the actual practice!

A better option is:

  • Define your business and its components. (context)
  • Identify information critical to your business. This also includes your legal and contractual obligations related to the information (e.g., some countries have laws that require you to keep financial data for the last 10 years; another example, a contract with your customer stipulating that you keep his data separated from all other competitors that you are serving, etc.)
  • Draw a flow of information in your company (this is a very big exercise and could probably take a lot of time)
  • Identify risks that could harm confidentiality, integrity, and availability of your information. Here, you can take help from vulnerability assessment tools and get a penetration test done for your network that contains the information you are trying to protect. You can use the VAPT report as input to the risk assessment.
  • No company has 0 controls. You must be having some controls already present in your system. Record them against the relevant risks.
  • Now, identify controls (refer to ISO 27001 Annexure or ISO 27002 for details), and put them across each risk.
  • Prepare an action plan for the risks.
  • Implement the action plan.

I am sure you will be able to fit almost all the clauses in your controls because then, they will intuitively fit.

3
  • That is a very interesting approach, especially in the middle where you basically apply threat modeling to the organisation as a whole.
    – Tom
    Commented Apr 5, 2018 at 16:53
  • Thank you Tom. Yes, you need threat modelling to understand the risks posed by organizations. Another way to identify threats could be setting up snort to sniff network traffic in your company. That will give you pointers about how many threats are lurking and in what machines. Commented Apr 7, 2018 at 7:03
  • The technical level I understand completely. Organisational threat modeling is an interesting touch that I will explore further.
    – Tom
    Commented Apr 10, 2018 at 5:11
3

As an optimist I would say: you are looking at this half-right.

You are right about the fact that not having a security policy creates risks.

You are not right that this does not include business risks. ISO/IEC 27000 itself says under chapter 3.6:

A large number of factors are critical to the successful implementation of an ISMS to allow an organization to meet its business objectives. Examples of critical success factors include the following:

a) information security policy, objectives, and activities aligned with objectives;

To correct your question further: the risk the organization is facing is not being non-compliant with the ISO norm; the risk lies in the consequences that ensue from not having a security policy.

What are those consequences? These are threats that the respective organization might face because of the non-existence of a security policy. ISO 27005 has some examples in Annex C under "Compromise of information" or "Unauthorised actions". See Annex D for pairing with vulnerabilities to make things perfectly clear.

For example:

Lack of procedures for classified information handling - Error in use

This vulnerability and the paired threat correspond to a missing policy for handling classified information. An organization needs a policy like that, which describes how classified information is handled and who has access to it under what circumstances, etc. After a policy has been worked out and presented to all employees, it has to be enforced in varying degrees.

If there is no policy -> it can't be enforced -> there can't be any procedures -> classified information will be handled poorly => for instance: employees don't shred secret files before throwing them away.

(You can find all this in chapter 8.2 in the ISO/IEC 27002 norm.)

So how do you describe the risk in the end?
Exactly like you would describe any other risk. The only difference is that this one is much more impactful. Just follow the risk assessment process in ISO/IEC 27005 and imagine an organization that has no security policy.

It's all in the norms, you just have to know where to look.

7
  • This is a very good answer, covers a lot of what I'm looking for. I also remembered that not getting or losing your certification due to not complying with a mandatory requirement can be listed as a risk.
    – Tom
    Commented Mar 23, 2018 at 10:15
  • @Tom While this is true, it is not a well-suited explanation of why you are including this risk in your risk analysis. Not having an information security policy or policies has way more implications than not being eligible for a certification. This threatens every security goal an organization can have. Getting certified is something you prepare for when you have reached most of these goals.
    – Tom K.
    Commented Mar 23, 2018 at 12:06
  • I would list it as an additional risk for one specific reason: I can quantify it, with the cost of the certification process. My issue with the more abstract solution is that it doesn't answer the question "so what?" with a specific cost or impact. I understand the implications, but many of them are possibilities, not certainties.
    – Tom
    Commented Mar 23, 2018 at 13:35
  • If an organization's only motivation to implement an information security policy is the attainment of a certificate, their ISMS will not get certified. The way you phrased your statement leads me to believe that you, like many others, overestimate the accuracy of a quantitative risk analysis. You do not deal with certainties just because you somehow quantify cost. You should really have another look at the risk assessment and risk analysis process described in the ISO/IEC 27005 norm and/or ask follow-up questions regarding this matter.
    – Tom K.
    Commented Mar 23, 2018 at 13:50
  • I intentionally wrote "additional". The certification has a price tag, and sometimes cost is what wakes managers up. You spot correctly that I am a fan of quantitative methods and the colorful risk matrix makes me cringe. ISO 27005 is a mixed bag and due for a refresh - but that is a different discussion. For this question, I'll accept qualitative answers, even though I prefer quantitative ones. I just want to be more specific than "unguided process" - ok, the process is unguided, but what risk does that create? At the very least, you need to be able to state a probability and an impact.
    – Tom
    Commented Mar 24, 2018 at 7:03
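One way to put numbers on the argument above (the answer's threat/vulnerability pairs in ISO/IEC 27005 style, the asker's idea that the missing policy raises the probability of other risks, and the directly priced certification risk from the comments), as an added worked example that is not code from this thread; the register entries, likelihoods, losses, the multiplier and the certification figures are all constructed for illustration:

```python
"""Express a missing policy (ISO 27002 ch. 5) as a quantified risk.

Constructed example, not code from the thread. Each register entry is an
ISO/IEC 27005-style threat/vulnerability pair with an annual likelihood and
a loss per event. The missing policy is modelled as a likelihood multiplier
on the risks that depend on it, plus the directly priced risk of a failed
certification. All names and figures are invented for illustration.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    threat: str             # Annex C style threat
    vulnerability: str      # Annex D style vulnerability
    likelihood: float       # annual probability with the policy in place
    impact: float           # loss per occurrence, currency units
    needs_policy: bool      # does the control depend on the policy existing?

    def annual_loss(self, policy_missing: bool, multiplier: float) -> float:
        """Annualised loss expectancy (probability x impact); the likelihood
        is scaled, capped at 1.0, when the risk depends on an absent policy."""
        p = self.likelihood
        if policy_missing and self.needs_policy:
            p = min(1.0, p * multiplier)
        return p * self.impact


# Constructed register (figures invented)
REGISTER = [
    Risk("Error in use", "Lack of procedures for classified information handling",
         0.10, 50_000, True),
    Risk("Theft of documents", "Unprotected storage, no shredding", 0.05, 200_000, True),
    Risk("Flood", "Location in an area susceptible to flood", 0.01, 1_000_000, False),
]


def meta_risk(register, multiplier=3.0, cert_cost=30_000, cert_fail_prob=0.8):
    """Return (ALE with policy, ALE without policy, delta attributable to the
    missing policy). The delta is the 'so what' figure for the risk register."""
    with_policy = sum(r.annual_loss(False, multiplier) for r in register)
    without = sum(r.annual_loss(True, multiplier) for r in register)
    without += cert_fail_prob * cert_cost   # directly priced consequence
    return round(with_policy, 2), round(without, 2), round(without - with_policy, 2)


def per_risk_delta(register, multiplier=3.0):
    """Which dependent risks carry the added exposure, for the treatment plan."""
    return {r.threat: round(r.annual_loss(True, multiplier) - r.annual_loss(False, multiplier), 2)
            for r in register if r.needs_policy}
```

The multiplier is the assumption to defend in front of stakeholders; everything else in the delta is the ordinary probability x impact arithmetic of the register.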
1

Without a unified, defined approach to security, the business, personnel and processes continue to provide a given business function without any frame of reference for how they should contribute to the ongoing security of the business.

This is a risk in that there is a lack of coherent guidance or frameworks to ensure processes are securely implemented, maintained, reviewed, regression tested and improved.

Without policies, everything is organic, ad hoc, chaotic. If it can be reviewed and demonstrated to be structured and aligned to industry best practice, that would likely only be by chance.

1
  • I completely agree that this is a question of maturity. I'm looking for a way to express lack of maturity as a risk. What is the impact?
    – Tom
    Commented Mar 24, 2018 at 7:04
0

To the extent that I understand it, your approach seems sound (although I don't work in an ISO 27002 environment). The point where I disagree is when you state that there is no business risk to not having a security strategy.

If you don't have a security strategy, then you cannot invest rationally in security. In the absence of a coherent approach and goal/target state, your security investments will be allocated arbitrarily. Some areas will be neglected, while others will be duplicated. Adversaries will let you know where you've failed to invest.

If you don't have a strategy, the probability that security will impede/impair your mission is so high as to be a virtual certainty.

As I said, I don't work in an ISO environment, but that would be my approach. Hope it helps you at least a little bit.

3
  • We agree on the necessity of a security strategy. I'd like to express this necessity. How exactly does not having a security strategy affect my risk landscape?
    – Tom
    Commented Mar 22, 2018 at 13:33
  • The risk landscape remains the same. Without a strategy to situate yourself securely within, and proactively and reactively adapt to that landscape, you remain wholly at risk.
    – AndyMac
    Commented Mar 22, 2018 at 16:06
  • There is a good idea there. Without a strategy, you remain in uncertainty about your position and its correctness. I disagree that you are wholly at risk, because ad-hoc measures can provide a high level of security, but without a strategy they are not repeatable and nobody knows if the correct issues are effectively addressed. Thanks, I think I can develop that thought into something.
    – Tom
    Commented Mar 24, 2018 at 7:06
-3

In addition to all of the above great answers, there is also the reputational risk of not having an information security program (certified or otherwise). That reputational risk could affect sales because customers are frequently looking for security certifications with their software vendors.

In regulated industries, lack of a formalized security program could lead to fines or other penalties that affect an organization's ability to grow or execute on key initiatives.

3
  • The question isn't about not getting certified. It's about the specific risk of not having a particular control. These control gaps can be explained and still get certified. So, you have missed the question.
    – schroeder
    Commented Feb 9, 2022 at 17:06
  • I was specifically addressing this statement in the original post: "At this time, my best idea is to define a meta-risk of not having a unified, defined approach to security. However, this does not create any business risks by itself." Which, I believe is about adopting a security program at the meta-level. Commented Feb 9, 2022 at 18:05
  • You've skipped the context in which that statement was made. It looks like you've misread the question and its intent.
    – schroeder
    Commented Feb 10, 2022 at 12:19
