Risk Frameworks


Introduction

The types of risks modern organizations have to contend with are increasing (Al-Ahmad & Mohammad, 2013). This paper will examine various frameworks and standards for managing risk, such as ISO/IEC 27001 (ISO 27001), COBIT, OCTAVE, and ITIL. Specifically, the effectiveness of ISO 27001 at managing risk will be critically evaluated.

Risk Frameworks

There are multiple sets of standards and frameworks that exist to help organizations manage risk (Al-Ahmad & Mohammad, 2013). This range of choices can introduce complexity for businesses that need to choose between several options. This section will examine Control Objectives for Information and related Technology (COBIT), Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE), Information Technology Infrastructure Library (ITIL), and International Standards Organization 27001 (ISO 27001).

COBIT

COBIT was developed and continues to be maintained by the Information Systems Audit & Control Association (ISACA) (Al-Ahmad & Mohammad, 2013). According to the COBIT documentation, the framework was created to be “business-focused, process-oriented, controls-based and measurement-driven” (IT Governance Institute, 2007, p. 10). The framework groups IT operations into 34 processes (IT Governance Institute, 2007). One key consideration for organizations deciding which framework to use is that COBIT does not define how information security risk assessments should be performed (Al-Ahmad & Mohammad, 2013). Instead, it attempts to establish a fundamentally strong IT practice for organizations (Al-Ahmad & Mohammad, 2013).

OCTAVE

OCTAVE consists of the following three main phases: “Build asset-based threat profiles,” “Identify infrastructure vulnerabilities,” and “Develop security strategy and plans” (Mackita, 2019, Section 2.1). Each of these three phases contains several sub-processes for a total of eight processes (Mackita, 2019). OCTAVE categorizes threats generally into one of the following four categories: network-based, physical, system, and other (Butcher-Powell, 2006). Researchers such as Al-Ahmad and Mohammad (2013) have suggested that the OCTAVE model may be the most appropriate for larger organizations because of the level of overhead effort that it necessitates.

To mitigate this issue for smaller organizations, there are multiple variations of OCTAVE, such as OCTAVE-S and OCTAVE-Allegro (Al-Ahmad & Mohammad, 2013). OCTAVE-S was specifically designed for smaller organizations, and OCTAVE-Allegro offers a more efficient approach to information security (Al-Ahmad & Mohammad, 2013). It is also important to note that the OCTAVE model places an emphasis on threat modeling (Mackita, 2019).

ITIL

ITIL should not necessarily be seen as a risk management framework for information security but rather as a governance framework for IT (Al-Ahmad & Mohammad, 2013). Researchers have suggested that some of the main motivators for organizations to adopt ITIL include a desire for IT units to improve service quality, customer satisfaction, and value delivery for the business (Al-Ahmad & Mohammad, 2013).

ITIL is based on the idea that information technology business units are service providers to their respective organizations (Al-Ahmad & Mohammad, 2013). Building on this idea, ITIL provides a catalog (or library) that tries to encompass everything related to provisioning IT services (Al-Ahmad & Mohammad, 2013). Another central idea behind ITIL is that there should be a continuous focus on monitoring and improvement for all IT service offerings (Al-Ahmad & Mohammad, 2013).

ISO 27001

ISO 27001 is known as the international standard for IT risk frameworks (Lopes et al., 2019). According to Al-Ahmad and Mohammad (2013), the purpose of this standard is to outline the requirements for operations related to Information Security Management Systems. Lopes et al. (2019) suggest that ISO 27001 helps organizations identify and eliminate threats to their information security practices. Additionally, it helps organizations truly understand the threats that they must contend with (Lopes et al., 2019). Researchers have even suggested that the ISO 27001 standard may help cost-reduction efforts related to security and non-security business functions (Lopes et al., 2019).

Some researchers have also suggested that an ISO 27001 certification is a helpful preliminary step for organizations striving to achieve GDPR (General Data Protection Regulation) compliance (Lopes et al., 2019). This is an important feature to highlight, as GDPR may be a regulatory requirement depending on the jurisdiction in which the organization operates. Organizations that must comply with GDPR may consider implementing ISO 27001, as GDPR recommends that organizations use such certification frameworks to provide assurance about their information security practices (Lopes et al., 2019). Additionally, the scope of data covered in ISO 27001 is broader than the data covered in GDPR (Lopes et al., 2019). Lopes et al. (2019) also point out that the majority of controls recommended by GDPR are also covered in ISO 27001.

Conclusion

Risk management is an important part of information security. Organizations can leverage frameworks and standards, such as the ones discussed in this paper, to help them develop strong risk management practices. ISO 27001 is a robust framework that organizations can use to enhance their risk management and information security practices; however, the effectiveness of the standard can vary depending on organizational needs. For organizations where compliance, structured security management, and international recognition are the highest priorities, ISO 27001 may be an effective choice. Exploring other frameworks, or combining ISO 27001 with them, might yield better results for organizations seeking flexibility or integration with broader business strategies. The key lies in understanding the organization's unique needs, the industry's regulatory landscape, and the strategic alignment of security with business goals.

References

Al-Ahmad, W., & Mohammad, B. (2013). Addressing information security risks by adopting standards. International Journal of Information Security Science, 2(2), 28–43. http://www.ijiss.org/ijiss/index.php/ijiss/article/download/20/pdf_5

Butcher-Powell, L. M. (2006). Better Securing an Infrastructure for Telework. Journal of Cases on Information Technology, 8(4), 71–86. https://doi.org/10.4018/jcit.2006100106

IT Governance Institute. (2007). COBIT 4.1. Retrieved September 14, 2024, from https://ucilnica.fri.uni-lj.si/pluginfile.php/76917/mod_folder/content/0/Cobit%204.1.pdf?forcedownload=1

Lopes, I. M., Guarda, T., & Oliveira, P. (2019). How ISO 27001 Can Help Achieve GDPR Compliance. 2019 14th Iberian Conference on Information Systems and Technologies (CISTI), 1–6. https://doi.org/10.23919/CISTI.2019.8760937

Mackita, M., Soo-Young, S., & Tae-Young, C. (2019). ERMOCTAVE: A Risk Management Framework for IT Systems Which Adopt Cloud Computing. Future Internet, 11(9), 195. https://doi.org/10.3390/fi11090195

© Trevor French.