
I would like to apply ISO 27001 best practices for a company that has not completed its final online architecture yet and is still in the development phase. However, they pretty much know which technologies/systems (mainly on cloud) are to be used, but the connections between several pieces are not finalised, nor are several security-related implementations like a WAF etc. Just to note, everything is on cloud hosted by a cloud provider that is already ISO 27001 certified for all services it provides.

The question is whether it is OK to apply a risk methodology based on assets-threats-vulnerabilities and complete the required documents as suggested by several ISO 27001 toolkits. This methodology is still valid for ISO 27001 and it is straightforward to apply, but obviously this is going to be entirely qualitative, in the sense that no penetration testing can be applied to uncover potential technical vulnerabilities and the development is not final enough to perform code reviews. Additionally, this risk methodology is based on the asset inventory, which undergoes daily changes.

Is it OK to proceed this way for ISO certification with a snapshot of the existing asset inventory that includes many of the deployed assets?

3 Answers

1

Yes, it is OK to proceed this way for ISO certification. The standard requires that risk assessments are performed at regular intervals or when significant changes occur. Your certification auditor may put it to you that changes to your asset inventory constitute significant change. The Statement of Applicability is based on the risk assessment. The word Applicability is key: what applies now. This may change several times based on, as you say, changing assets or penetration testing. I hope that helps. Good luck!

Conor F
  • Yes, but significant change implies no certification is awarded... right? – Hashed_Then_Encrypted Oct 17 '16 at 06:17
  • If there is a significant change to the asset inventory, that would imply the risk assessment process is performed, if you adopt the assets-threats-vulnerabilities approach. I do not see why certification would not be awarded just because the organisation is changing. – Conor F Oct 18 '16 at 22:26
1

Short answer: yes, you can. But please don't do it.

There is a reason why ISO changed the risk assessment methodology from asset-based to, well, anything that works. It is not practical to build/keep/maintain an accurate asset inventory (as you know first-hand). Also, maintaining asset-based risk is not the goal. The goal is to establish a process for risk assessment that helps in identifying risks to company information.

0

Penetration testing has nothing to do with qualitative vs. quantitative risk analysis; you can absolutely do a proper quantitative analysis using estimates, if you use methods that allow you to include confidence or uncertainty (e.g. PERT, the FAIR approach, or the distribution-curve-based methods Hubbard outlines in his book).

That said, ISO 27001 is basically OK with every risk assessment that is based on something better than astrology. Its requirements are detailed in the norm, and are basically that whatever method you use must produce consistent, repeatable results.

If your method is asset-based, that means changes to the asset inventory trigger updates to the risk assessment. Your call if you want to do that daily.

You might also be operating at too low a level of abstraction. I don't think that the daily changes are considerable. The risk assessment should not care much about three new notebooks and two new mobile phones. The ISO requirement is updates after substantial changes. So you can set your triggers higher than that and update monthly, or whatever fits your business impact analysis.

So yes, you can proceed with a snapshot and then set plausible trigger points for updates. Not every minor update to the asset inventory needs to lead to a new risk assessment, but you should have a definition of which threshold counts as a "substantial" change.

Tom
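As an added illustration of the quantitative approach mentioned in the answer above (this is example code added here, not part of the original post or of any ISO, FAIR or Hubbard material), the Python below runs a small Monte Carlo simulation in the FAIR style: calibrated three-point estimates (low / most likely / high) for how often a loss event occurs per year and how much each occurrence costs are sampled from PERT distributions, and the output is a distribution of annual loss with tail percentiles and an exceedance probability rather than a single "high/medium/low" label. No penetration test is needed to run it; it needs only estimates with explicit uncertainty. The scenario and all figures are constructed for the example, and the PERT and Poisson samplers are hand-rolled because the standard library does not provide them.

```python
import math
import random
import statistics

# Constructed example scenario (hypothetical figures, not from the original post):
# three-point estimates (low, most likely, high) for how often the event happens
# per year and for the loss per occurrence, in currency units.
SCENARIO = {
    "name": "Misconfigured cloud storage exposes customer records",
    "events_per_year": (0.1, 0.5, 2.0),
    "loss_per_event": (20_000, 80_000, 400_000),
}


def pert_sample(rng, low, mode, high):
    """Draw one value from a PERT (scaled beta) distribution.

    PERT turns a low/most-likely/high estimate into a smooth distribution with
    mean (low + 4*mode + high) / 6, so the estimator's uncertainty is carried
    into the simulation instead of being collapsed to a single point.
    """
    if not low <= mode <= high:
        raise ValueError("expected low <= mode <= high")
    if low == high:
        return float(low)
    alpha = 1 + 4 * (mode - low) / (high - low)
    beta = 1 + 4 * (high - mode) / (high - low)
    return low + rng.betavariate(alpha, beta) * (high - low)


def poisson_sample(rng, rate):
    """Number of events in one period for an average rate (Knuth's method).

    Adequate for the small annual rates typical of security loss scenarios.
    """
    threshold = math.exp(-rate)
    count, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return count
        count += 1


def simulate_annual_loss(scenario, iterations=10_000, seed=1):
    """Return a sorted list of simulated total losses, one per simulated year."""
    rng = random.Random(seed)  # fixed seed: repeatable results for the auditor
    annual_losses = []
    for _ in range(iterations):
        rate = pert_sample(rng, *scenario["events_per_year"])
        events = poisson_sample(rng, rate)
        total = sum(pert_sample(rng, *scenario["loss_per_event"]) for _ in range(events))
        annual_losses.append(total)
    return sorted(annual_losses)


def percentile(sorted_values, q):
    """Nearest-rank percentile (q in 0..100) of an already sorted list."""
    index = max(0, math.ceil(q / 100 * len(sorted_values)) - 1)
    return sorted_values[index]


def summarize(sorted_losses):
    """Expected annual loss plus the tail figures a risk owner actually decides on."""
    return {
        "mean": statistics.fmean(sorted_losses),
        "p50": percentile(sorted_losses, 50),
        "p90": percentile(sorted_losses, 90),
        "p95": percentile(sorted_losses, 95),
        "max": sorted_losses[-1],
    }


def exceedance_probability(sorted_losses, threshold):
    """Fraction of simulated years whose total loss exceeds the threshold."""
    return sum(1 for loss in sorted_losses if loss > threshold) / len(sorted_losses)


if __name__ == "__main__":
    losses = simulate_annual_loss(SCENARIO)
    summary = summarize(losses)
    print(SCENARIO["name"])
    for key, value in summary.items():
        print(f"  {key:>4}: {value:>12,.0f}")
    tolerance = 250_000  # constructed risk appetite for the example
    print(f"  P(annual loss > {tolerance:,}): {exceedance_probability(losses, tolerance):.1%}")
```

The point of the output shape is that a risk treatment decision can be framed as "the probability that this scenario costs more than our tolerance in a year is X%", which is comparable across scenarios and revisable when an estimate changes, whereas a qualitative 3x3 score is neither. Re-running with a different seed shows how much the tail figures move, which is itself a useful indicator of whether the three-point estimates are too wide to act on.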