The calculation of RAVs in OSSTMM seems very useful as a security metric, but can they be the base for a risk assessment methodology compliant with the new ISO 27001:2013 and ISO 31000?

ISO 27001:2013 risk assessment requirements are aligned with ISO 31000 so I think that we can focus on ISO 31000.

ISO 31000 establishes the following phases:

  • Risk identification
  • Risk analysis
  • Risk evaluation
  • Risk treatment

I think that OSSTMM testing can be matched against risk identification (process of finding, recognizing and describing risks).

The risk analysis phase (process to comprehend the nature of risk and to determine the level of risk) and risk evaluation (process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable) can be matched with the calculation of the attack surface and RAV.

And risk treatment phase could be an additional phase where using the classification of vulnerabilities in OSSTMM we choose relevant controls that reduce the risk (attack surface, RAV).

Is this matching correct for you?

Is it possible to use OSSTMM, attack surface and RAV calculation as an ISO 31000 compliant risk assessment methodology?

Does any fundamental requirement exist in ISO 31000 or ISO 27001:2013 that makes it impossible to use RAV as its risk assessment methodology?

kinunt

1 Answer

I only have auditing & review experience for ISO 27001 compliance but not for 31000, so my answer will focus on this one. To summarize, the answers are:

  • Is the matching correct? Yes.
  • Is it possible to use OSSTMM as a risk assessment methodology for ISO 27001/31000? It depends, see below.
  • Any fundamental requirement that makes it impossible? No.

ISO 27001 Risk Assessment Methodology

First, it should be noted that there is no requirement in ISO on the risk assessment methodology. The ISO standard typically defines what an organisation should do as opposed to how to do it. So you are correct and you can use the OSSTMM, attack surface and RAV calculation as your methodology for risk assessment.

For example in ISO 27001:2013, we can see in chapter 8.2 "Information security risk assessment", that:

"The organization shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established in 6.1.2 a).

The organization shall retain documented information of the results of the information security risk assessments."

And the criteria in chapter 6.1.2 are:

6.1.2 Information security risk assessment

The organization shall define and apply an information security risk assessment process that:

a) establishes and maintains information security risk criteria that include:

1) the risk acceptance criteria; and

2) criteria for performing information security risk assessments;

b) ensures that repeated information security risk assessments produce consistent, valid and comparable results;

c) identifies the information security risks:

1) apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system; and

2) identify the risk owners;

d) analyses the information security risks:

1) assess the potential consequences that would result if the risks identified in 6.1.2 c) 1) were to materialize;

2) assess the realistic likelihood of the occurrence of the risks identified in 6.1.2 c) 1); and

3) determine the levels of risk;

e) evaluates the information security risks:

1) compare the results of risk analysis with the risk criteria established in 6.1.2 a); and

2) prioritize the analysed risks for risk treatment.

Using OSSTMM RAV in an ISO 27001 compliant Risk Assessment

Now as you mention, the important part here is the probability / likelihood factor. It is stated in ISO 27001:2013 that the methodology used for risk assessment must:

2) assess the realistic likelihood of the occurrence of the risks identified in 6.1.2 c) 1);

The OSSTMM v3 describes RAV as a scale measurement of the attack surface. It is not intended to measure risk; instead it is used as an operational metric that is much more detailed and pragmatic than traditional risk calculations like:

Risk = Threat x Vulnerability x Asset

OSSTMM purposely avoids the likelihood factor as it is very biased and not necessarily objective. Then RAV cannot be used as-is to perform a probabilistic risk assessment, which is indeed a requirement of the ISO standard, and the answer to your second question would then be no.

However, based on my experience, companies tend to adapt the Risk Assessment methodology / framework they are using, be it OSSTMM or any other methodology (e.g. Octave, NIST framework, TRA etc.), to fit with their specific context and needs.

So at the end, you would have to integrate a likelihood factor into OSSTMM/RAV to use it as an ISO 27001 compliant RA methodology. It does not have to be complicated; again, ISO doesn't say how you must do it.

Other considerations

On a side note, a typical recommendation is to align each department's methodology with the global/standard company risk assessment methodology, notably for calculation methods, as it basically makes life easier for management to evaluate risk on a homogeneous basis. If you're not doing that, and have different methodologies in use within your company, you will have to harmonize results and sometimes will compare apples to bananas.

For this reason, I wouldn't recommend using OSSTMM RAV as the methodology for Risk Assessment. It's too specific and operational to be efficiently matched and compared with other risks elsewhere in the company.

ack__
  • Please, can you elaborate on how OSSTMM RAVs can be matched against ISO 31000 and ISO 27001? For example, for ISO 27001 probability is an important concept and it is never mentioned in OSSTMM RAV calculation. – kinunt May 28 '14 at 14:38
  • You are right I went too fast on RAV calculation. See my edited answer. – ack__ May 28 '14 at 15:58
  • So, if we define a table where ranges of RAVs are mapped to likelihood, we will have enough to use OSSTMM/RAV within ISO 27001, do you agree? – kinunt May 28 '14 at 21:09
  • As long as it's properly documented, planned and executed at appropriate times, and it meets the other ISO standard criteria, yes. – ack__ May 28 '14 at 22:43