ISO 27001

INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE
Walid Al-Ahmad, Bassil Mohammed, Vol. 2, No. 2

28

Addressing Information Security Risks by Adopting

Standards

Walid Al-Ahmad*‡, Bassil Mohammad**

*Computer Science Department, Faculty of Arts and Science, Gulf University for Science & Technology, Kuwait

**Ernst & Young, Amman, Jordan

‡
P.O.Box 7207 Hawally, 32093 Kuwait, Tel: +96525307321, Fax: +965 25307030, e-mail: [email protected]

Abstract- Modern society depends on information technology in nearly every facet of human activity including, finance,

transportation, education, government, and defense. Organizations are exposed to various and increasing kinds of risks,

including information technology risks. Several standards, best practices, and frameworks have been created to help

organizations manage these risks. The purpose of this research work is to highlight the challenges facing enterprises in their

efforts to properly manage information security risks when adopting international standards and frameworks. To assist in

selecting the best framework to use in risk management, the article presents an overview of the most popular and widely used

standards and identifies selection criteria. It suggests an approach to proper implementation as well. A set of recommendations

is put forward with further research opportunities on the subject.

Keywords- Information security; risk management; security frameworks; security standards; security management.

1. Introduction

The use of technology is increasingly covering

most aspects of our daily life. Businesses which

are heavily dependent on this technology use

information systems which were designed and

implemented with concentration on functionality,

costs reduction and ease of use. Information

security was not incorporated early enough into

systems and only recently has it started to get the

warranted attention. Accordingly, there is a need to

identify and manage these hidden weaknesses,

referred to as systems vulnerabilities, and to limit

their damaging impact on the information systems

integrity, confidentiality, and availability.

Vulnerabilities are exploited by attacks which are

becoming more targeted and sophisticated.

Attacking techniques and methods are virtually

countless and are evolving tremendously [1, 2].

In any enterprise, information security risks

must be identified, evaluated, analyzed, treated and

properly reported. Businesses that fail in

identifying the risks associated with the

technology they use, the people they employ, or

the environment where they operate usually

subject their business to unforeseen consequences

that might result in severe damage to the business

[3]. Therefore, it is critical to establish reliable

information security risk assessment and treatment

frameworks to guide organizations during the risk

management process.

Because risks cannot be completely eliminated,

they need to be reduced to acceptable levels.

Acceptable risks are risks that the business decides

to live with, given that proper assessment for these

risks has been performed and the cost of treating

these risks outweighs the benefits.

To this effect, enterprises spend considerable

resources in building proper information security

INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE
Walid Al-Ahmad, Bassil Mohammed, Vol. 2, No. 2

29

risk management programs that would eventually

address the risks they are exposed to. These

programs need to be established on solid

foundations, which is the reason why enterprises

look for standards and frameworks that are widely

accepted and common across enterprises [4].

However, the fact that several standards and

frameworks exist make it challenging for

enterprises to select which one to adopt and the

question: “which is the best?” warrants further

investigation. The main objective of this paper is

to provide an answer to this question, thereby

assisting enterprises in developing proper

understanding of the issue and establishing

successful information security risk management

programs. This paper provides an analysis of some

existing standards and frameworks for information

security risks and consolidates various aspects of

the topic. It also presents the challenges that

frustrate information security risk management

efforts along with how leading market standards

and practices can be used to address information

security risks with insights on their strengths and

weaknesses.

Please note that the scope of this paper is

limited to the following frameworks: ISO 27001,

ISO 27002, ISO 27005, ITIL, COBIT, Risk IT,

Basel II, PCI DSS, and OCTAVE. These are the

most commonly used frameworks in the market

[5]. Other frameworks and methodologies like

RMF (by NIST) and M_o_R (by GOC) can be

considered in future work. It is also important to

mention that this paper is not intended to promote

a specific standard or framework; rather it treats

them equally. Conclusions drawn as a result of this

work are based on our detailed analyses, research,

literature review, and observations from our work

experience and engagements with clients from

various sectors in the field of information security.

The remainder of this paper is organized as

follows: section 2 highlights some related work;

section 3 details some challenges that disturb

information security risk assessments; section 4

provides an overview of the major drivers for

standards adoption; section 5 provides detailed

analyses and exploration for the standards and

frameworks in scope; section 6 details with the

strengths and weaknesses of these standards and

frameworks when used as a means to address

information security risks; section 7 captures the

selection considerations to use; section 8 provides

some recommendations along with the proposed

approach; section 9 presents a case study to

illustrate the benefits of the proposed selection

method; finally, section 10 puts forward some

conclusions and future research opportunities in

relation to our work.

2. Related Work

The literature on information security risk

management based on international standards is

scarce. The literature lacks studies that guide

organizations in selecting the standard that fits

their needs. Some research works attempt to

analyze existing information security risk

management standards, mainly ISO 27001 [6].

However, these research works focus mainly on

listing advantages and disadvantages of these

standards and how to implement and manage

them. No comprehensive studies have been done to

holistically compare various frameworks, with the

objective of providing selection criteria for the best

standard or proposing a better assessment

approach. Some papers dealt with frameworks

such as COBIT, ITIL, and ISO 17799, as means to

manage compliance requirements [7]. Ref. [8]

proposes a framework which considers global,

national, organizational, and employee standards

to guide information security management. Ref.

[9] presents framework of information security

standards conceptualization, interconnection and

categorization to raise awareness among

organizations about the available standards

(mainly ISO series).

As well as exploring existing frameworks used

in IT risk management this paper presents the

challenges facing organizations to successfully

implement information security risk assessments

and the drivers for standards adoption. The main

and novel contribution of our research work is the

proposal of a practical approach to selecting an

appropriate framework to address information

security risks.

3. Challenges to Information Security Risk
Assessments

INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE
Walid Al-Ahmad, Bassil Mohammed, Vol. 2, No. 2

30

Some of the common challenges to information

security risk assessments are discussed briefly in

this section. In fact, these challenges represent

critical failure factors for an information risk

management program.

1) Absence of senior management commitment &

support: Management’s -in and support is a

critical driver for the success of any IT project,

including information security risk assessments.

Absence of management commitment will

result in wasting valuable resources and efforts,

producing weak evaluations, and most

importantly, will lead to ignoring the

assessment findings [10].

2) Absence of appropriate policies for information

security risk management: It is crucial to have

information security policies in place to reflect

the enterprise objectives and management

directions. Although some policies might be

created, information security risk management

policies tend to be dropped or forgotten. In a

research conducted by GAO, the US

Government Accountability Office, three out of

four detailed case studies showed that despite

the fact that firms used to have some form of

information security risk assessment approaches

practiced for several years, the risk management

and assessment policies and processes were not

documented until recently [11]. The absence of

this critical steering document will lead to

unstructured risk assessment approaches and

will openly allow unmanaged evaluations.

3) Disintegrated GRC efforts: The increasingly

popular term GRC refers to three critical areas:

Governance, Risk Management, and

Compliance. According to COBIT 4.1, IT

Governance is defined as “the responsibility of

executives and the board of directors, and

consists of the leadership, organizational

structures and processes that ensure that the

enterprise’s IT sustains and extends the

organization’s strategies and objectives” [12].

Risk management is a process through which

management identifies, analyses, evaluates,

treats, communicates, and monitors risks that

might adversely affect realization of the

organization’s business objectives. Compliance

is about making sure that external laws,

regulations, mandates and internal policies are

being complied with at a level consistent with

corporate morality and risk tolerance.

Governance, risk, and compliance should

always be viewed as a continuum of interrelated

functions, best approached in a comprehensive,

integrated manner. The disintegration results in

increased failure rates, waste of resources, and

increased overall assurance cost.

4) Improper assessments management: Despite the

importance of security risk assessments, they

are mostly not managed as projects and merely

considered as part of IT normal operations.

Considering security risk assessments as part of

IT routine assignments will exclude these

assessments from business review and

consequently will result in a definite disconnect

between management and their enterprise

information security assessments. This

exclusion will also increase the possibilities of

executing over-budget assessments that will

only cause additional efforts and resources to be

wasted.

5) Assets ownership is either undefined or

unpracticed: In ISO 27001 “the term ‘owner’

identifies an individual or entity that has

approved management responsibility for

controlling the production, development,

maintenance, use and security of the assets.

[13]. This definition entails major responsibility

granted to the person who is assigned the

ownership which includes making sure that

proper controls are actually implemented in

to protect the asset. Information security

standards, best practices and mandates like ISO,

COBIT, and ITIL require that information

assets are identified, inventoried, and ownership

is assigned. This is crucial for the success of

any information security assessment. Most

organizations fail to develop comprehensive

information assets inventories and accordingly

do not assign ownership [14].

6) Limitations of existing automated solutions:

Software solutions for information security risk

assessment are developed to aid in the

automation of this process and to make it more

efficient. In a detailed comparison conducted by

“Risk Assessment Accelerator”, seven common

solutions were compared with respect to more

http://en.wikipedia.org/wiki/Risk_Management

http://en.wikipedia.org/wiki/Compliance_(regulation)

INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE
Walid Al-Ahmad, Bassil Mohammed, Vol. 2, No. 2

31

than forty different areas [15]. Features like

ease of use, multi-language and client-server

architecture support were highlighted as

existing limitations in four up to five of these

solutions. Three out of the seven compared

solutions provide limited customization

capabilities for both built-in inventories (for

risks, vulnerabilities and threats) and the

generated dashboards. All these weaknesses and

limitations degrade enterprises’ efforts to have

efficient and reliable information security risk

assessment requirements documentation.

7) Existence of several IT risk assessment

frameworks: The existence of many information

security risk management and assessment

frameworks add to the ambiguity and challenge

of what is the best one to use. As a matter of

fact, analyses of exiting risk assessment

frameworks show that there is no one-size-fits-

all solution to this issue as it is hard to develop

a single precise document that will address the

needs of all enterprises given their variant

natures and requirements.

4. Drivers for Standards Adoption

In to address their information security

risk management and assessment challenges,

enterprises adopt internationally accepted

frameworks or best practices. Standards in general

are meant to provide uniformity that would ease

the understanding and management of concerned

areas. Businesses find themselves in need to adopt

standards for various reasons which vary from

business requirements to regulators and

compliance mandates. Establishment of proper

corporate governance, increasing risk awareness

and competing with other enterprises are some

business drivers to mention. Some firms pursue

certifications to meet market expectations and

improve their marketing image. A major business

driver for standards adoption is to fill in the gaps

and lack of experience in certain areas where firms

are not able to build or establish proprietary

standards based on their staff competencies [16].

Providing confidence to trading partners,

stakeholders, and customers, reducing liability due

to unimplemented or enforced policies and

procedures, getting senior management ownership

and involvement and establishing a mechanism for

measuring the success of the security controls are

some other key drivers for the adoption of

standards.

5. Leading Market Best Practices Standards

The conclusion section should emphasize the

main contribution of the article to literature.

Authors may also explain why the work is

important, what are the novelties or possible

applications and extensions. Do not replicate the

abstract or sentences given in main text as the

conclusion.

In this section, an overview is presented of a

number of the more important standards for

information security risk management. For detailed

information about these standards, the reader is

encouraged to consult the references provided for

them. The list of standards presented is absolutely

not complete, and as mentioned before a subset of

the existing standards are treated in this paper.

5.1. ISO 27000 Set

The ISO 27000 is a series of standards, owned

by the International Standards Organization,

focusing on information security matters. For the

purposes of this work, ISO 27001, ISO 27002, and

ISO 27005 will be explored to highlight their

strengths and weaknesses in relation to current

demands for effective and robust frameworks for

information security risk assessments.

ISO 27001: The ISO 27001 standard is the

specification for an Information Security

Management System (ISMS). The objective of the

standard is to specify the requirements for

establishing, implementing, operating, monitoring,

reviewing, maintaining, and improving an

Information Security Management System within

an organization [13]. It is designed to ensure the

selection of adequate and proportionate security

controls to protect information assets. It is seen as

an internationally recognized structured

methodology dedicated to information security

management.

INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE
Walid Al-Ahmad, Bassil Mohammed, Vol. 2, No. 2

32

The standard introduces a cyclic model known

as the “Plan-Do-Check-Act” (PDCA) model that

aims to establish, implement, monitor and improve

the effectiveness of an organization’s ISMS. The

PDCA cycle has these four phases:

 Plan – establishing the ISMS

 Do – implementing and operating the ISMS

 Check – monitoring and reviewing the ISMS

 Act – maintaining and improving the ISMS

Organizations that adopt ISO 27001 in their

attempt to pursue an effective means for

operational information security risk management

overlook the fact that this standard was designed to

be used mainly as an ISMS framework – at the

high level, not operational level – founding proper

bases for information security management. ISO

27001 document mentions valuable details on

information security risk assessment – mainly in

the statements 4.2.1.C thru 4.2.1.H that can be

used as selection criteria for a proper information

security risk assessment approach that builds upon

the controls list proposed by the standard.

ISO 27002: ISO 27002 is a code of practice

that provides suggested controls that an

organization can adopt to address information

security risks. It can be considered an

implementation roadmap or extension to ISO

27001. As stated in the standard document, the

code of practice is established to provide

“guidelines and general principles for initiating,

implementing, maintaining, and improving

information security management within an

organization” [17]. The controls listed in the

standard are intended to address the specific

requirements identified via a formal risk

assessment. The standard is also intended to

provide a guide for the development of

“organizational security standards and effective

security management practices, and to help build

confidence in inter-organizational activities” [18].

ISO 27002 as the Code of Practice is best suited to

be used as a guidance and direct extension to ISO

27001. ISO 27002 is used by enterprises as the

sole source of controls and a means for

information security risk assessment, however, not

all controls are mandated as firms’ structures and

businesses vary. Controls selection must be done

based on detailed and structured assessment to

determine which specific controls are appropriate

and which are not.

This standard contains guidelines and best

practices recommendations for these 10 security

domains: Security Policy; Organization of

Information Security; Asset Management; Human

Resources Security; Physical and Environmental

Security; Communications and Operations

Management; Access Control; Information

Systems Acquisition, Development and

Maintenance; Information Security Incident

Management; Business Continuity Management;

and Compliance.

Among these 10 security domains, a total of 39

control objectives and hundreds of best-practice

information security control measures are

recommended for organizations to satisfy the

control objectives and protect information assets

against threats to confidentiality, integrity and

availability.

ISO 27005: ISO 27005 standard was proposed

to fill in the gaps existing in ISO 27001 and ISO

27002 in terms of information security risk

management. The standard builds up on the core

that was introduced in ISO 27001 – reference

statements 4.2.1.C thru 4.2.1.H – and elaborates by

identifying inputs, actions, implementation

guidelines, and outputs for each and every

statement. However, during our research we

realized that the adoption of this standard as a

means for information security risk management is

minimal. This was evident in “The Open Group”

efforts to support ISO 27005 adoption by releasing

a free detailed technical document – called

ISO/IEC 27005 Cookbook – that uses ISO 27005

as a cornerstone for a complete risk management

methodology [18, 19]. ISO 27005 is not intended

to be an information security risk assessment

methodology [20].

The standard has six annexes that are all

informative but considered of a major value

extension to the standard. With proper

customization, these annexes along with the ISO

27005 body can be used as the main assessment

methodology for security risks.

5.2. IT Infrastructure Library (ITIL 3.0)

INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE
Walid Al-Ahmad, Bassil Mohammed, Vol. 2, No. 2

33

ITIL is one of the IT frameworks used as a best

practice adopted to properly manage IT services.

ITIL perceives any effort or action done by IT in

support to the organization as a service that has

value to customers or businesses. The ITIL library

focuses on managing IT services and covers all

aspects of IT service provisioning starting from

service strategy, design, transition, operation, and

implementation. It also highlights the continual

monitoring and improvement aspect for each and

every service.

ITIL does not introduce itself as a framework

for information security risk management.

However, as an IT governance framework, having

it implemented in an enterprise will provide

assurance and indication on the organization’s IT

maturity. Addressing IT risks associated with

incident, change, event, problem, and capacity

management would definitely minimize related

information security risks as well [21, 22].

The drivers for ITIL adoption in organizations

were subject to analyses and study by several

researches. A survey conducted by itSMF (IT

Service Management Forum) showed that ITIL

was adopted by different industry sectors [23]

including education, government, and financial

sectors amongst others. The ITIL status survey for

2009 [24] showed the increasing adoption of ITIL

version 3.0 and elaborated on the major drivers

that are causing this adoption. This includes

improving service quality, customer satisfaction

and establishing IT stability and successful value

delivery for business. ITIL modularity adds to its

adoption popularity. Based on the enterprise

current priorities, the firm can select to focus on

service operations rather than service strategy

which typically needs more time to mature. The

implementation of ITIL can be implemented

gradually in phases.

5.3. COBIT 4.1 & Risk IT

Control Objectives for Information and related

Technology (COBIT), developed and owned by

the Information Systems Audit & Control

Association (ISACA), is one of the most

increasingly adopted information technology

frameworks for IT Governance. COBIT focuses

on defining IT control objectives and developing

the controls to meet them. It is made of 34

processes that manage and control information and

the technology that supports it [12].

COBIT is adopted by enterprises from various

industry sectors [25] which include IT consulting

firms, education, financial institutions,

government, healthcare, utilities and energy. To

get closer understanding on how various

enterprises perceive COBIT, thirty case studies

were reviewed and analyzed. The case studies

showed that COBIT was used to create the needed

alignment between business and IT, create the IT

Governance framework, improve IT processes and

establish the IT risk management organization.

Other enterprises used COBIT to meet their

compliance needs and requirements. It was

realized from the case studies that financial

institutions adopt COBIT for their internal IT audit

efforts and risk assessments. They also used it to

create IT policies and procedures. Other firms used

COBIT as a means to standardize IT processes and

increase their effectiveness and maturity level.

COBIT was also used as a means to conduct audit.

COBIT does not provide a methodology to

conduct information security risk assessments but

rather establishes the foundation for having a solid

IT organization in the firm.

ISACA recognized the importance and need

for a comprehensive IT risk management

framework and as a result developed the Risk IT

framework. According to the Risk IT framework

document “The Risk IT framework complements

ISACA’s COBIT, which provides a

comprehensive framework for the control and

governance of business-driven IT-based solutions

and services. While COBIT sets good practices for

the means of risk management by providing a set

of controls to mitigate IT risk, Risk IT sets good

practices for the ends by providing a framework

for enterprises to identify, govern and manage IT

risks [26].

Risk IT provides an end-to-end, comprehensive

view of all risks related to the use of IT and a

similarly thorough treatment of risk management,

from the tone and culture at the top, to operational

issues. It enables enterprises to understand and

manage all significant IT risk types. Risk IT

follows the process model used in COBIT and has

three major domains: 1) Risk Governance which

INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE
Walid Al-Ahmad, Bassil Mohammed, Vol. 2, No. 2

34

focuses on the establishment and maintenance of

common risk view, and making risk-aware

business decisions; 2) Risk Evaluation which deals

with data collection, risks analyses and

maintaining risk profile; 3) The Risk Response

component articulates risk, manages risk and

reacts to all adverse events identified [26].

Given that Risk IT is still new, its adoption

across enterprises is not yet realized, however, it is

expected to take more attention and focus in the

near future taking use of the wide acceptance and

adoption of COBIT.

5.4. Other Frameworks

In this section, we briefly discuss other

standards and regulations for information security.

Some industries, such as banking, are regulated,

and the guidelines or best practices put together as

part of those regulations often become a de facto

standard among members of these industries.

Basel II: Basel II is the most commonly

adopted directive across the financial institutions.

The reason behind this is the fact that this directive

has become a mandated regulation that all

financial institutions need to comply with. Its core

is about how much capital banks need to put aside

to guard against the types of financial and

operational risks banks face [27]. It focuses on

operational risks as opposed to information

security risks. According to Basel II, operational

risk (Ops Risk) is any risk that results from failure

in any of the following areas: system, process,

human or external attack. This definition implies

that Basel II has an IT dimension that needs to be

properly managed. This area was subject for

detailed research and several publications tried to

set clear controls and control objectives to mitigate

the related risks. ISACA led this effort and

developed a detailed framework in this regards

[28].

PCI DSS: Payment Card Industry Data

Security Standard (PCI DSS) [29], currently in

version 2.0, is a standard that consists of twelve

domains and was created by payment brands

leaders to help facilitate the broad adoption of

consistent data security measures on a global basis.

Proper implementation of PCI DSS assists in

building and maintaining a secure network,

protecting cardholder data, maintaining a

vulnerability management program, and

implementation of solid access control measures.

Compliance with PCI requirements is mandated

for any party that stores or transmits credit or debit

card data. It assists enterprises to manage

information security risks, reduces losses resulting

from fraud, and protects consumer data. PCI DSS

is not intended to be used as an information

security risk management or assessment

framework; however, while efforts are spent

towards fulfilling its requirements overall

information security maturity level is leveraged

making it easier to achieve better security

assessments. For organizations that already have

ISMS (ISO 27001) implemented, PCI DSS

compliance is straight forward.

OCTAVE Set: OCTAVE (Operationally

Critical Threat, Asset and Vulnerability

Evaluation), developed at the CERT Coordination

center at Carnegie Mellon University, is a detailed

information security risk assessment methodology;

it consists of tools, techniques and methods to

conduct risk assessments. It is a formal and

detailed set of processes, which assist in ensuring

that risks are identified and properly analyzed,

…