Course: ISO 27005: 2011 Risk Manager certification preparation



This seminar, based partially on the ISO/IEC 27005:2018 standard, gives participants theoretical and practical knowledge of information security risk management. It prepares candidates for the ISO 27005 Risk Manager certification through case studies.


Formats: Inter-company, In-house, Custom

Seminar in person or remote class

Ref. AIR
Price: 2290 € excl. tax
Duration: 3 days (21 hours)





Teaching objectives
At the end of the training, the participant will be able to:
  • Understand the concept of risk in relation to information security
  • Use ISO 27005:2018 for risk analysis
  • Be aware of other methods (EBIOS RM, MEHARI)
  • Logically choose a risk analysis method

Intended audience
CISOs or Security contacts, security architects, IT directors or officers, engineers, and project managers (owner, lead contractor) who need to incorporate security requirements

Prerequisites
Basic knowledge in the field of information security

Course schedule

Introduction

  • ISO 27000 terminology.
  • Definitions of threat, vulnerability, and risk.
  • Availability, Integrity, and Confidentiality requirements; taking traceability/evidence into account.
  • Review of regulatory and standards constraints (GDPR, LPM/NIS, PCI DSS, etc.).
  • Role of the CISO vs. the Risk Manager.
  • The ISO 31000 standard: from the appeal of an “umbrella” standard to a universal reference.

The concept of “Risk”

  • Identifying and classifying risks.
  • Operational, physical, and logical risks.
  • The consequences of risk (financial, legal, human, etc.).
  • Risk treatment options (prevention, protection, risk avoidance, transfer).
  • Insurability of a risk; financially calculating the transfer to insurance.

Risk management according to the ISO

  • The approach of the 27001:2013 standard and its “Risk Management” process.
  • Initial assessment in the Plan phase (clause 6: Planning).
  • The 27005:2018 standard: Information Security Risk Management.
  • Implementing a PDCA process for risk management.
  • Context, assessment, treatment, acceptance, and review of risks.
  • Steps of risk analysis (identification, analysis, and assessment).
  • Preparing the Statement of Applicability (SoA) and the action plan.
  • Sharing risks with third parties (cloud, insurance, etc.); Domain 15 of ISO 27002.

Risk analysis methods

  • MEHARI methods (2010, PRO, and Manager).
  • Compliance-based approach vs. risk scenario approach.
  • Taking into account sophisticated intentional threats like APTs.
  • The goals of EBIOS RM (identifying security requirements, achieving compliance, identifying and analyzing risks, etc.).
  • Activities of the method.
  • CRAMM, OCTAVE, etc.: history and methods from the rest of the world.

Conclusion and choosing a method

  • How do you choose the best method?
  • Knowledge bases (threats, risks, etc.)
  • Convergence towards ISO and the need for an update.
  • Being or not being in the “ISO spirit”: constraints of the PDCA model.
  • A comprehensive method vs. a project-specific method.
  • The real cost of a risk analysis.


Customer reviews
4.5 / 5
Customer reviews are based on end-of-course evaluations. The score is calculated from all evaluations within the past year. Only reviews with a textual comment are displayed.

