Today I find myself poring through ISO/IEC 27000:2018 looking for quotable snippets to use on our awareness posters in January. Although there’s plenty of good content, I can’t help but notice a few rough edges, such as this:
“Conducting a methodical assessment of the risks associated with the organization’s information assets involves analysing threats to information assets, vulnerabilities to and the likelihood of a threat materializing to information assets, and the potential impact of any information security incident on information assets. The expenditure on relevant controls is expected to be proportionate to the perceived business impact of the risk materializing.” [part of clause 4.5.2].
First off, here and elsewhere the ’27000 text uses the term “information asset”, which is no longer defined in the standard since the committee couldn’t reach consensus on that. Readers are left to figure out the meaning for themselves, with the possibility of differing interpretations that may affect the sense in places. The term is, or probably should be, deprecated.
Secondly, the first sentence is long and confusing – badly constructed and (perhaps) grammatically incorrect. “Vulnerabilities to” is incomplete: vulnerabilities to what? Shouldn’t that be “vulnerabilities in” anyway? Threats get mentioned twice for no obvious reason, overemphasizing that aspect. “Likelihood” is a vague and problematic word with no precise equivalent in some languages – it too should probably be deprecated. The final clause as worded could be interpreted to mean that the process is only concerned with potential impacts on information assets, whereas incidents can cause direct and/or indirect/consequential impacts on systems, organizations, business relationships, compliance status, reputations and brands, commercial prospects, profits, individuals, partners, society at large and so forth, not all of which are information assets (as commonly interpreted, anyway!).
Thirdly, do “the organization’s information assets” include personal information? Some might argue that personal information belongs to the person concerned – the data subject – not the organization that holds it. My point is that it’s ambiguous and potentially misleading.
Lastly, I don’t entirely accept the premise of the second sentence. Sure, in business terms, the total cost of controls should normally be less than the total benefits but that’s not what the clause actually says – and anyway, information security is not entirely a matter of net value: some controls are mandated or imposed on the organization.
If you think I’m being unreasonably critical or anal about this, fair enough: that’s the level of analysis typically used to justify changes to draft standards through JTC 1/SC 27. Now imagine the effort involved to review and comment on, say, ISO/IEC 27002, and to suggest changes (ideally explicitly proposing the replacement text in each case) and you’ll appreciate the time and effort involved as the international project team slogs its way laboriously through hundreds of pages of comments. It’s a wonder anything gets produced at all, let alone anything usable and as well respected as ISO27k!
The lawyers among us will probably appreciate the issue. The legal profession performs this painstaking analysis much more seriously and deeply. Even, punctuation, is ... of-concern. Each new law/regulation has to fit neatly into the existing body of legislation without causing conflicts. We’ve got it easy!