Welcome to the SecAware blog

I spy with my beady eye ...

23 Apr 2022

EU to standardise on ISO 31000 and ISO/IEC 27005?

"Risk management procedures are fundamental processes to prepare organisations for a future cybersecurity attack, to evaluate products and services for their resistance to potential attacks before placing them on the market, and to prevent supply chain fraud" says ENISA in the report "RISK MANAGEMENT STANDARDS - Analysis of standardisation requirements in support of cybersecurity policy" published in March 2022.

Not to be left behind, ENISA - originally the European Network and Information Security Agency (an official agency of the EU) - leapt aboard the cyber bandwagon, rebranding itself "The European Union Agency for Cybersecurity" when it became a permanent EU agency under the European Cybersecurity Act, regulation (EU) 2019/881.

Despite the vague title, RISK MANAGEMENT STANDARDS in fact primarily concerns "risk management [and] security of ICT products, ICT services and ICT processes" where 'risk' means "any reasonably identifiable circumstance or event having a potential adverse effect on the security of network and information systems." Apparently, "The main goal of risk management is (in general) to protect ICT products (software, hardware, systems, components, services) and business assets, and minimise costs in cases of failures. Thus it represents a core duty for successful business or IT management." In other words, the ENISA document revolves around IT risks, primarily, although it does casually mention 'enterprise risk management' which takes in operational, market, supply chain, project, strategic and other risks. 

Unfortunately, I haven't dug deep enough yet to reveal actual defiinitions of key terms such as "cybersecurity" or "sector". Evidently, we are supposed to just know what they mean. It doesn't help that the cited "Methodology for Sectoral Cybersecurity Asssessments 2021" official download appears to be broken, but consulting another source I see that it doesn't even define those terms anyway. Furthermore, an embedded diagram suggests an unconventional interpretation of 'risk' and 'exposure', while 'threat' seemingly disregards unintentional and untargeted threats such as generic malware, accidents and storms:



RISK MANAGEMENT STANDARDS outlines a wide range of [IT] risk management standards and 'methodologies' (methods), primarily relating to cybersecurity. Aside from the usual suspects (ISO/IEC 27005, ISO 31000, BS 7799-3, SP800-39 and BSI Germany Standard 200-3 based on IT-Grundschutz), it reminds us of other less-well-known approaches such as EBIOS, MEHARI, FAIR, CRAMM and FINSEC, 'sector-specific' guidance from ISO/IEC, ETSI, CEN CENELEC, OWASP and others, and mentions 'global registers' (vulnerability databases) such as MITRE CVE, NVD and CNNVD.

RISK MANAGEMENT STANDARDS provides scant coverage of critical infrastructures at the global, EU, national and organisational levels, while defence industry and IT supply chain risks are barely even mentioned. It appears to be focused on the generic IT and Internet security version of 'cybersecurity'.

RISK MANAGEMENT STANDARDS suggests that, despite standardisation, the proliferation of approaches in this area is confusing and unhelpful. Organisations use different approaches analyse, measure and address risks in different ways, leading to different information security controls for essentially the same risks.

"The following results can be observed in several organisations:

1. Lack of coordination and alignment between the divisions responsible for business risk management or information security management and ICT staff regarding risk management;

2. Lack of conformity with regard to risk management language and the application of risk management between the divisions responsible for business risk management or information security management and ICT staff."

Conversely, given the inherently uncertain nature of 'risk', and the muddle of poorly-defined terms in this area, perhaps it is a good thing that different approaches are available and no single approach predominates. So long as each approach reveals useful and valid information, collectively building a reasonably complete picture that leads to appropriate actions being taken to address the risks, that's a rational counter-argument, right?

Anyway, RISK MANAGEMENT STANDARDS essentially recommends standardising on ISO 31000 and/or ISO/IEC 27005 through EU regulations. 

Given the report's weak, biased analysis, the pickle that ISO/IEC 27005 is in at the moment, and the emphasis on yet more regulatory mandates, I'm not convinced ENISA has selected the best approach.

PS  There are numerous abbreviations, few hyperlinked references (not even for ENISA's own reports) and some annoying inconsistencies in RISK MANAGEMENT STANDARDS (e.g. there is no "ISO/IEC 31000" since it is an ISO standard, not ISO plus IEC, and the current version of ISO/IEC 27002 is the 2022 edition, not 2013 or 2014 as stated at least once).

No comments:

Post a Comment