Light Dark
April 10, 2018 By Christophe Veltsos 5 min read
Risk Management
CISO

“Dealing with risk is part of governance and leadership, and is fundamental to how an organization is managed at all levels.”International Organization for Standardization

In February 2018, the International Organization for Standardization (ISO) released an updated version of its risk management guidelines, ISO 31000:2018, which can be purchased for about $95. The 2018 update, which replaced the prior version from 2009, provides:

  • Updated and simplified language and reference structures;

  • A renewed focus on the key leadership role that boards and top management must play in ensuring that risk management is fully integrated at all levels of the organization; and

  • Greater attention to the cyclical and iterative nature of risk management, which underscores the notion that organizations must evaluate their risk management process in light of new information or in response to feedback about gaps that might be present in the current risk process or associated controls.

Breaking Down ISO 31000:2018

In a world where standards often weigh in at hundreds of pages, the 16 pages of ISO 31000:2018 constitute a succinct and concentrated guide to help organizations improve the way they manage their risks. The document, which can be read in about one hour, consists of four major sections:

  1. The definitions of key terms such as risk, risk management, stakeholder, risk source, event, consequence, likelihood and control;
  2. The principles of risk management — namely, that risk management is integrated, executed via a structured and comprehensive approach, customized, inclusive, dynamic, based on the best information available regarding both human and cultural factors, and continuously improved;
  3. A framework for ensuring that risk management is properly implemented, well-integrated throughout the organization, carefully designed, regularly reviewed, and continuously adapted and improved; and
  4. A section on the risk management process itself, including the traditional elements of risk identification, analysis, evaluation and treatment, bolstered by a monitoring and review element as well as a communication and consultation element — the former to improve the effectiveness and quality of the risk management process, and the latter to ensure that “factual, timely, relevant, accurate and understandable” risk information is being communicated and used for decision-making.

Five Takeaways for Boards and Top Leadership

While ISO 31000:2018 is far from the only document covering enterprise risk management, one would be hard-pressed to find a more succinct set of principles for implementing and evaluating a risk management process. But brevity isn’t just the only benefit of this document. Below are five of the top takeaways from ISO 31000:2018 for board directors and top management.

1. Executive Buy-In Is Key

The document includes clear language about the importance of strong leadership and commitment to the risk management program. Executives should ensure that the risk management process is fully integrated across all levels of the organization and strongly aligned with objectives, strategy and culture.

2. Consider Risks in Business Decisions

ISO 31000:2018 also includes reminder that boards are responsible for ensuring that risks are given adequate consideration when decisions are being made, since those risks can impact the organization’s ability to deliver value.

3. Emphasize Proper Implementation

Boards also need to ensure that the risk management process is properly implemented and that the controls have the intended effect. Board directors may not have adequate domain expertise to fully grasp the significance and impact that cyber risks present to the organization. In such cases, they should bring in an external advisor to provide context and ensure that management’s actions are in line with the strategic importance of the cyber domain.

4. Risk Management Is Not One-Size-Fits-All

The document has a clear articulation of risk management as a cyclical process with ample room for customization and improvement. But instead of prescribing a one-size-fits-all approach, the ISO document advised top leadership to customize its recommendations for the organization — in particular, its risk profile, culture and risk appetite.

5. Be Proactive

While the document does not address cyber risks specifically, it provides powerful guidance to help executives take a proactive stance on risk and ensure that risk management is integrated with all aspects of decision-making across all levels of the organization. This includes business continuity, compliance, crisis management, HR, IT and organizational resilience.

Five Takeaways for CISOs

While top leadership would obviously benefit from reading and implementing the recommendations articulated in ISO 31000:2018, chief information security officers (CISOs) can also derive value from the guidelines. Below are five takeaways for CISOs.

1. Throw Out the Techno-Babble

The document provides a common language with simple, uncomplicated definitions of risks, events, consequences and the subtle implications of terms such as probability versus likelihood. The ISO document prefers “likelihood” for its broader meaning as the “chance of something happening, whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively, and described using general terms or mathematically.”

CISOs should align their own use of terms to ensure communications are taking place without the hindrance of complex language or, worse, techno-babble. If a metric is too complex, it should not be shared with the board. However, it might still be useful as part of a larger metric representing trend lines on the organization’s overall cyber health and resilience.

2. Know the Cyclical Nature of Risk Management

ISO 31000:2018 focuses on the cyclical nature of risk management, helping security leaders understand and control the impact of risks, especially cyber risks, on business objectives. The various elements of the guidelines — from the principles to the framework and process — converge to improve and strengthen the organization’s ability to evaluate, communicate and consider risks in business decisions, and to select controls to help mitigate or transfer risks to fit within organizational tolerances.

3. Use the Best Available Information

Much of risk management is centered on the best available information, with all the ambiguity and imperfections the term implies. Instead of seeking to only share absolute risk information, CISOs should embrace this nebulous understanding and reflect on the cyber risk data they provide to solidify their role as effective advisors to the business.

The data CISOs provide should be relevant and understandable, delivered within a reasonable time frame and qualified with appropriate statements regarding its accuracy. This is especially true when responding to a cyber incident because the quality of the information that is initially available is often very different from the data revealed by a forensic review.

4. Measure Success

The guidelines also emphasize the value of measuring, evaluating and improving the risk management system itself. The idea isn’t to get everything right the first time around, but to improve every time the cycle is completed. Even imperfect risk data can be useful, as long as it is presented along with a timeline showing a trend. Flat trend lines might be acceptable for some risks and controls, whereas for others, top management and board directors should expect to see clear signs of progress. Ultimately, CISO reports should provide quality information to executives.

5. Engage Top Leadership in Risk Management

The ISO guidelines, together with the “Director’s Handbook on Cyber-Risk Oversight,” published by the National Association of Corporate Directors (NACD), outline a road map to help CISOs engage with top management on the governance of cyber risks. Both of these documents were created for business leaders, but they are also useful resources to help CISOs guide the thinking and activities of executives.

Ready to Get Started?

A companion summary of the changes outlined three action items to help CISOs and business leaders get on the path to improved risk management, which are outlined below.

  1. “Be aware of your organization’s key objectives”: Having clearly articulated objectives is key to identifying risk management targets and requirements.
  2. “Assess your current governance structure”: This helps business leaders ensure that lines of reporting and roles/responsibilities are adequate, that the board has unobstructed access to CISOs and that CISOs have proper visibility and support.
  3. “Define your level of commitment”: Organizations should precisely state and share their commitment to the risk management process, and consciously evaluate both their risk tolerance and where they should be on the risk appetite scale.

Whether you’re ready to implement your first risk management process or looking to improve an existing one, the ISO 31000:2018 guidelines can help manage uncertainty while protecting value. When it comes to cyber risks, organizations cannot afford to take a wait-and-see approach.

 |  |  |  |  |  |  | 
Christophe Veltsos
InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato

More from Risk Management
July 25, 2024

Unveiling the latest banking trojan threats in LATAM

9 min read - This post was made possible through the research contributions of Amir Gendler.In our most recent research in the Latin American (LATAM) region, we at IBM Security Lab have observed a surge in campaigns linked with malicious Chrome extensions. These campaigns primarily target Latin America, with a particular emphasis on its financial institutions.In this blog post, we’ll shed light on the group responsible for disseminating this campaign. We’ll delve into the method of web injects and Man in the Browser, and…

July 24, 2024

Crisis communication: What NOT to do

4 min read - Read the 1st blog in this series, Cybersecurity crisis communication: What to doWhen an organization experiences a cyberattack, tensions are high, customers are concerned and the business is typically not operating at full capacity. Every move you make at this point makes a difference to your company’s future, and even a seemingly small mistake can cause permanent reputational damage.Because of the stress and many moving parts that are involved, businesses often fall short when it comes to communication in a crisis.…

July 10, 2024

Digital solidarity vs. digital sovereignty: Which side are you on?

4 min read - The landscape of international cyber policy continues to evolve rapidly, reflecting the dynamic nature of technology and global geopolitics. Central to this evolution are two competing concepts: digital solidarity and digital sovereignty.The U.S. Department of State, through its newly released International Cyberspace and Digital Policy Strategy, has articulated a clear preference for digital solidarity, positioning it as a counterpoint to the protectionist approach of digital sovereignty.What are the main differences between these two concepts, and why does it matter? Let’s…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature