Key Questions for Effective Cyber Risk Management From the ISO 31000:2018

The implementation of a risk-management process requires a significant investment of time, energy and resources from any organization. But how can those tasked with managing cyber risk ensure that the investment is worthwhile and effective?

The International Organization for Standardization (ISO) put forth its annual risk-management guidelines, ISO 31000:2018, in February 2018. Here are the key components of the guidelines, as well as some critical questions for organizations to answer.

(Those unfamiliar with the ISO’s guidelines can read our overview.)

How Integrated Are Your Organization’s Security Practices?

What is one of the most significant determinants of success for a risk-management process? The level of commitment from top leadership and the board. At the center of ISO 31000:2018 is this very issue of commitment — and the guidelines warn that the effectiveness of the whole affair will depend on the dedication and involvement from those in charge.

Consider the following questions to assess the level of commitment from those at the top of your organization:

  • Is cyber risk management integrated into every corner of your organization? A counterproductive alternative would be to treat cybersecurity solely as an IT issue. Sadly, this is still the case in many organizations today, as evidenced by recent reports measuring cyber risks globally.

  • Are cyber risks adequately considered when organizational strategy and business objectives are being formulated? Is consideration given to the alignment of strategy, performance and security, as per the advice about enterprise risk management (ERM) from the Committee of Sponsoring Organizations (COSO)?

  • Is the current risk-management process sufficient to help your organization understand its internal and external cyber risks? How has your organization’s risk appetite changed in light of these risks? External context example: How is the political and regulatory landscape shifting (e.g., the General Data Protection Regulation [GDPR])? Internal context example: Is your organization implementing new policies or technologies that carry new risks (e.g., the Internet of Things [IoT])?

  • Who has been assigned accountability and authority for risk management? Is it a core responsibility — or simply tacked onto existing roles? Is the role visible on the organizational chart?

  • Is your organization’s approach to managing cyber risks clearly understood by all involved parties? Is it practiced the way it was envisioned? Are the capabilities of the organization and its internal culture understood by those making risk decisions?

ISO 31000:2018 also specifies the following elements of effective risk-management programs: integration, design, implementation, evaluation and improvement.

Are Key Principles of ISO 31000:2018 in Place at Your Organization?

ISO 31000:2018 is grounded in various key principles, which stress that risk management should be “integrated, executed via a structured and comprehensive approach, customized, inclusive, dynamic, based on the best information available regarding both human and cultural factors and continuously improved.”

Consider the following questions to assess whether these principles are in place at your organization:

  • Is there a systematic process in place for tracking, evaluating and managing cyber risks? Is it integrated into your ERM process? Is there a mechanism in place to provide feedback on this process?

  • Has the process to manage cyber risk been adapted for your organization’s needs and culture? Is it structured and inclusive — bringing all the relevant stakeholders to the table? Is there a sense of ownership from those affected by cyber risks? For example, are line-of-business directors getting cyber risk updates in ways that are relevant to them? Can they see how their decisions impact their cyber risk profiles?

  • Is the process designed to be as dynamic as it needs to be, as cyber threats continually evolve, and is it based on information that’s timely, useful and relevant to decision-makers and risk-owners?

  • Have sufficient resources been provisioned to ensure a successful and sustainable management program? These resources include staff, budgets, support from leadership, information systems and relevant data, as well as data collected as part of the process itself.

How Does Your Organization Assess Cyber Risks?

The risk-assessment process includes identifying, analyzing and evaluating risks before acting on them. However, ISO 31000:2018 also stresses the importance of ensuring that the process has the appropriate scope and context, and that risk criteria are determined before the risk-assessment phase begins.

Consider the following questions to evaluate the current cyber risk assessment process at your organization:

  • Is the scope of the cyber risk assessment aligned with your organization’s strategy and objectives? Have stakeholders been briefed on the scope, purpose and expected outcomes of the process?

  • Has the amount and type of cyber risk your organization is comfortable with been defined? Does this reflect your organization’s values and objectives? Is it consistent with the resources your organization has put forward in this effort? Does the process take into account your organization’s capacity for detecting and reacting to those risks? Is this capacity based on realistic reaction times — as opposed to wishful thinking?

  • Are cyber risks looked at in isolation — or does the assessment process consider the effect of timing (e.g., before mergers and acquisitions [M&A] activity or before important earnings call announcements)? Does the assessment process consider the cascading impact that risks can engender?

  • Is the risk-assessment process systematic, inquisitive, iterative and collaborative? Does it use the best available information about the nature of the threats and attackers? Does it make realistic assumptions about your organization’s defenses? Are these assumptions tested via penetration testing or red-team exercises?

Is Your Organization Effectively Communicating Cyber Risks?

Even the best plans can lead to failure if they are not properly communicated. Over the past decade, one point has emerged from board directors about cyber risks: Management has done a poor job of communicating cyber risks to the board, as well as to its own managers and risk-owners. ISO 31000:2018 stresses the need for a well-rounded approach to communicating and consulting about cyber risks with all relevant stakeholders.

Though information is communicated from the top down, consultation is equally important and ensures the organization receives feedback to shape future risk decisions and improve the risk-management process.

Consider the following questions to evaluate the cyber risk-communication process at your organization:

  • Does the information provided as part of the cyber risk-management process help decision-makers improve the quality of their cyber risk decisions? Is the information provided timely, relevant, understandable and actionable? Is the information tied to its impact on business objectives?

  • Does the consultation process support collecting information from relevant stakeholders in a systematic, organized and consistent manner? Will the collected feedback be synthesized and shared with relevant parties? Does the consultation process support the consideration of different points of view? Does it bring together people of various expertise (e.g., cyber, legal, operations) with the risk-owners?

  • Does the organization have a well-practiced data breach response plan? Have executives and the board been involved in the preparation and rehearsal of this plan?

How Engaged Is Your Organization on Risk Treatment, Monitoring and Review?

The proper assessment of cyber risks, supported by appropriate communication and consultation, is obviously essential. But where the rubber meets the road is in what the organization decides to do regarding a particular risk — and how well it follows up with a monitoring and review process.

Consider the following questions to evaluate the risk treatment, monitoring and review process at your organization:

  • How does your organization generate a list of possible risk-treatment options? Are the choices reviewed for organizational capability and to ensure effective and efficient use of resources?

  • Are stakeholders consulted during the selection of risk-treatment options to ensure the options meet their needs and capabilities?

  • Does the risk-treatment process consider new risks that might arise with a specific course of action? What if the chosen risk treatment underperforms or generates unintended consequences?

  • Has your organization captured the rationale for the final decision? Who will be held accountable for implementing the chosen option? Who will need to be involved in clearing the path to success? What’s the timeline for implementation — or for completion?

  • Whose responsibility is it to monitor this risk-treatment implementation and its effectiveness? How will information about this project be looped back into the risk-management process to ensure lessons are learned?

How Will Your Organization Evaluate and Improve the Risk-Management Process?

ISO 31000:2018 makes it clear that to achieve an effective risk-management process, organizations must evaluate whether the process itself meets the needs of the organization. In other words: Is the process having the intended effect of helping the organization improve its decision-making about which risks to take, which risks to avoid and what to do about the uncomfortable levels of risk that remain?

The implementation should help the organization create or protect value. This implies that the organization should have documented the purpose of the process, expectations about its impact and indicators to evaluate the success of the process.

Consider the following questions to evaluate how well your organization is improving the risk-management process:

  • Is the cyber risk-management process applied at multiple levels throughout your organization (including strategic, operational, executive and project levels)?

  • Are cyber risks regularly reviewed, debated and questioned by top leadership and the board? Do the board and top management have access to qualified external experts to help them navigate the cyber risk landscape and understand the effectiveness of a chosen course of action?

  • How does your organization evaluate the effectiveness of the controls deployed to mitigate risks? How frequently is this done? How are the lessons learned integrated into the next iteration of the process?

  • Are there any gaps in the process that need to be addressed? Are there opportunities for improvement that should be implemented?

Risk management is not a once-and-done project. It’s a process which must be adapted to the culture and needs of the organization, supported with adequate resources — and closely monitored to ensure its effectiveness.

Christophe Veltsos

InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato

Chris Veltsos is a professor in the Department of Computer Information Science at Minnesota State University, Mankato...