M2 Information Security Risk Management

An information security risk management process shall be implemented to conduct risk assessments, statements of applicability, security testing and evaluations of information security controls on applicable services.

OBJECTIVE

To establish a formal information risk management framework for managing entity’s information security risks by establishing the context, preforming risk assessment, implementing risk treatments, and monitoring their implementation.

PERFORMANCE INDICATOR

Trend in the number of occurrences where the risk assessment has not been performed, reviewed or updated as planned.

AUTOMATION GUIDANCE

Not applicable

RELEVANT THREATS AND VULNERABILITIES

1. Unsuitable risk management policy
2. Inconsistent or incomparable results
3. Inconsistent or unsuitable risk criteria

APPLICABLE CONTROLS

Followings are controls applicable for this control family.

• M2.1.1 - P1 - INFORMATION SECURITY RISK MANAGEMENT POLICY

OBJECTIVE

To identify, analyze and evaluate the information security risks the entity is facing.

PERFORMANCE INDICATOR

Percentage of new risks that are identified when the risk assessment is reviewed or updated in relation to all those risks that should have been identified before and have been overlooked or that have been assessed incorrectly.

AUTOMATION GUIDANCE

Automated physical access management applications are available for entities of all sizes and complexity and are deployed along physical access control equipment (such as automated gates and doors). Selection of the appropriate access management application requires an entity to have an

understanding of its physical landscape and locations, the risks it faces, and the protection level required.

RELEVANT THREATS AND VULNERABILITIES

1. Under protected secure areas
2. Unauthorized access to secure areas
3. Destruction of equipment of media
4. Interference with security controls

APPLICABLE CONTROLS

Followings are controls applicable for this control family.

• M2.2.1 - P1 - INFORMATION SECURITY RISK IDENTIFICATION
• M2.2.2. - P1 - INFORMATION SECURITY RISK ANALYSIS
• M2.2.3 - P1 - INFORMATION SECURITY RISK EVALUATION ANALYSIS

OBJECTIVE

To identify and plan appropriate risk treatment for the risks that have been assessed.

PERFORMANCE INDICATOR

Percentage of all records (audit reports, incident reports, logs, events, etc.) that indicate that any of the controls that have been identified as “not applicable” are actually needed.

AUTOMATION GUIDANCE

Solutions as physical access control, video surveillance and anti-intrusion systems should be considered.

RELEVANT THREATS AND VULNERABILITIES

1. Equipment failure
2. Tampering with equipment
3. Physical theft of asset

APPLICABLE CONTROLS

Followings are controls applicable for this control family.

• M2.3.1 - P1 - INFORMATION SECURITY RISK TREATMENT OPTIONS
• M2.3.2 - P1- IDENTIFICATION OF CONTROLS
• M2.3.4 - P1- STATEMENT OF APPLICABILITY
• M2.3.5 - P2 - INFORMATION SECURITY OBJECTIVITIES

OBJECTIVE

To ensure that risk management process is communicated, consulted and monitored.

PERFORMANCE INDICATOR

Percentage of all cases during the last year where the information security risk assessment and/or risk treatment has not been updated despite of being scheduled and significant changes are occurring.

AUTOMATION GUIDANCE

Not applicable

RELEVANT THREATS AND VULNERABILITIES

1. No review or update of the information security risk assessment and treatment
2. Unidentified new information security risks
3. Unnecessary controls

APPLICABLE CONTROLS

Followings are controls applicable for this control family.

• M2.4.1 - P1 - RISK MONITORING AND REVIEW
• M2.4.2 - P1 - RISK COMMUNICATION AND CONSULTATION