By Jim Hietala, The Open Group
The Open Group Security Forum recently completed the last phase of our major risk management initiative with the publication of the Cookbook for ISO/IEC 27005:2005. The Cookbook is the culmination of the work the members of the Security Forum have undertaken over the past two and a half years — a comprehensive initiative aimed at eliminating widespread industry confusion about risk management among risk managers, security and IT professionals, as well as business managers.
The new Cookbook for ISO/IEC 27005:2005 is meant to be a “recipe” of sorts, providing a detailed description of how to apply The Open Group’s FAIR (Factor Analysis for Information Risk) Risk Taxonomy Standard to any other risk management framework to help improve the consistency and accuracy of the resulting framework. By following the “cookbook” example in the guide, risk technology practitioners can apply the example with significantly beneficial outcomes when using other frameworks of their choice.
We created the guide for anyone tasked with selecting, performing, evaluating, or developing a risk assessment methodology, including all stakeholders responsible for anything risk-related, such as business managers, information security/risk management professionals, auditors, and regulators (both policy-makers and law-makers).
The initiative started in the summer of 2008 with Phase 1, the Risk Taxonomy Standard, which is based on the FAIR methodology and specifies a standard definition and taxonomy for information security risk, and how to apply this to perform risk assessments. A year later, we completed the second phase and published a technical guide entitled Requirements for Risk Assessment Methodologies, which describes key risk assessment traits, provides advice on quantitative versus qualitative measurements, and addresses the need for senior management involvement. The Cookbook completes our project.
As we wrap up our work on this initiative and look at the current state of security, with escalating cyber threats, growing risks around mobile computing, and evolving government regulations, I can say with confidence that we have met our goals in creating comprehensive and needed guidance and standards in the area of risk analysis.
Looking ahead at the rest of 2011, The Open Group Security Forum has an active pipeline of projects to address the increasing risk and compliance concerns facing IT departments across organizations today. Be on the lookout for the publication of the ISM3 standard, revised Enterprise Security Architecture Guide, and ACEML standard in the late spring/early summer months!
An IT security industry veteran, Jim Hietala is Vice President of Security at The Open Group, where he is responsible for security programs and standards activities. He holds the CISSP and GSEC certifications. Jim is based in the U.S.