ISO27k - RA - Spreadsheet - Version - 2

Information Security Risk Analysis Spreadsheet

Version 2 - 12 Oct 2007

Introduction
The first version of this spreadsheet was kindly contributed to the ISO27k implementers' forum at www.ISO27001security.co
a separate Word document explaining the scores and formulae. Hamid's spreadsheet and document were crunched into th
Gary Hinson, with minor changes to the wording and formatting, plus an introduction section. Gary also corrected Ham
double-counting the 'probability' factor.

Further improvement suggestions are very welcome from those actively implementing the ISO/IEC 27000 standards: please j
forum and post your comments or updates to the group. Further ISMS documents, worksheets, policies, procedures etc. are

Purpose
This spreadsheet is intended to support an organization's analysis of information security risks as part of the
Information Security Management System (ISMS). The spreadsheet is meant to help those implementing or
ISO/IEC information security management standards. Like the ISO/IEC standards, it is generic and needs to
requirements. The details do vary between organizations.

Copyright
This work is copyright © 2007, ISO27k implementers' forum, some rights reserved. It is licensed under the Cre
Noncommercial-Share Alike 3.0 License. You are welcome to reproduce, circulate, use and create derivative work
it is not sold or incorporated into a commercial product, (b) it is properly attributed to the ISO
(www.ISO27001security.com), and (c) derivative works are shared under the same terms as this.

Disclaimer
Risk analysis is more art than science. Don't be fooled by the numbers and formulae: the results are heavily influe
users' assessment of risk factors, on the definition of information assets and on the framing of risks being consider
process is best conducted by a team of people with solid expertise and practical experience of (a) assessing
security risks, and (b) the organization, its internal and external situation with respect to information security. D
answers from anyone. It is impossible to guarantee that all risks have been considered and analyzed correctly
practitioners in this field claim that all risk analysis is basically bunkum, and we have some sympathy with that viewp

The results of the analysis should certainly be reviewed by management (ideally including IT auditors, Legal, HR, oth
information security consultants) and may be adjusted according to their experience, so long as the expert views are taken in
just because the organization has little if any experience of a particular information security risk does not necessarily mea
Organizations with immature security management processes and systems may have significant ongoing security incidents
due to inadequate incident detection and reporting processes.

Instructions
Start by breaking the organization's information assets (being the information/data content plus the systems that process, store and communicate it) into sensible categories. Too much detail is just as bad as too little.

Next, consider the possible information security risks (threats, vulnerabilities, impacts) to each of those assets, completing the scores in the worksheet. The guidance below is also available as comments on the worksheet (hover over the red triangles to see the comments). Decide on the probabilities and chances of non-detection based on your collective experience.

Now, in conjunction with management, review the full list of risks and RPNs to check that they "make sense". Investigate the reasons for any unexpectedly high or low scores - they may reflect simple errors in the scoring process. It usually helps to rank (sort) the risks according to their scores to check for items that appear out of sequence in the list.

Finally, use the information here, in conjunction with ISO/IEC 27002 and/or other sources of information security guidance, to identify controls to address the identified risks. The ranked risk or RPN scores provide a natural priority for implementing the controls. Keep the worksheet somewhere safe and review/update it periodically as part of the routine management of information security.

Note: the items shown on the RA worksheet in the template are merely examples to show the style. Delete or check and update them!

Probability
For the purposes of this Security Risk Assessment the following scale shall be used to quantify the probability of occurrence of a risk.

Probability    Explanation                    Score
Negligible     Unlikely to occur              0
Very Low       2 – 3 times every 5 years      1
Low            Up to once per year            2
Medium         Up to twice a year             3
High           Up to once per month           4
Very High      More than once per month       5
Extreme        Several times a week or day    6

Impact (Harm)
Impact (harm) shall be quantified as a number reflecting the damage done if a given threat successfully exploits a given vulnerability. Harm is not related to probability: this value lets us rate the seriousness of a given risk on a relative scale, independent of its probability. For this Security Risk Assessment the following scale shall be used to estimate impact:

Impact level    Explanation                                                  Score
Insignificant   No impact                                                    0
Minor           No extra effort required to repair                           1
Significant     Tangible harm, extra effort required to repair               2
Damaging        Significant expenditure of resources required;               3
                damage to reputation and confidence
Serious         Extended outage and/or loss of connectivity;                 4
                compromise of large amounts of data or services
Grave           Permanent shutdown; complete compromise                      5

Risk
The evaluation and mitigation of risk is the goal of the Information Security Management System. Mathematically, risk can be expressed as Risk = Probability x Impact, giving the following range of risk values:

Risk level    Explanation
0             Nil
1 to 3        Low
4 to 7        Medium
7 to 14       High
15 to 19      Critical
20 to 30      Extreme

Risk Detection
The sooner we find out when and how a risk has occurred, the sooner we can respond to it and thus limit further losses. Risks (such as many frauds) that remain hidden for a long time may accumulate large losses even if individual incidents are relatively small scale.

Detection        Likelihood of Detection                              Chance of non-detection score
Extremely High   Very obvious or easy to detect                       1
High             Relatively easy to detect, quite noticeable          2
Medium           Can detect, but efforts are needed                   3
Low              Difficult to detect, quite likely to remain hidden   4
Extremely Low    Very difficult to detect (almost impossible)         5

Risk Detection Ranking
In order to prioritize and rank risks, we calculate the RPN (Risk Probability Number) as follows: RPN = Risk x Chance of non-detection.
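The scoring model above, worked through in code as an added example (this is not a formula from the spreadsheet itself, and all names are this example's own). It encodes the three scales as printed, computes Risk and RPN for the template's three sample rows, maps Risk onto the named risk levels, and ranks the rows two ways so the reviewer can see which items the non-detection factor moves "out of sequence". The page does not define the letters in the "Primary security concern" column; the comment assuming A = availability and C = confidentiality is the example's assumption. One check a practitioner will want is built in: the Medium and High bands both list 7, but 7 is prime and larger than the top impact score, so no Probability x Impact product ever equals 7 and the overlap has no effect.

```python
"""Scoring model of the ISO27k risk analysis spreadsheet, as a worked example.

Added illustration, not code from the original spreadsheet. Encodes the
scales printed on the page, computes Risk = Probability x Impact and
RPN = Risk x Chance of non-detection, maps Risk to the page's risk level
bands, and ranks the template's three sample rows. Names are this example's own.
"""
from __future__ import annotations
from dataclasses import dataclass

# Scales exactly as printed on the page.
PROBABILITY = {"Negligible": 0, "Very Low": 1, "Low": 2, "Medium": 3,
               "High": 4, "Very High": 5, "Extreme": 6}
IMPACT = {"Insignificant": 0, "Minor": 1, "Significant": 2,
          "Damaging": 3, "Serious": 4, "Grave": 5}
NON_DETECTION = {"Extremely High": 1, "High": 2, "Medium": 3,
                 "Low": 4, "Extremely Low": 5}

# Risk level bands as printed. Medium and High both list 7; the overlap is
# harmless because 7 is prime and larger than the top impact score, so no
# Probability x Impact product equals 7 (see reachable_risk_values()).
RISK_BANDS = [(0, 0, "Nil"), (1, 3, "Low"), (4, 7, "Medium"),
              (7, 14, "High"), (15, 19, "Critical"), (20, 30, "Extreme")]


def validate_scores(probability: int, impact: int, non_detection: int) -> bool:
    """True when each score lies on its scale (the check a cell rule would apply)."""
    return (probability in PROBABILITY.values()
            and impact in IMPACT.values()
            and non_detection in NON_DETECTION.values())


def risk_level(risk: int) -> str:
    """Map a Risk product onto the page's named bands."""
    for low, high, label in RISK_BANDS:
        if low <= risk <= high:
            return label
    raise ValueError(f"risk {risk} is outside the 0..30 range")


def reachable_risk_values() -> list[int]:
    """Every Risk product the two scales can actually produce."""
    return sorted({p * i for p in PROBABILITY.values() for i in IMPACT.values()})


@dataclass
class RiskEntry:
    """One row of the RA worksheet; field names follow the template's columns."""
    asset: str
    threat: str
    vulnerability: str
    concern: str        # page uses bare letters; assumed A = availability, C = confidentiality
    probability: int
    impact: int
    non_detection: int  # the 'Chance of non-detection' score
    control: str

    def __post_init__(self) -> None:
        if not validate_scores(self.probability, self.impact, self.non_detection):
            raise ValueError(f"score out of range for {self.threat!r}")

    @property
    def risk(self) -> int:
        return self.probability * self.impact

    @property
    def rpn(self) -> int:
        return self.risk * self.non_detection

    @property
    def level(self) -> str:
        return risk_level(self.risk)


def rank_by_rpn(entries: list[RiskEntry]) -> list[RiskEntry]:
    """Highest RPN first: the page's suggested priority order for controls."""
    return sorted(entries, key=lambda e: (e.rpn, e.risk), reverse=True)


def resequenced_by_detection(entries: list[RiskEntry]) -> list[str]:
    """Threats whose rank differs between a Risk ordering and an RPN ordering.

    These are the 'out of sequence' items the Instructions ask reviewers to
    investigate: the non-detection factor, not the harm, moved them.
    """
    by_risk = [e.threat for e in sorted(entries, key=lambda e: e.risk, reverse=True)]
    by_rpn = [e.threat for e in rank_by_rpn(entries)]
    return [t for t in by_risk if by_risk.index(t) != by_rpn.index(t)]


# The three example rows from the template's "Personnel Management" group.
SAMPLE_ROWS = [
    RiskEntry("Employees/Users", "Influenza outbreak",
              "Flu transmission between or involving employees", "A", 5, 2, 1,
              "Cross training will ensure availability of skill set between several workers"),
    RiskEntry("Employees/Users", "Strike, industry skills shortage",
              "Employees needed to perform essential business processes", "A", 4, 2, 1,
              "Proactive hiring practices, competitive salaries etc. will increase availability of employees"),
    RiskEntry("Employees/Users", "Disclosure of proprietary information to competitor",
              "Unethical, greedy, susceptible/naive or careless employees", "C", 2, 2, 3,
              "Code of Conduct, confidentiality clauses in employment contracts, "
              "limited access to proprietary information"),
]

if __name__ == "__main__":
    for e in rank_by_rpn(SAMPLE_ROWS):
        print(f"RPN {e.rpn:>3}  Risk {e.risk:>2} ({e.level:<8})  {e.threat}")
    print("moved by the detection factor:", resequenced_by_detection(SAMPLE_ROWS))
    print("reachable Risk values:", reachable_risk_values())
```

Running it shows the point of the non-detection factor: the disclosure row has the lowest Risk (4, Medium) of the three but the highest RPN (12) because it is the hardest to detect, so it tops the priority list ahead of the two availability risks.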


RA worksheet

Columns: Information asset; Threat; Vulnerability; Primary security concern; Probability; Impact; Risk; Chance of non-detection; RPN; Control References.

Personnel Management

Information asset:          Employees/Users
Threat:                     Influenza outbreak
Vulnerability:              Flu transmission between or involving employees
Primary security concern:   A
Probability:                5
Impact:                     2
Risk:                       10
Chance of non-detection:    1
RPN:                        10
Control References:         Cross training will ensure availability of skill set between several workers

Information asset:          Employees/Users
Threat:                     Strike, industry skills shortage
Vulnerability:              Employees needed to perform essential business processes
Primary security concern:   A
Probability:                4
Impact:                     2
Risk:                       8
Chance of non-detection:    1
RPN:                        8
Control References:         Proactive hiring practices, competitive salaries etc. will increase availability of employees

Information asset:          Employees/Users
Threat:                     Disclosure of proprietary information to competitor
Vulnerability:              Unethical, greedy, susceptible/naïve or careless employees
Primary security concern:   C
Probability:                2
Impact:                     2
Risk:                       4
Chance of non-detection:    3
RPN:                        12
Control References:         Code of Conduct, confidentiality clauses in employment contracts, limited access to proprietary information