The two approaches for information security risk identification proposed by ISO/IEC 27005:2022

ISO/IEC 27005 is an international standard with guidelines for information security risk management. This standard offers guidance on identifying, assessing, and treating security risks within an organization.
One key step of risk management is the identification of risks, which can be performed using different approaches.
The standard proposes two risk identification approaches: the asset-based approach and the event-based approach.
There are differences between the two approaches proposed by the standard, but if used correctly, they should lead to similar results.
1. The asset-based approach
The asset-based approach focuses on identifying information security risks by analyzing the assets that need protection. This method involves the following steps:
- Identify information assets: recognizing and cataloging assets such as hardware, software, data, and personnel.
- Determine asset importance: distinguishing primary assets (those of key value to the organization) from the supporting assets on which they depend.
- Identify threats and vulnerabilities: determining the threats that could exploit weaknesses in each asset, and identifying those weaknesses.
- Evaluate potential consequences: estimating the impact of asset compromise on the organization.
Example of the application of the asset-based approach for risk identification
Scenario - Protecting a customer database
- Asset: customer database containing sensitive personal and financial data.
- Threats: cyber-attacks, unauthorized access, malware infections.
- Vulnerabilities: weak password policies, unpatched software, lack of encryption.
- Potential impact: a data breach leading to financial loss, regulatory fines (GDPR), and reputational damage.
In this approach, risk treatment could involve strengthening authentication mechanisms, applying patches, and implementing encryption to reduce the identified vulnerabilities.
2. The event-based approach
The event-based approach, according to ISO/IEC 27005, identifies risks by considering realistic attack or failure scenarios. This method involves:
- Considering possible events (scenarios): identifying the situations that could lead to a security incident.
- Analyzing attack vectors: understanding how an attacker or a failure could exploit weaknesses, including the attacker's possible motivations.
- Assessing impact: evaluating the consequences of each possible event if it were to materialize.
- Considering likelihood: estimating the probability of a scenario becoming reality, based on threat intelligence and past incidents.
Application of the event-based approach to a real-world scenario
Scenario - Ransomware attack on a corporate network
- Scenario: an employee unknowingly clicks on a malicious email attachment, triggering ransomware that encrypts critical files.
- Attack vector: phishing email with a malicious attachment.
- Impacted assets: corporate file servers, employee workstations, business-critical data.
- Potential consequences: operational downtime, loss of business data, ransom demand, regulatory penalties.
- Risk mitigation strategies:
  - Employee security awareness training.
  - Implementing email filtering and sandboxing.
  - Maintaining regular and secure backups.
  - Deploying endpoint detection and response (EDR) solutions.
Choosing the right approach
While both approaches are effective, they serve different purposes:
- The asset-based approach is best suited for structured environments where assets and their values are well-defined, such as financial institutions or government agencies.
- The event-based approach is more flexible and useful in dynamic environments, such as technology startups or cloud-based businesses.
Conclusion
ISO/IEC 27005 is a guidance standard, and its recommendations for risk identification are not mandatory. An organization implementing an information security management system (ISMS) may use a different approach to identify information security risks. However, the approaches recommended by ISO/IEC 27005 are a sound choice for any organization, regardless of its sector or its approach to protecting information assets.
If you are interested in understanding the guidelines for information security risk management proposed by ISO/IEC 27005:2022, you can take our online course available here.
For individuals looking to confirm their competence as ISMS auditors or practitioners, our online certification services can be an effective solution.