APPENDIX I – DEFINITIONS, STANDARDS AND GLOSSARY OF TERMS

It is very helpful in any context, but especially in information risk management, that we have a common understanding of the terminology used. For example, people often refer to risk when they actually mean threat without perhaps realising that there is a distinct difference.

In this section, we provide definitions of all the key terms used in information risk management, most of which originate in ISO Guide 73:2009 – Risk Management – Vocabulary.

We shall then move on to cover the main national and international standards and good practice guidelines used in the management of information risk, and also identify where the reader can obtain them.

Risk management can be significantly more effective with clear and concise definitions:

You can’t effectively and consistently manage what you can’t measure, and you can’t measure what you haven’t defined.

The Open Group Standard, 2013

Let us begin though, by taking a very high-level view of the information risk management concepts and the relationships between them.

The diagram in Figure I.1 illustrates the interrelationships between seven key areas of information risk management. We will expand on the individual concepts in due course, but for now it is worthwhile keeping this picture in mind as we work through the remaining chapters of this book.

Figure I.1 Concepts and relationships


DEFINITIONS AND GLOSSARY OF TERMS

Access control: ‘the means to ensure that access to assets is authorised and restricted on business and security requirements’ (ISO/IEC 27000:2018).

Asset: ‘any item that has value to the organisation’ (ISO/IEC 27000:2012 – oddly omitted from the more recent versions). Assets can be tangible, such as buildings, systems, people or information, or intangible, such as brand or reputation. IP is also an asset and results from the expression of an idea. IP might be a patent, trademark, copyright, design right, registered design, technical or commercial information. Bizarrely, although IP can be owned, bought and sold, information per se is not considered ‘property’ in the strictest sense of UK law!

Attack: ‘attempt to destroy, expose, alter, disable, steal or gain unauthorised access or to make unauthorised use of an asset’ (ISO/IEC 27000:2018). An attack can be a simple event, such as an attempt to break into a computer system, or a more complex event such as a DDoS attack in which multiple systems mount an attack on an information asset. Attacks differ slightly from threats and hazards in that attacks are something that actually happen, whereas threats and hazards only have the potential to cause harm. An attacker is therefore someone who deliberately sets out to cause harm. See also Exploit.

Attribute: ‘the property or characteristic of an object that can be distinguished quantitatively or qualitatively by human or automated means’ (ISO/IEC 27000:2018).

Audit: ‘the systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled’ (ISO/IEC 27000:2018).

Authentication: ‘the provision of assurance that a claimed characteristic of an entity is correct’ (ISO/IEC 27000:2018).

Availability: ‘property of being accessible and usable upon demand by an authorised entity’ (ISO/IEC 27000:2018).

Business continuity (BC): ‘the capability of the organisation to continue delivery of products and services at acceptable predefined levels following a disruptive incident’ (ISO 22300:2018).

Business impact analysis (BIA): ‘the process of analysing activities and the effect that a business disruption can have upon them’ (ISO 22300:2018).

Communication and consultation: ‘the continual and iterative processes that an organisation conducts to provide, share or obtain information, and to engage in dialogue with stakeholders regarding the management of risk’ (ISO Guide 73:2009). Such dialogue will be with internal stakeholders, such as senior managers and staff involved in managing information, and also external stakeholders such as outsourcing organisations.

Communication and consultation must happen continuously throughout the life cycle (and beyond) of an information risk management project or programme of work, and must never be viewed as a one-off exercise. It should also be remembered that communication and consultation is a two-way process.

Confidentiality: ‘the property that information is not made available or disclosed to unauthorised individuals, entities or processes’ (ISO/IEC 27000:2018).

Consequence or impact: ‘an outcome of an event affecting objectives’ (ISO Guide 73:2009). The two terms are both widely used and are completely interchangeable. Consequences and impacts may be direct, for example the loss of a building due to a fire, or indirect, such as the fine imposed for a breach of the Data Protection Act.

Also, there are primary impacts, such as the loss of revenue when a system fails, and secondary impacts, such as the overtime payments to staff for working extra hours to repair or replace such a system.

As shown in this book, consequences and impact may be described in a qualitative or a quantitative manner. Qualitative descriptions are generally in the form of ‘trivial’, ‘minor’, ‘major’, ‘severe’ or ‘critical’, but unless they are based on some form of numerical value, do not really provide an insightful assessment of the grim reality.

Quantitative descriptions are much easier to understand and provide a firm basis for comparison and assessment, but are generally much harder to predict with any accuracy unless very detailed analysis is carried out, which can be time consuming.

In practice, the best balance can usually be obtained by providing a quantitative rating for a qualitative term; for example, between £1 million and £10 million represents ‘severe’, which allows a greater degree of subjectivity while anchoring the assessment in numeric terms. This is sometimes referred to as a semi-quantitative measure.

Context establishment: ‘defining the external and internal parameters to be taken into account when managing risk, and setting the scope and risk criteria for the risk management policy’ (ISO Guide 73:2009). This will be discussed in greater detail in Chapter 3.

Control: ‘a measure that is modifying risk’ (ISO Guide 73:2009). Controls can be strategic, tactical or operational. Strategic controls are very high level, such as risk avoidance, transfer, reduction and acceptance; tactical controls determine a general course of action, such as detective, preventative, corrective and directive; and operational controls determine the actual treatment, such as technical or logical, procedural or people, and physical or environmental. However, controls may also be used to monitor processes, ensuring predictability without actually modifying them.

Control objective: ‘a statement describing what is to be achieved as a result of implementing controls’ (ISO/IEC 27000:2018).

Cybersecurity: Refers specifically to information security as applied to computers, tablet computers, smartphones, computer networks (both public and private) and the wider internet. In this respect it is slightly different from the wider area of information security, which includes non-electronic information as well. Cybersecurity is sometimes also referred to as computer security or IT security.

Data: A collection of values assigned to base measures, derived measures and/or indicators.

Disaster recovery (DR): A coordinated activity to enable the recovery of ICT systems and networks due to a disruption.

Disruption: This term is generally applied to events or incidents that interfere with normal business operations and have a detrimental impact on information or information processing.

Effectiveness: ‘the extent to which planned activities are realised and planned results achieved’ (ISO/IEC 27000:2018).

Estimation: It is almost impossible to predict either the impact or the likelihood of a threat arising with any degree of accuracy or certainty, so almost all risk assessments are carried out on the basis of estimation. Estimates can be refined and improved over time, and with the hindsight of real events they may even become quite accurate, but initially they will always be little more than an educated guess.

Event: ‘the occurrence or change of a particular set of circumstances’ (ISO Guide 73:2009). Sometimes these are referred to as incidents and, while there are similarities, there needs to be a differentiation between the various types of change of circumstances.

In terms of information risk, ‘events’ can vary considerably in scale and severity from so-called ‘glitches’, lasting perhaps a fraction of a second, through to major incidents that can affect the organisation for weeks or months. In order to place events in a clearer descriptive context, examples are provided in Chapter 4.

Exploit: An exploit is a particular form of attack, in which a tried and tested method of causing impact is followed with some rigour. Exploits are similar in nature to processes, but whereas processes are generally benign, exploits are almost always harmful.

Exposure: ‘the extent to which an organisation and/or stakeholder is subject to an event’ (ISO Guide 73:2009).

External context: ‘the external environment in which the organisation seeks to achieve its objectives’ (ISO Guide 73:2009). Again, as the name suggests, the external context takes in factors outside the bounds of the organisation. This will be discussed in greater detail in Chapter 3.

Frequency: ‘the number of events or outcomes per defined unit of time. Frequency can be applied to past events or to potential future events, where it can be used as a measure of likelihood or probability’ (ISO Guide 73:2009). Most real-world events are not precisely regular in occurrence, the tides and phases of the moon being obvious exceptions, and so any statements of frequency are only really estimates and cannot be relied upon for accuracy.

Hazard: ‘a source of potential harm’ (ISO Guide 73:2009). Hazards are generally seen as natural (as opposed to man-made) events, such as flooding, hurricanes or ice storms. See also Threats.

Horizon scanning: A procedure that involves the systematic observation and monitoring of various key drivers of change at the margins of current thinking and planning.

Impact: ‘an outcome of an event affecting objectives’ (ISO Guide 73:2009).

Information: An organised and formatted collection of data.

Information assurance: The process of ensuring that data are not lost when critical events or incidents occur. It is generally associated with computer, cyber or IT security rather than the somewhat wider meaning of ‘information security’.

Information security: The practice of protecting information from unauthorised access, use, disclosure, disruption, modification or destruction. Information security encompasses both physical and electronic information.

Information security event: ‘an identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation that may be security relevant’ (ISO/IEC 27000:2018).

Information security incident: ‘indicated by a single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security’ (ISO/IEC 27000:2018).

Inherent risk: The risk that an activity would pose if no controls or other mitigating factors were in place (the gross risk or risk before controls).

Integrity: ‘property of protecting the accuracy and completeness of assets’ (ISO/IEC 27000:2018).

Internal context: ‘the internal environment in which the organisation seeks to achieve its objectives’ (ISO Guide 73:2009). As the name suggests, the internal context is that which exists within the organisation itself. This will be discussed in greater detail in Chapter 3.

Level of risk: ‘the magnitude of a risk expressed in terms of the combination of consequences and their likelihood’ (ISO/IEC 27000:2018).

Likelihood: ‘the chance of something happening’ (ISO Guide 73:2009). The terms likelihood and probability are often used interchangeably, but likelihood is a rather general or qualitative term denoting a degree of uncertainty, whereas the quantitative term ‘probability’ has a more statistical underpinning. The term ‘possibility’ is generally not used, since many things are possible, and the term gives no indication whether or not the event is actually likely to take place.

Monitoring: ‘determining the status of a system, a process or an activity’ (ISO 22300:2018).

Non-repudiation: ‘the ability to prove the occurrence of a claimed event or action and its originating entities, in order to resolve disputes about the occurrence or non-occurrence of the event or action and involvement of entities in the event’ (ISO/IEC 27000:2018).

Objective: ‘a result to be achieved’ (ISO/IEC 27000:2018).

Organisation: ‘a person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives’ (ISO/IEC 27000:2018).

Outsource: ‘make an arrangement where an external organisation performs part of an organisation’s function or process’ (ISO/IEC 27000:2018).

Policy: ‘the intentions of an organisation as formally expressed by its top management’ (ISO/IEC 27000:2018).

Probability: ‘the measure of the chance of occurrence expressed as a number between zero and one, where zero is impossibility and one is absolute certainty’ (ISO Guide 73:2009). Probability is often expressed as a percentage, and being a quantitative term, is able to express the chance of something happening with a greater degree of accuracy. See also Likelihood.

Processes and procedures: Many organisations do not think of processes as being information assets, but as they are documented in some way and often refer to the use or production of information, they can be considered as intangible assets. Processes detail how to go about achieving a goal or objective. Procedures, which are a subset of processes, explain how to conduct the individual steps within processes, and therefore take on the same status as intangible assets.

Qualitative risk assessments: These are subjective in nature, and are generally expressed in verbal terms such as ‘high’, ‘medium’ and ‘low’. While in common use, this is not always an ideal state of affairs, as it may render risk assessments unreliable. This is discussed in greater detail in Chapter 4.

Quantitative risk assessment: These are objective in nature and are generally expressed in numerical terms, such as financial values, percentages and so on. While these provide a more accurate measurement of risk, they are usually more time consuming to undertake. They are discussed in greater detail in Chapter 4.

Requirement: ‘the need or expectation that is stated, generally implied or obligatory’ (ISO/IEC 27000:2018).

Residual risk: ‘the risk remaining after risk treatment’ (ISO Guide 73:2009). Once all other risk treatment options have been explored, it is often the case that some (usually small) risk remains. It is normal to accept or tolerate this, since further treatment might either have no effect, or might be prohibitively expensive. Because residual risks are often very small, they are occasionally (incorrectly) overlooked.

Resilience: ‘the adaptive capacity of an organisation in a complex and changing environment’ (ISO Guide 73:2009). Although this definition refers to organisations rather than to information assets, the definition holds true, in that where an information asset is properly protected, it is able to resist certain threats. However, to make an information asset fully resilient may be a very complex task and require several different methods of protection.

Review: ‘an activity undertaken to determine the suitability, adequacy and effectiveness of the subject matter to achieve established objectives’ (ISO/IEC 27000:2018).

Risk: ‘the effect of uncertainty on objectives’ (ISO Guide 73:2009). Risk is the product of consequence or impact and likelihood or probability, and is not the same as a threat or hazard. In the context of information risk management, risk is usually taken to have negative connotations. In the wider context of risk however, it may also be seen in a positive light and may be referred to as ‘opportunity’.

Risk acceptance or risk tolerance: ‘the informed decision to take a particular risk’ (ISO Guide 73:2009). Risk acceptance or tolerance is the final choice in risk treatment once all other possible avenues have been explored. This is not the same as ignoring risks – something that should never be done!

Risk aggregation: ‘the combination of a number of risks into one risk to develop a more complete understanding of the overall risk’ (ISO Guide 73:2009). Where a number of risks exist in a certain area, it may be possible to treat them all with one or more controls rather than treating them individually. Therefore, for the purposes of risk management, they can be grouped together or aggregated in order to save time and effort.

Risk analysis: ‘the process to comprehend the nature of risk and to determine the level of risk’ (ISO Guide 73:2009). This is the part where we combine the impact and the likelihood (or probability) to calculate the level of risk and to plot it onto a risk matrix, which allows us to compare risks for their severity and to decide which are in greatest need of treatment.

Risk appetite: ‘the amount and type of risk that an organisation is willing to pursue or retain’ (ISO Guide 73:2009). Organisations will have differing levels of risk appetite for different types of information; and different types of organisation will have vastly differing levels of risk appetite, depending on their sector.

Risk assessment: ‘the overall process of risk identification, risk analysis and risk evaluation’ (ISO Guide 73:2009). It includes identification of the information assets and their owners; impact assessment; threat and vulnerability identification; likelihood assessment; risk analysis; production of the risk matrix; and finally risk evaluation.

Risk avoidance or risk termination: ‘an informed decision not to be involved in, or to withdraw from, an activity in order not to be exposed to a particular risk’ (ISO Guide 73:2009). This is one of the four strategic options for risk treatment. Avoiding the risk should normally remove the risk completely, but may leave the organisation with other challenges.

Risk criteria: ‘the terms of reference against which the significance of a risk is evaluated’ (ISO Guide 73:2009). Risk criteria will include such things as impact, likelihood, proximity and risk appetite.

Risk evaluation: ‘the process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable’ (ISO Guide 73:2009). This is the final stage in the risk assessment process, in which all risks plotted onto the risk matrix are evaluated against a set of criteria in order to decide which should receive the highest priority for treatment.

Risk identification: ‘the process of finding, recognising and describing risks’ (ISO Guide 73:2009). Risk identification includes the identification of risk sources, events, their causes and the possible consequences to the information assets.

Risk management: ‘coordinated activities to direct and control an organisation with regard to risk’ (ISO Guide 73). Risk management is the identification, assessment and prioritisation of risks followed by coordinated and economical application of resources to minimise, monitor and control the probability and/or impact of unfortunate events or to maximise the realisation of opportunities.

Risk matrix: A graphical representation of impact versus likelihood used to assist in the prioritisation of risks.

Risk modification or risk reduction: The process of treating risk by the use of controls to reduce either the consequence/impact or the likelihood/probability. Sometimes the term ‘risk treatment’ is used in this context, but risk treatment is really a generic term for all four kinds of strategic control. Strangely, ISO Guide 73 does not attempt to define risk modification or reduction, although it does refer to it under the definition of ‘control’.

Risk monitoring: ‘the continual checking, supervising, critically observing or determining the status in order to identify change from the performance level required or expected’ (ISO Guide 73:2009). This is an ongoing process to ensure that risks that change over time – whether for the better or the worse – are reviewed and that appropriate action is taken.

Risk owner: ‘a person or entity with the accountability and authority to manage a risk’ (ISO Guide 73:2009).

Risk proximity: How far away in time will the risk occur (if it materialises). It can also mean when the risk will occur. While there does not appear to be a standards definition for risk proximity, it remains a vital element of the risk assessment process, since those risks that could manifest themselves sooner will probably require attention before those that are further away in time. Risk proximity is one of the criteria against which risks are evaluated.

Risk reduction: The process of treating risk by the use of controls to reduce either the consequence/impact or the likelihood/probability.

Risk register: ‘a record of information about identified risks’ (ISO Guide 73:2009). Simple risk registers are often maintained as a spreadsheet, while more complex registers may use a proprietary software package, capable not only of recording the information but also of carrying out some analysis or evaluation.
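As an added example that is not part of the book, the following Python puts several of the terms above to work over a small risk register: the semi-quantitative consequence bands described under ‘Consequence or impact’, the combination of consequence and likelihood into a ‘Level of risk’, inherent and residual risk, the risk matrix, and risk evaluation against risk criteria (risk appetite and risk proximity). Only the £1 million to £10 million ‘severe’ band comes from the text; every other band, the appetite threshold, the proximity horizon and the register entries are assumptions made for illustration.

```python
"""Semi-quantitative risk analysis, risk matrix and evaluation over a risk register.
Added example, not from the book: only the 'severe' band (GBP 1m to 10m) comes from
the text; all other bands, the appetite threshold and the register entries are assumed."""
from dataclasses import dataclass
from typing import Optional

# Consequence bands: a qualitative term anchored to a monetary range (semi-quantitative).
CONSEQUENCE_BANDS = [
    ("trivial", 0, 10_000),
    ("minor", 10_000, 100_000),
    ("major", 100_000, 1_000_000),
    ("severe", 1_000_000, 10_000_000),  # the range quoted in the text
    ("critical", 10_000_000, float("inf")),
]
# Likelihood bands: a qualitative term anchored to an annual probability range (assumed).
LIKELIHOOD_BANDS = [
    ("rare", 0.0, 0.05),
    ("unlikely", 0.05, 0.2),
    ("possible", 0.2, 0.5),
    ("likely", 0.5, 0.8),
    ("almost certain", 0.8, 1.0),
]

def band_for(value, bands):
    """Map a quantitative estimate to (rank, term); the top band is closed at its upper limit."""
    for rank, (term, lo, hi) in enumerate(bands, start=1):
        if lo <= value < hi or (rank == len(bands) and value == hi):
            return rank, term
    raise ValueError(f"{value} lies outside the defined bands")

@dataclass
class Risk:
    ref: str
    asset: str
    description: str
    impact_gbp: float            # estimated consequence if the event occurs
    probability: float           # estimated annual probability, 0..1
    proximity_days: int          # risk proximity: how soon the event could occur
    treatment: str = "none"
    treated_impact_gbp: Optional[float] = None   # set when treatment reduces the impact
    treated_probability: Optional[float] = None  # set when treatment reduces the likelihood

def level_of_risk(impact_gbp, probability):
    """Risk analysis: combine consequence and likelihood ranks into a matrix cell and score."""
    i_rank, i_term = band_for(impact_gbp, CONSEQUENCE_BANDS)
    l_rank, l_term = band_for(probability, LIKELIHOOD_BANDS)
    return {"impact": i_term, "likelihood": l_term,
            "cell": (i_rank, l_rank), "score": i_rank * l_rank}

def inherent_level(risk):
    """Gross risk: the level before any controls are applied."""
    return level_of_risk(risk.impact_gbp, risk.probability)

def residual_level(risk):
    """Risk remaining after treatment; identical to the inherent level when untreated."""
    impact = risk.impact_gbp if risk.treated_impact_gbp is None else risk.treated_impact_gbp
    prob = risk.probability if risk.treated_probability is None else risk.treated_probability
    return level_of_risk(impact, prob)

def risk_matrix(register, use_residual=True):
    """Plot risks onto the impact-versus-likelihood grid keyed by (impact rank, likelihood rank)."""
    grid = {}
    for r in register:
        lvl = residual_level(r) if use_residual else inherent_level(r)
        grid.setdefault(lvl["cell"], []).append(r.ref)
    return grid

def evaluate(register, appetite_score, proximity_days):
    """Risk evaluation: test residual levels against the risk criteria and order by priority."""
    rows = []
    for r in register:
        lvl = residual_level(r)
        rows.append({"ref": r.ref, "score": lvl["score"],
                     "exceeds_appetite": lvl["score"] > appetite_score,
                     "imminent": r.proximity_days <= proximity_days})
    # Above appetite first, then soonest to materialise, then highest score, then reference.
    rows.sort(key=lambda x: (not x["exceeds_appetite"], not x["imminent"], -x["score"], x["ref"]))
    return rows

REGISTER = [  # constructed entries for illustration
    Risk("R1", "Server room", "Flooding from a nearby river (hazard)", 2_000_000, 0.02, 365),
    Risk("R2", "Customer database", "Disclosure via out-of-date software (threat)", 3_000_000, 0.3, 30,
         treatment="reduction: patching regime", treated_probability=0.04),
    Risk("R3", "Payroll spreadsheet", "Corruption through user error (accidental threat)", 40_000, 0.6, 14),
    Risk("R4", "Public web service", "Reputational loss after a prolonged outage", 500_000, 0.1, 180,
         treatment="sharing: insurance", treated_impact_gbp=50_000),
]
RISK_APPETITE_SCORE = 6       # assumed: matrix scores of 6 or below are within appetite
PROXIMITY_HORIZON_DAYS = 90   # assumed: events possible within 90 days count as imminent
```

Calling `evaluate(REGISTER, RISK_APPETITE_SCORE, PROXIMITY_HORIZON_DAYS)` places R3 first (its residual score of 8 exceeds the appetite), then R2 (within appetite after patching but imminent), then R1 and R4.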

Risk reporting: ‘a form of communication intended to inform particular internal or external stakeholders by providing information regarding the current state of risk and its management’ (ISO Guide 73:2009).

Risk review: ‘the activity undertaken to determine the suitability, adequacy and effectiveness of the subject matter to achieve established objectives’ (ISO Guide 73:2009). Risk reviews capture not only risks and their treatments, but also the whole process by which risk management is undertaken, the status of information assets and the organisation’s risk appetite.

Risk termination: ‘an informed decision not to be involved in, or to withdraw from, an activity in order not to be exposed to a particular risk’ (ISO Guide 73:2009).

Risk tolerance: ‘an organisation or stakeholder’s readiness to bear the risk after risk treatment in order to achieve its objectives’ (ISO Guide 73:2009). Risk tolerance is sometimes also viewed as being the same as risk acceptance. The difference is that risk acceptance takes place when no other form of risk treatment is suitable, whereas risk tolerance takes place after other forms of risk treatment have taken place, and there is some residual risk.

Risk transference or risk sharing: ‘a form of risk treatment involving the agreed distribution of risk with other parties’ (ISO Guide 73:2009). One of the risk treatment options is to transfer the risk to or to share it with a third party. Transferring or sharing the risk, however, does not change ownership of the risk, which remains with the organisation itself regardless of who else shares the risk.

Risk treatment: ‘the process to modify risk’ (ISO Guide 73:2009). While this may be technically correct, treatment may alternatively involve risk transference or sharing; risk avoidance or termination, or risk modification or reduction, which are all methods of treating risk.

Scale: ‘an ordered set of values, continuous or discrete, or a set of categories to which the attribute is mapped’ (ISO/IEC 27000:2014).

Stakeholder: ‘a person or organisation that can affect, be affected by, or perceive themselves to be affected by a decision or activity’ (ISO Guide 73:2009). Stakeholders may be people within or outside the organisation, including customers, suppliers or governments.

Threat: ‘potential cause of an unwanted incident, which can result in harm to a system or organisation’ (ISO/IEC 27000:2018). ISO Guide 73:2009 defines ‘hazards’, but does not refer to threats. While hazards are generally viewed as natural events, threats are usually man-made, whether accidental or deliberate.

Threat sources and threat actors: A threat source is a person or organisation that wishes to benefit from attacking an information asset. A threat actor is a person or organisation that actually mounts the attack. Threat sources often coerce threat actors to attack information assets on their behalf.

Uncertainty: This is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence or likelihood. While not an actual term defined in ISO Guide 73:2009, uncertainty is explained in a note below the definition of risk. Uncertainty goes hand in hand with estimation, meaning that many of our assessments will be subject to a greater or lesser degree of uncertainty. In some cases, uncertainty increases as a possible event’s proximity decreases.

Validation: ‘confirmation, through the provision of objective evidence, that the requirements for a specific intended use or application have been fulfilled’ (ISO/IEC 27000:2014).

Vulnerability: ‘the intrinsic properties of something resulting in susceptibility to a risk source that can lead to an event with a consequence’ (ISO Guide 73:2009). Vulnerabilities or weaknesses in or surrounding an asset leave it open to attack from a threat or hazard. Vulnerabilities come in two flavours: intrinsic vulnerabilities, which are something inherent in the very nature of an information asset, such as the ease of erasing information from magnetic media (whether accidental or deliberate); and extrinsic vulnerabilities, which arise from protections that are poorly applied, such as software that is out of date due to a lack of patching.

INFORMATION RISK MANAGEMENT STANDARDS

There are a number of useful standards and guidelines available to risk management practitioners. Unfortunately, the BSI and ISO standards can only be purchased, although members of BSI enjoy a discount on many standards. The National Institute of Standards and Technology (NIST) and Committee on National Security Systems (CNSS) standards are free to download.

The lists below include only the most relevant standards. For a fuller list of all related standards, please see Appendix H.

British Standards Institution (BSI)

https://bsol.bsigroup.com

BS 7799-3:2017 – Information security management systems – Guidelines for information security risk management

BS 31100:2011 – Risk management – Code of practice and guidance for the implementation of BS ISO 31000:2018

International Organization for Standardization (ISO)

www.iso.org/iso/home/standards.htm

ISO Guide 73:2009 – Risk management – Vocabulary

ISO/IEC TR 13335-3:1998 – Information technology – Guidelines for the management of IT security – Part 3: Techniques for the management of IT security

ISO/IEC 27000:2020 – Information technology – Security techniques – Information security management systems – Overview and vocabulary

ISO/IEC 27001:2017 – Information technology – Security techniques – Information security management systems – Requirements

ISO/IEC 27002:2017 – Information technology – Security techniques – Code of practice for information security management

ISO/IEC 27005:2018 – Information technology – Security techniques – Information security risk management

ISO 31000:2018 – Risk management – Principles and guidelines

IEC 31010:2019 – Risk management – Risk assessment techniques

US National Institute of Standards and Technology

https://csrc.nist.gov/publications/PubsSPs.html

NIST SP 800-30 Revision 1, September 2012 – Guide for Conducting Risk Assessments

NIST SP 800-53 Revision 5 – Recommended Security Controls for Federal Information Systems and Organizations (2020)

UK Institute of Risk Management

www.theirm.org/

The Risk Management Standard (2002)

Information Security Forum (ISF)

www.securityforum.org

The Standard of Good Practice for Information Security (2020)

Permission to reproduce extracts from ISO/IEC 27000:2018, ISO 22300:2021, and ISO Guide 73:2009 has been granted by BSI. ISO standards can be obtained in PDF or hard copy formats from the BSI online shop: www.bsigroup.com/Shop or by contacting BSI Customer Services for hardcopies only: Tel: +44 (0) 20 8996 9001, Email: [email protected].
