Walid Al-Ahmad, Bassil Mohammed, Vol. 2, No. 2

Addressing Information Security Risks by Adopting Standards
Walid Al-Ahmad*‡, Bassil Mohammad**
*Computer Science Department, Faculty of Arts and Science, Gulf University for Science & Technology, Kuwait
**Ernst & Young, Amman, Jordan

P.O. Box 7207 Hawally, 32093 Kuwait, Tel: +965 25307321, Fax: +965 25307030, e-mail:
Abstract- Modern society depends on information technology in nearly every facet of human activity including finance,
transportation, education, government, and defense. Organizations are exposed to various and increasing kinds of risks,
including information technology risks. Several standards, best practices, and frameworks have been created to help
organizations manage these risks. The purpose of this research work is to highlight the challenges facing enterprises in their
efforts to properly manage information security risks when adopting international standards and frameworks. To assist in
selecting the best framework to use in risk management, the article presents an overview of the most popular and widely used
standards and identifies selection criteria. It suggests an approach to proper implementation as well. A set of recommendations
is put forward with further research opportunities on the subject.
Keywords- Information security; risk management; security frameworks; security standards; security management.
1. Introduction
The use of technology increasingly covers
most aspects of our daily life. Businesses which
are heavily dependent on this technology use
information systems that were designed and
implemented with a focus on functionality, cost
reduction and ease of use. Information security
was not incorporated early enough into these
systems and only recently has it started to get the
attention it warrants. Accordingly, there is a need to
identify and manage these hidden weaknesses,
referred to as system vulnerabilities, and to limit
their damaging impact on the information systems.
Vulnerabilities are exploited by attacks which are
becoming more targeted and sophisticated.
Attacking techniques and methods are virtually
countless and are evolving rapidly [1, 2].
In any enterprise, information security risks
must be identified, evaluated, analyzed, treated and
properly reported. Businesses that fail to
identify the risks associated with the
technology they use, the people they employ, or
the environment in which they operate usually
subject their business to unforeseen consequences
that might result in severe damage to the business
[3]. Therefore, it is critical to establish reliable
information security risk assessment and treatment
frameworks to guide organizations through the risk
management process.
Because risks cannot be completely eliminated,
they need to be reduced to acceptable levels.
Acceptable risks are risks that the business decides
to live with, given that proper assessment for these
risks has been performed and the cost of treating
these risks outweighs the benefits.
To this effect, enterprises spend considerable
resources in building proper information security
risk management programs that would eventually
address the risks they are exposed to. These
programs need to be established on solid
foundations, which is the reason why enterprises
look for standards and frameworks that are widely
accepted and common across enterprises [4].
However, the fact that several standards and
frameworks exist makes it challenging for
enterprises to select which one to adopt, and the
question "which is the best?" warrants further
investigation. The main objective of this paper is
to provide an answer to this question, thereby
assisting enterprises in developing a proper
understanding of the issue and establishing
successful information security risk management
programs. This paper provides an analysis of some
existing standards and frameworks for information
security risks and consolidates various aspects of
the topic. It also presents the challenges that
frustrate information security risk management
efforts along with how leading market standards
and practices can be used to address information
security risks, with insights on their strengths and
weaknesses.
Please note that the scope of this paper is
limited to the following frameworks: ISO 27001,
ISO 27002, ISO 27005, ITIL, COBIT, Risk IT,
Basel II, PCI DSS, and OCTAVE. These are the
most commonly used frameworks in the market
[5]. Other frameworks and methodologies like
RMF (by NIST) and M_o_R (by the UK OGC) can be
considered in future work. It is also important to
mention that this paper is not intended to promote
a specific standard or framework; rather it treats
them equally. Conclusions drawn as a result of this
work are based on our detailed analyses, research,
literature review, and observations from our work
experience and engagements with clients from
various sectors in the field of information security.
The remainder of this paper is organized as
follows: section 2 highlights some related work;
section 3 details some challenges that disturb
information security risk assessments; section 4
provides an overview of the major drivers for
standards adoption; section 5 provides detailed
analyses and exploration for the standards and
frameworks in scope; section 6 discusses the
strengths and weaknesses of these standards and
frameworks when used as a means to address
information security risks; section 7 captures the
selection considerations to use; section 8 provides
some recommendations along with the proposed
approach; section 9 presents a case study to
illustrate the benefits of the proposed selection
method; finally, section 10 puts forward some
conclusions and future research opportunities in
relation to our work.
2. Related Work
The literature on information security risk
management based on international standards is
scarce. The literature lacks studies that guide
organizations in selecting the standard that fits
their needs. Some research works attempt to
analyze existing information security risk
management standards, mainly ISO 27001 [6].
However, these research works focus mainly on
listing advantages and disadvantages of these
standards and how to implement and manage
them. No comprehensive studies have been done to
holistically compare various frameworks, with the
objective of providing selection criteria for the best
standard or proposing a better assessment
approach. Some papers dealt with frameworks
such as COBIT, ITIL, and ISO 17799, as means to
manage compliance requirements [7]. Ref. [8]
proposes a framework which considers global,
national, organizational, and employee standards
to guide information security management. Ref.
[9] presents a framework for the conceptualization,
interconnection and categorization of information
security standards to raise awareness among
organizations about the available standards
(mainly the ISO series).
As well as exploring existing frameworks used
in IT risk management this paper presents the
challenges facing organizations to successfully
implement information security risk assessments
and the drivers for standards adoption. The main
and novel contribution of our research work is the
proposal of a practical approach to selecting an
appropriate framework to address information
security risks.
3. Challenges to Information Security Risk Assessments
Some of the common challenges to information
security risk assessments are discussed briefly in
this section. In fact, these challenges represent
critical failure factors for an information risk
management program.
1) Absence of senior management commitment &
support: Management’s buy-in and support is a
critical driver for the success of any IT project,
including information security risk assessments.
Absence of management commitment will
result in wasting valuable resources and efforts,
producing weak evaluations, and most
importantly, will lead to ignoring the
assessment findings [10].
2) Absence of appropriate policies for information
security risk management: It is crucial to have
information security policies in place to reflect
the enterprise objectives and management
directions. Although some policies might be
created, information security risk management
policies tend to be dropped or forgotten. In a
research conducted by GAO, the US
Government Accountability Office, three out of
four detailed case studies showed that despite
the fact that firms used to have some form of
information security risk assessment approaches
practiced for several years, the risk management
and assessment policies and processes were not
documented until recently [11]. The absence of
this critical steering document will lead to
unstructured risk assessment approaches and
will openly allow unmanaged evaluations.
3) Disintegrated GRC efforts: The increasingly
popular term GRC refers to three critical areas:
Governance, Risk management, and Compliance.
According to COBIT 4.1, IT
Governance is defined as “the responsibility of
executives and the board of directors, and
consists of the leadership, organizational
structures and processes that ensure that the
enterprise’s IT sustains and extends the
organization’s strategies and objectives” [12].
Risk management is a process through which
management identifies, analyses, evaluates,
treats, communicates, and monitors risks that
might adversely affect realization of the
organization’s business objectives. Compliance
is about making sure that external laws,
regulations, mandates and internal policies are
being complied with at a level consistent with
corporate morality and risk tolerance.
Governance, risk, and compliance should
always be viewed as a continuum of interrelated
functions, best approached in a comprehensive,
integrated manner. The disintegration results in
increased failure rates, waste of resources, and
increased overall assurance cost.
4) Improper management of assessments: Despite
the importance of security risk assessments, they
are mostly not managed as projects and are
merely considered part of normal IT operations.
Treating security risk assessments as routine IT
assignments excludes these assessments from
business review and consequently results in a
definite disconnect
between management and their enterprise
exclusion will also increase the possibilities of
executing over-budget assessments that will
only cause additional efforts and resources to be
5) Asset ownership is either undefined or
unpracticed: In ISO 27001, "the term 'owner'
identifies an individual or entity that has
approved management responsibility for
controlling the production, development,
maintenance, use and security of the assets"
[13]. This definition entails major responsibility
granted to the person who is assigned the
ownership which includes making sure that
proper controls are actually implemented in
order to protect the asset. Information security
standards, best practices and mandates like ISO,
COBIT, and ITIL require that information
assets are identified, inventoried, and ownership
is assigned. This is crucial for the success of
any information security assessment. Most
organizations fail to develop comprehensive
information assets inventories and accordingly
do not assign ownership [14].
6) Limitations of existing automated solutions:
Software solutions for information security risk
assessment are developed to aid in the
automation of this process and to make it more
efficient. In a detailed comparison conducted by
“Risk Assessment Accelerator”, seven common
solutions were compared with respect to more
than forty different areas [15]. Features like
ease of use, multi-language and client-server
architecture support were highlighted as
existing limitations in four up to five of these
solutions. Three out of the seven compared
solutions provide limited customization
capabilities for both built-in inventories (for
risks, vulnerabilities and threats) and the
generated dashboards. All these weaknesses and
limitations undermine enterprises' efforts to run
efficient and reliable information security risk
assessments and to document their requirements.
7) Existence of several IT risk assessment
frameworks: The existence of many information
security risk management and assessment
frameworks add to the ambiguity and challenge
of what is the best one to use. As a matter of
fact, analyses of existing risk assessment
frameworks show that there is no one-size-fits-all
solution to this issue, as it is hard to develop
a single precise document that will address the
needs of all enterprises given their variant
natures and requirements.
4. Drivers for Standards Adoption
In order to address their information security
risk management and assessment challenges,
enterprises adopt standards, frameworks or best
practices. Standards in general are meant to
provide uniformity that would ease the
understanding and management of the areas they
cover. Businesses find themselves in need to adopt
standards for various reasons which vary from
business requirements to regulatory and
compliance mandates. Establishment of proper
corporate governance, increasing risk awareness
and competing with other enterprises are some
business drivers to mention. Some firms pursue
certifications to meet market expectations and
improve their marketing image. A major business
driver for standards adoption is to fill gaps and
lack of experience in areas where firms are not
able to build or establish proprietary standards
based on their staff competencies [16].
Providing confidence to trading partners,
stakeholders, and customers; reducing liability due
to unimplemented or unenforced policies and
procedures; getting senior management ownership
and involvement; and establishing a mechanism for
measuring the success of the security controls are
some other key drivers for the adoption of
standards.
5. Leading Market Best Practices Standards
In this section, an overview is presented of a
number of the more important standards for
information security risk management. For detailed
information about these standards, the reader is
encouraged to consult the references provided for
them. The list of standards presented is by no
means complete; as mentioned before, only a subset
of the existing standards is treated in this paper.
ISO 27000 Set
ISO 27000 is a series of standards, published
jointly by ISO (the International Organization for
Standardization) and the IEC, focusing on
information security matters. For the purposes of
this work, ISO 27001, ISO 27002, and ISO 27005
will be explored to highlight their strengths and
weaknesses in relation to current demands for
effective and robust frameworks for information
security risk assessments.
ISO 27001: The ISO 27001 standard is the
specification for an Information Security
Management System (ISMS). The objective of the
standard is to specify the requirements for
establishing, implementing, operating, monitoring,
reviewing, maintaining, and improving an
Information Security Management System within
an organization [13]. It is designed to ensure the
selection of adequate and proportionate security
controls to protect information assets. It is seen as
a methodology dedicated to information security.
The standard introduces a cyclic model known
as the “Plan-Do-Check-Act” (PDCA) model that
aims to establish, implement, monitor and improve
the effectiveness of an organization’s ISMS. The
PDCA cycle has these four phases:
• Plan – establishing the ISMS
• Do – implementing and operating the ISMS
• Check – monitoring and reviewing the ISMS
• Act – maintaining and improving the ISMS
Organizations that adopt ISO 27001 in their
attempt to pursue an effective means for
operational information security risk management
overlook the fact that this standard was designed to
be used mainly as an ISMS framework, at the
management level rather than the operational level,
founding proper bases for information security
management. The ISO 27001 document does give
valuable details on information security risk
assessment, mainly in clauses 4.2.1 c) through h)
of the 2005 edition, which can be used as selection
criteria for a proper information security risk
assessment approach that builds upon the controls
list proposed by the standard (Annex A). Readers
mapping this analysis onto a current certification
should note that ISO/IEC 27001:2013 moved the
risk assessment and risk treatment requirements to
clauses 6.1.2 and 6.1.3 and no longer states the
PDCA model explicitly, although the same
establish, operate, review and improve cycle is
still expected.
ISO 27002: ISO 27002 is a code of practice
that provides suggested controls that an
organization can adopt to address information
security risks. It can be considered an
implementation roadmap or extension to ISO
27001. As stated in the standard document, the
code of practice is established to provide
“guidelines and general principles for initiating,
implementing, maintaining, and improving
information security management within an
organization” [17]. The controls listed in the
standard are intended to address the specific
requirements identified via a formal risk
assessment. The standard is also intended to
provide a guide for the development of
“organizational security standards and effective
security management practices, and to help build
confidence in inter-organizational activities” [18].
ISO 27002, as the Code of Practice, is best suited
to be used as guidance and a direct extension to
ISO 27001. Some enterprises use ISO 27002 as
the sole source of controls and as a means for
information security risk assessment; however, not
all controls are mandated, as firms' structures and
businesses vary. Control selection must be based
on a detailed and structured assessment to
determine which specific controls are appropriate
and which are not.
The 2005 edition of the standard contains
guidelines and best-practice recommendations for
these 11 security domains: Security Policy;
Organization of Information Security; Asset
Management; Human Resources Security; Physical
and Environmental Security; Communications and
Operations Management; Access Control;
Information Systems Acquisition, Development and
Maintenance; Information Security Incident
Management; Business Continuity Management;
and Compliance.
Across these 11 security domains, a total of 39
control objectives and 133 best-practice
information security controls are recommended for
organizations to satisfy the control objectives and
protect information assets against threats to
confidentiality, integrity and availability.
ISO 27005: The ISO 27005 standard was proposed
to fill the gaps existing in ISO 27001 and ISO
27002 in terms of information security risk
management. The standard builds on the core
that was introduced in ISO 27001 (clauses 4.2.1 c)
through h) of the 2005 edition) and elaborates by
identifying inputs, actions, implementation
guidance, and outputs for each of these
statements. However, during our research we
realized that the adoption of this standard as a
means for information security risk management is
minimal. This was evident in The Open Group's
efforts to support ISO 27005 adoption by releasing
a free detailed technical document, called the
ISO/IEC 27005 Cookbook, that uses ISO 27005
as a cornerstone for a complete risk management
met …
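The following is an added worked example, not code from the paper, from ISO or from The Open Group, of one pass through the cycle the paper describes: identify risks, analyse them, evaluate them against acceptance criteria, choose a treatment, and report (section 1), including the risk-acceptance rule that a risk is lived with when the cost of treating it exceeds the benefit, and the asset-ownership check from section 3. Everything in it is assumed for illustration: the quantitative ALE model (ALE = asset value × exposure factor × annual rate of occurrence), the sample assets, threats, controls, costs and the acceptance threshold; a real assessment would take these from the organization's own inventory and management criteria.

```python
"""Worked example (added; not from the paper): one ISO 27005-style
identify -> analyse -> evaluate -> treat -> report pass over a constructed
risk register. Assumptions of this example only: the ALE model, the sample
assets, controls, figures, and the acceptance threshold."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Asset:
    name: str
    owner: Optional[str]   # ISO 27001 expects an approved owner; None = not assigned
    value: float           # business value of the asset, in currency units


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    aro_factor: float      # residual ARO = ARO * aro_factor (0.25 -> 75% fewer incidents)
    ef_factor: float       # residual EF  = EF  * ef_factor  (0.4  -> 60% less loss per incident)


@dataclass
class Risk:
    asset: Asset
    threat: str
    vulnerability: str
    exposure_factor: float                  # fraction of asset value lost per incident, 0..1
    aro: float                              # expected incidents per year
    candidates: list = field(default_factory=list)   # Controls considered for treatment


def ale(asset_value: float, ef: float, aro: float) -> float:
    """Annualised loss expectancy: the analysis step, likelihood x impact in money terms."""
    return asset_value * ef * aro


def treat(risk: Risk, acceptance_threshold: float) -> dict:
    """Evaluate one risk against the acceptance criteria and pick a treatment.

    Decisions:
      'unassigned' - no asset owner, so nobody can approve a treatment (process gap)
      'accept'     - inherent ALE already within the acceptance threshold
      'mitigate'   - the control with the highest net benefit that brings residual
                     ALE within the threshold
      'escalate'   - no control is both effective and cheaper than the loss it avoids;
                     management must explicitly accept the risk or fund it regardless
    """
    inherent = ale(risk.asset.value, risk.exposure_factor, risk.aro)
    result = {"asset": risk.asset.name, "threat": risk.threat, "inherent_ale": inherent,
              "residual_ale": inherent, "control": None, "net_benefit": 0.0}
    if risk.asset.owner is None:
        result["decision"] = "unassigned"
        return result
    if inherent <= acceptance_threshold:
        result["decision"] = "accept"
        return result
    best = None
    for c in risk.candidates:
        residual = ale(risk.asset.value, risk.exposure_factor * c.ef_factor, risk.aro * c.aro_factor)
        net_benefit = inherent - residual - c.annual_cost   # loss avoided minus control cost
        if residual <= acceptance_threshold and net_benefit > 0:
            if best is None or net_benefit > best["net_benefit"]:
                best = {"control": c.name, "residual_ale": residual, "net_benefit": net_benefit}
    if best is None:
        result["decision"] = "escalate"
    else:
        result.update(best)
        result["decision"] = "mitigate"
    return result


def risk_treatment_plan(register: list, acceptance_threshold: float) -> list:
    """Treat every risk and order the plan by inherent exposure (the reporting step)."""
    plan = [treat(r, acceptance_threshold) for r in register]
    return sorted(plan, key=lambda row: row["inherent_ale"], reverse=True)


# Constructed sample register; all figures are illustrative, not taken from the paper.
CUSTOMER_DB = Asset("customer database", owner="Head of Operations", value=2_000_000)
BUILD_SERVER = Asset("CI build server", owner=None, value=150_000)
PLANT_GATEWAY = Asset("legacy plant gateway", owner="Plant Manager", value=500_000)
WIKI = Asset("intranet wiki", owner="IT Manager", value=20_000)

REGISTER = [
    Risk(CUSTOMER_DB, "external attacker", "SQL injection in web front end",
         exposure_factor=0.5, aro=0.2, candidates=[
             Control("WAF in front of web tier", 40_000, aro_factor=0.25, ef_factor=1.0),
             Control("parameterised queries + field encryption", 25_000, aro_factor=0.25, ef_factor=0.4)]),
    Risk(BUILD_SERVER, "supply-chain attacker", "unsigned build artefacts",
         exposure_factor=0.6, aro=0.3, candidates=[Control("artefact signing", 8_000, 0.2, 1.0)]),
    Risk(PLANT_GATEWAY, "ransomware", "flat network, no segmentation",
         exposure_factor=0.8, aro=0.1, candidates=[Control("network segmentation", 30_000, 0.5, 1.0)]),
    Risk(WIKI, "insider", "weak passwords", exposure_factor=0.1, aro=1.0,
         candidates=[Control("MFA on wiki", 5_000, 0.1, 1.0)]),
]
ACCEPTANCE_THRESHOLD = 25_000.0   # largest ALE the business will live with; set by management


if __name__ == "__main__":
    for row in risk_treatment_plan(REGISTER, ACCEPTANCE_THRESHOLD):
        print(f"{row['asset']:<22} {row['decision']:<10} inherent={row['inherent_ale']:>9,.0f} "
              f"residual={row['residual_ale']:>9,.0f} control={row['control']}")
```

Two outcomes are worth reading closely. For the customer database the WAF has a larger raw benefit but leaves residual loss above the threshold, so the cheaper control that also shrinks the impact wins; for the plant gateway the only control does reach the threshold but costs more than the loss it avoids, which is exactly the case the paper says management must consciously decide to live with, so the example escalates it rather than silently accepting it. The build server is refused a decision at all because it has no owner, mirroring the ISO 27001 requirement in section 3.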