A Framework for the Management of Information Security Risks
Author: peter • December 6, 2012 • Case Study • 1,515 Words (7 Pages) • 1,692 Views
1. Introduction
This paper examines a number of the issues that relate to the
management of risks to information systems or ICT
supported processes. The risk management framework that
is detailed has been developed to meet the requirement for
use by BT on both its internal systems and for development
as a service to its customers.
Before setting out on the development of a framework, a
number of existing methodologies [1—7] were reviewed to
determine whether any of the current frameworks or
methods met the BT requirement for a single, scalable
framework that could be applied to both its own systems and
the full range of systems that belong to its customers. While
many of them partially satisfied this requirement, none
satisfied it fully.
In ISO 27001:2005, ‘Information technology — Security
techniques — Information security management systems —
Requirements’, one of the four points that its process
approach encourages users to emphasise is the implementation
and operation of controls to manage an organisation's information
security risks. Moreover, information security risks must be
managed in the context of the organisation's overall
business risks. The issue of risk is approached in a number of
ways and the approach will be dependent on the type of
organisation and its risk appetite (the level of its willingness
to accept risk).
Risk, in one form or another, is fundamental to all
organisations. All of them are constantly exposed to, and
have to deal with, a range of different types of risk. Some will
embrace risk where they feel that it offers the opportunity
for greater reward, while others are more conservative and
will be considered risk averse. All will seek to ‘treat’ the risks
that they identify and will attempt to reduce their exposure
to
...