
ISO27002 Entity Security Assessment Tool

This tool has a very specific, high-level purpose in any ISMS project, which is to quickly and clearly identify the
areas of potential security weakness (vulnerabilities) in the organization's ISMS and to identify, for each of those
areas, the probability of a threat exploiting the vulnerability and the potential impact on the organization if this
occurred. The tool is ideal for demonstrating to people within the organization (e.g. management or project staff)
where the key vulnerabilities are.
This assessment tool is cross-referenced to ISO/IEC 27002:2005 and deals with the 134 controls of the standard
in 33 questions. It is not a risk assessment tool and is not designed to carry out the detailed asset level risk
assessment required by the standard, as that requires a far more detailed and granular approach than is provided
for in this tool.
The tool is a self-assessment questionnaire. It cross-references to the 134 controls that are in ISO27002:2005.
The default setting for the tool is that there is inadequate security in all areas, that all vulnerabilities are highly
likely to be exploited and that the impact in each case will be high. That's why they're all in red.
Risk question
Answers to the question in column 1 (risk question) are entered in column 2 (Compliant? Y/N/QY) with a
"Y" for Yes, an "N" for No and a "QY" for a Qualified Yes. A qualified yes indicates that you think that you
only partially satisfy the question. You can use either lower or upper case, as you prefer. Type the letter for your
answer into the box and the box colour will automatically change to clearly represent the answer: red for no,
green for yes and yellow for a qualified yes. Risk questions that contain multiple sub-questions might give rise to
sub-answers that include yes, no and a qualified yes. Information security requires a cautious outlook: always
apply the lowest level of sub-answer (green is highest, red is lowest) to the question as a whole.
Column 3 is available for you to record any specific comments or issues on each question; it is particularly useful
for identifying parts of the question that are not applicable to your organization, or where your organization is in
a transitional state on the issue and the answer is therefore likely to change.
Column 6 lists the ISO/IEC 27002:2005 controls that are covered by the question. You should refer to ISO/IEC
27002:2005 itself for the details of the control requirement, to ensure that you adequately understand the
ramifications of each question being asked. Note that a number of the controls are covered by more than one
question, and this can be seen from the schedule in the third sheet, which identifies, by control, the question that
covers it.
Company probability assessment
The second stage in the process is to identify, in column 4, your assessment of the likelihood of a threat
exploiting the vulnerability given the arrangements you have in place. A structured approach to this assessment,
involving the input of one or more experienced information security practitioners, will improve the
objectivity of your answer. If the likelihood is high, type "H" in the company probability assessment box for
that risk question, and the box will stay red. "M" means medium (yellow); "L" means low (green). For
instance, the absence of an information security policy means that management are unlikely to have a coherent,
systematic view of how information security should be managed, with the result that there are likely to be
substantial inadequacies in the organization's ability to respond to a range of attacks. There is a high likelihood
of such a vulnerability being exploited.
You should assess the likelihood of the vulnerability being exploited for all questions, not just for those whose
risk answer is red. The reason for this is that you want to see the overall security posture for your organization.

Company impact assessment
Column 5 is where you mark your assessment of the likely impact on the organization if this vulnerability were
to be exploited. Impacts are measured in financial terms, and should include all the likely direct, indirect and
consequential costs of the impact, including time taken to restore normal operations, lost business, etc. Again, the
three options are high (red), medium (yellow) and low (green). Again, you should assess the likely impact for all
questions, not simply those that are red.
Conclusion
The ideal information security posture will be represented by a completely green column 2 and few if any
comments in column 3. The likelihood is that columns 4 and 5 will both contain a large number of reds.
Prioritization
Most organizations will have one or more areas in which they are not compliant with the risk question, and the
likelihood of exploitation and its probable impact are high: red across the row, in other words. If there is only
one such row, the security controls associated with it should be implemented as a priority. If there is more than
one such row, you will have to compare the total financial impact for each and prioritize on the basis of tackling
the most significant area of danger first. It can be appropriate, in such circumstances, to include an assessment of
the likely cost of implementing the control and to prioritize dealing with the areas in which the potential net cost
(cost of impact less cost of control) is highest.
It is not unusual for organizations to discover that they have implemented controls for which there is no
corresponding risk probability and, unless you carry out the exercise as indicated in these instructions, you may
not uncover this situation. Wasting money on unnecessary controls is as bad for the organization's ISMS as
having dysfunctional controls. Those risk questions for which your compliance answer is green, but for which
the probability and impact of an attack are low, may be areas in which you have over-invested in controls. You
will need to investigate these in more detail to see if there are options for reducing the level of control and
investing the released funding elsewhere.
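As an added illustration, not part of the tool or its spreadsheet, the following Python models the rules described above: the most cautious sub-answer decides a question's colour, the H/M/L ratings colour columns 4 and 5, red-across-the-row questions are ranked by potential net cost (cost of impact less cost of control), and green questions with low probability and low impact are flagged as possible over-investment. The Row fields, the impact_cost and control_cost figures and the sample questions are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Column 2 answers (case-insensitive) and column 4/5 H/M/L ratings map to colours.
ANSWER_COLOUR = {"N": "red", "QY": "yellow", "Y": "green"}
RATING_COLOUR = {"H": "red", "M": "yellow", "L": "green"}
COLOUR_RANK = {"red": 0, "yellow": 1, "green": 2}  # green is highest, red lowest


def lookup(value, table, allowed):  # case-insensitive; rejects anything else
    key = value.strip().upper()
    if key not in table:
        raise ValueError(f"unsupported value {value!r}: use {allowed}")
    return table[key]


def answer_colour(sub_answers):
    """Question colour from one or more Y/N/QY sub-answers: the lowest wins."""
    colours = [lookup(a, ANSWER_COLOUR, "Y, N or QY") for a in sub_answers]
    return min(colours, key=COLOUR_RANK.__getitem__)


def rating_colour(rating):
    return lookup(rating, RATING_COLOUR, "H, M or L")


@dataclass
class Row:
    question: str
    sub_answers: list    # column 2 (one entry per sub-question)
    probability: str     # column 4
    impact: str          # column 5
    impact_cost: float   # assumed: estimated financial impact if exploited
    control_cost: float  # assumed: estimated cost of implementing the control

    def colours(self):
        a, p, i = self.sub_answers, self.probability, self.impact
        return (answer_colour(a), rating_colour(p), rating_colour(i))


def prioritize(rows):
    """Red-across-the-row questions, highest net cost (impact less control) first."""
    hot = [r for r in rows if r.colours() == ("red", "red", "red")]
    return sorted(hot, key=lambda r: r.impact_cost - r.control_cost, reverse=True)


def possible_over_investment(rows):
    """Green compliance but low probability and low impact: review the control spend."""
    return [r for r in rows if r.colours() == ("green", "green", "green")]


def sample_rows():
    """Constructed sample rows (not taken from the tool)."""
    return [
        Row("Is there an information security policy?", ["n"], "H", "H", 500000, 20000),
        Row("Are backups taken and restore-tested?", ["Y", "qy", "N"], "h", "H", 250000, 5000),
        Row("Is visitor access to the server room logged?", ["Y"], "L", "L", 10000, 30000),
    ]
```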
The tool is as helpful as you are honest.
