How FAIR & ISO 27001 Work Together

By Joe Vinck | February 9, 2021


We are often asked whether FAIR™, the international standard for cyber and technology risk quantification and the basis of the RiskLens platform, is compatible with the common security and risk standards and frameworks.

The answer is yes -- by bringing a financial discipline to otherwise technical guidelines, FAIR and RiskLens enhance their value as business-decision support tools. The most widely used cybersecurity framework, the NIST CSF, includes FAIR as a recommended best practice for risk assessment and risk analysis.

Joe Vinck is a RiskLens Strategic Account Executive

Besides the NIST CSF, organizations in financial services, web services or other sectors that handle sensitive data often also seek to reassure customers and management with certification in the ISO 27000 set of standards, particularly ISO 27001 (requirements for information security management systems, or ISMS) and ISO 27005 (requirements for implementation of information security based on a risk management approach).

These ISO standards help organizations maintain the security of their information assets by recommending types of security controls and processes. They also help to define a risk strategy based on business needs to mitigate risk across the enterprise and continually monitor and communicate progress in a methodical fashion – as shown in this schematic.

While ISO 27001 and the like are highly useful as compliance standards, and are signs of a certain level of maturity for security organizations, they can’t answer the basic questions that any organization would like answered, such as “How much risk do we have?” and “If we invest in security controls, how much less risk will we have?” These questions can only be answered with a method to quantify risk in financial terms.

The ISO 27000 standards don’t prescribe a specific approach to analyzing risk and leave it to the risk practitioners to select their preferred analytics model. This is where FAIR comes in.

Factor Analysis of Information Risk (FAIR) decomposes risk into discrete factors that can be quantified and analyzed together to describe risk as a range of probable loss in dollars. Unlike risk assessment methods that focus their output on qualitative color charts or numerical weighted scales, the FAIR standard delivers financially derived results through the RiskLens platform that can be communicated across the enterprise in standard business terms of loss exposure and return on investment.

FAIR and RiskLens can be used to:

  • Identify top risks in financial terms for loss exposure
  • Evaluate the efficacy of risk treatments for risk reduction in terms of probable dollar savings
  • Fulfill the spirit of ISO 27001 by effectively communicating on cyber risk in the language that the enterprise best understands.

In sum, FAIR can be used as a complementary risk analytics model to get the highest business value from ISO 27001 and related programs.

The RiskLens SaaS platform enables the practical use of FAIR analysis, with a guided workflow, built-in data libraries and automated, flexible analysis and reporting. Platform capabilities include:

  • Rapid Risk Assessments, completing in 15-30 minutes what typically takes weeks in conventional risk analysis
  • Risk Treatment Analysis to compare on a cost/benefit basis the options for controls
  • Granular analysis across risks to identify threat actors or assets that pose the greatest probable exposure to loss.

RiskLens is already serving large IT, financial and other ISO 27001-certified organizations. Talk to us about implementing RiskLens and FAIR to maximize the business value of your ISO 27000 program.