Background

Selecting a security risk management standard to apply in the conduct of assessments and ongoing risk mitigation is a fairly straight forward process. There are several notable standards , starting with ISO 31000 – Risk management guidelines.

As a generic/scope agnostic standard, ISO 31000 offers little specialist security guidance, but it does present the general structure for conducting a risk assessment and maintaining a program.

Specialist Standards

ISO 27005:2018 – Information security risk management, is also a useful standard. The general methodologies detailed within it are applicable, and indeed similar to, those applied beyond cyber security, such as within the protective security domain. It is interesting to see how closely aligned cyber and protective security are in this respect.

ISO 28000:2007 Security management systems for the supply chain, is a favourite among international organisations, and naturally those with vulnerable supply chains. From a risk assessment/management perspective though, this was designed to take a lead from specialist guidance, such as ISO 20858:2007 Ships and marine technology — Maritime port facility security assessments and security plan development, and indeed standards like ISO 27005.

_________________________________________

RELATED ARTICLES: What is Enterprise Security Risk Management? | What Are Risk Criteria, Scope And Risk Tolerance?How To Use A Risk Matrix | What Is A Risk Assessment Template?What Is A Risk Assessment Matrix? | What’s In A Good Security Risk Assessment?

_________________________________________

Study by Edith Cowan University

An interesting study [1] was conducted by Prof. David Brooks and Hamish Cotton, of Edith Cowan University, back in 2011. I scanned it, but was distracted with other things at the time. In revisiting it recently, I am uncertain whether much has changed. It also caused me to ponder what the state of affairs was further afield from the Asia-Pacific region.

Titled “Security risk management in the Asia Pacific region: what are security professional using?”, the study objectives were as follows:

The study addressed a discrete Research Question, namely: What risk management standard or framework do security practitioners use in the Asia Pacific region? This overarching question allowed a number of discrete issues to be considered, such as the use of “in country” or “home country” security risk standards and frameworks? In addition, are there separate APAC “in country” security risk management standards and finally, do nation-states issues affect security risk management across the region?

Conducted through a survey method, and with a small sample size of 35 involved, it is understood that respondents (at least those initially contacted) were nonetheless prominent in the security management community. Otherwise were invited through “snowball effect”.

In the context of this article, key findings of the study include:

  • A significant number of the respondents indicated that the in-country nation-states did not have a risk management standard.
  • Both ISO 31000 and AS/NZS 4360 are reflected as the two most popular responses after “no risk management standard”; however, there is a levelling over the remaining frameworks that indicates that although ISO 31000 is often the “in-country” risk framework, many other frameworks are in place among the various APAC nation-states.
  • “…no risk management standard” remains the most popular approach (Figure 1 below). Of the companies surveyed, the most used framework was ISO 31000 with internal risk management standards proving to be the next most popular approach.”

 

Figure 1: Security risk frameworks and standards used in Asia-Pacific [1]

 

It is interesting to read respondents’ answers to the question “What are the in-country nation-state risk management issues?” One might argue that little has changed in these concerns:

  • Abide by the law.
  • Ensuring compliance with State Laws, including Industrial laws.
  • Legal obligations. Good Corporate Citizenship and obtaining “buy in” from local employees.
  • Corruption, ISPS and processes for obtaining assigned Government security support.
  • Remain vigilant, as people will attempt to defraud you from within and extort you from outside.
  • Host country issues most relevant to the multi-national I work for are commercial (tax, residency, legal etc).
  • A very open-ended question. XXXX1 being a diverse and vibrant country attracts a great deal of foreign investment, entities operating within confronted with diverse and vibrant threats and risks.
  • Legislative changes.
  • Political, IR/HR issues, workplace safety, regulatory/compliance matters.
  • There should be local legislations that are compulsory for companies to follow.
  • Regulatory requirements.
  • Legislative requirements that require compliance within an in-country set of standards and may differ from global internal company standards.
  • Need to be globally consistent, but regionally flexible.
  • (1) The English common law “duty of care” principle; (2) legal aspects pertaining to negligence; (3) occupational health and safety laws; & local fire safety codes.
  • Business Continuity Management issues.
  • Local regulatory requirements pertaining to business and corporate governance.
  • Legal frameworks, HSE, cultural issues, risk acceptance
  • Local procurement process, including the need to have a local company as a representative.”[1]

Local Australian Practices

Beyond the study itself, it is also interesting to note that Australian practitioners are still equipped with Handbook (HB) 167:2006 – Security risk management. This is a dated document, and while currently under review, still provides a broad reference text for conducting security risk management in multiple contexts.

HB167 is buttressed by the Security Risk Management Body of Knowledge (SRMBoK), and its alter-ego/contemporary cousin, the Security Risk Management Aide-Memoire (SRMAM).

Both support cyber and protective/traditional security risk practices, and practitioners are free to then reach out to international texts/standards for other requirements (e.g. for formal certification, or to demonstrate international consistency etc.)

Yours in security risk management,

Konrad Buczynski

Konrad was a graduate of the Royal Military College Duntroon and served as an Australian Army Officer and telecommunications specialist until 2001. He has held roles as Director of the Australian Centre for Security Management and Chief Security Officer and Crisis/Business Continuity Program Manager at Thales Australia-New Zealand, the region’s largest Defence Prime Contractor at the time.

A Certified Practising Risk Manager, Registered Security Professional, member of numerous security working groups and technical committees and designer and author of innumerable security risk management programs, Konrad was the architect and co-founder of SECTARA. He is a company Principal and SECTARA’s Managing Director.

Did you known that the Security Risk Management Aide Memoire (SRMAM) is free to all SECTARA subscribers (yes, even on the free plan).

How to get started with SECTARA

If you see the same great benefits that we do in SECTARA, there are several methods to get started:

[1] D. Brooks and H. Cotton, “Security risk management in the Asia Pacific region: What are security professional using?,” Edith Cowan University, 2011. [Online]. Available: https://ro.ecu.edu.au/ecuworks2011/35/. [Accessed 21 May 2020].