By the end of this introductory session, learners will be able to:
Analyse the Shift in Security Philosophy: Explain the evolution from "perimeter-based defence" to a modern, risk-based approach to security management.
Articulate the "Risk-First" Business Case: Justify the need for risk analysis, using industry benchmarks (IBM/Google), to secure executive buy-in and resource allocation.
Distinguish Between Frameworks: Identify the role of global security frameworks in providing a standardised "roadmap" for organisational resilience.
Define the Strategic Role of Security: Describe how the security function serves as a business enabler—balancing protection with the organisation's strategic objectives and risk appetite.
By the end of this module, learners will be able to:
Differentiate Between General and Domain-Specific Standards: Contrast the high-level enterprise principles of ISO 31000 with the information-security-specific guidance of ISO 27005.
Identify Cognitive Biases in Risk: Explain how human psychology and risk perception influence decision-making, and how standardised frameworks help mitigate these subjective biases.
Analyse the ISO 31000 Architecture: Outline the relationship among the three pillars of risk management: Principles, Framework, and Process.
Select Appropriate Assessment Tools: Evaluate various risk assessment methodologies (referencing IEC 31010) to determine which qualitative or quantitative tools best suit different organisational needs.
Map the Standards Ecosystem: Describe how different ISO/IEC frameworks interlock to create a comprehensive risk management environment.
Evaluate Information Security Risks: Apply both asset-based (bottom-up) and event-based (top-down) identification methodologies to achieve comprehensive visibility of threats across modern, interconnected IT ecosystems.
Execute the Risk Assessment Workflow: Navigate the multi-phased implementation process outlined in IEC 31010, encompassing context planning, model development, technique application, and analytical validation.
Formulate Objective Consequence Criteria: Construct structured, non-numerical consequence matrices across operational, legal, reputational, and safety domains to determine risk levels and overcome the systemic biases of traditional qualitative heat maps.
Establish Risk Governance and Ownership: Identify and empower definitive risk owners who hold the appropriate business accountability, executive authority, and financial leverage to approve treatment plans and accept residual risk.
Architect Risk Treatment Strategies: Develop actionable Risk Treatment Plans (RTP) and Statements of Applicability (SoA) by mapping required preventive, detective, and corrective controls to ISO/IEC 27001 Annex A, while accounting for the velocity of DevSecOps and cloud-native environments.
The successful operation of an Information Security Management System depends heavily on the auxiliary processes that support core risk assessments. ISO/IEC 27005:2022 formalises these operational requirements within Clause 10, "Leveraging related ISMS processes". This section expands on the four core agenda items that are critical to maintaining a defensible risk posture.
Advanced Analytical Techniques for Modern Information Systems
Context: Moving beyond the standard qualitative matrices introduced in Module 2, this module equips participants with specific, specialised frameworks (STRIDE, FMEA, Red Teaming) and structured elicitation techniques required to assess deterministic Cloud risks and highly subjective, probabilistic AI risks.
Lesson Objectives:
Differentiate Analytical Approaches: Select and apply the appropriate methodology (asset-based vs. event-based) based on the specific technological domain and threat landscape.
Execute Cloud Threat Modelling: Systematically deconstruct cloud architectures using the STRIDE framework to identify vulnerabilities before deployment.
Assess Opaque AI Vulnerabilities: Navigate the subjective nature of AI risks (e.g., model drift, bias, hallucinations) using structured expert elicitation and qualitative impact evaluation where historical data is absent.
Integrate Adversarial Findings: Translate the results of specialised testing techniques, such as AI Red Teaming and Failure Modes and Effects Analysis (FMEA), directly into formal, actionable entries in the risk register.
End-to-End Guide with Worked Examples & Templates