©Gamma Secure Systems Limited, 2007
ISO/IEC 27001: Mapping to Operational Risk under Basel II
Dr. David Brewer, FBCS, MIOD
Conference of IT Heads of Banks, RBI, CAB, Pune 22 September 2007
Agenda
Basel II
A taxonomy of risk
Measuring effectiveness
Internal control
Summary and conclusions
(Each section closes with a "Mapping to ISO/IEC 27001" slide.)
BASEL II
Basel II
Extends the credit/market risk provisions of Basel I to operational risk
Operational risk: the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems, or from external events
Encourages the establishment of effective internal control in order to release Tier 1 capital
Can you demonstrate effective control to the satisfaction of the regulators?
Operational risk
Includes legal risk
Excludes strategic and reputational risk
Can use:
Basic indicator approach
Standardised approach
Advanced measurement approaches
Basic indicator approach
No qualifying criteria
Bottom line 15%
Capital charge = 15% of the average positive annual gross income over the last three years, where only years with positive income count (at most 3):
$$K_{BIA} = 15\% \times \frac{\sum_{i=1}^{n} GI_i^{+}}{n}, \qquad n = \text{number of years (max 3) with positive gross income}$$
Standardised approach
Qualifying criteria
Eight business lines
Possible alternative approach for retail/commercial banking
International banks are expected to do this
Bottom line: could be more than 15%, could be less
Capital charge = three-year average of the sum, over the eight business lines, of a factor between 12% and 18% times that line's annual gross income:
$$K_{TSA} = \frac{1}{3}\sum_{\text{last 3 years}} \sum_{j=1}^{8} \beta_j \times GI_j, \qquad 12\% \le \beta_j \le 18\%$$
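As an added worked example (not code from the presentation), the two capital-charge calculations above in Python, so that the "could be more than 15%, could be less" point can be seen on numbers. The per-business-line beta factors are the values Basel II assigns within the 12-18% range the slide quotes, and the zero floor on a year's Standardised Approach total is likewise from the Basel II text rather than from the slides; the income figures are constructed.

```python
from typing import List, Mapping, Sequence

ALPHA_BIA = 0.15  # the 15% "bottom line" of the Basic Indicator Approach

# Beta factors per business line for the Standardised Approach. The slides only
# give the 12-18% range; these per-line values are the ones Basel II assigns.
BETA_TSA: Mapping[str, float] = {
    "corporate_finance": 0.18,
    "trading_and_sales": 0.18,
    "retail_banking": 0.12,
    "commercial_banking": 0.15,
    "payment_and_settlement": 0.18,
    "agency_services": 0.15,
    "asset_management": 0.12,
    "retail_brokerage": 0.12,
}


def bia_capital_charge(annual_gross_income: Sequence[float], alpha: float = ALPHA_BIA) -> float:
    """Capital charge under the Basic Indicator Approach.

    alpha times the average of the last three years' gross income, where years
    with zero or negative income drop out of both the sum and the year count.
    """
    last_three = list(annual_gross_income)[-3:]
    positive = [gi for gi in last_three if gi > 0]
    if not positive:
        raise ValueError("no year with positive gross income in the last three years")
    return alpha * sum(positive) / len(positive)


def tsa_capital_charge(income_by_line: Sequence[Mapping[str, float]],
                       beta: Mapping[str, float] = BETA_TSA) -> float:
    """Capital charge under the Standardised Approach.

    Per year, sum beta_j x GI_j over the business lines; a negative line may
    offset positive ones within that year, but the year's total is floored at
    zero (a Basel II rule not stated on the slides). Average over three years.
    """
    if len(income_by_line) != 3:
        raise ValueError("the Standardised Approach averages exactly three years")
    yearly: List[float] = []
    for year in income_by_line:
        unknown = set(year) - set(beta)
        if unknown:
            raise ValueError(f"unknown business line(s): {sorted(unknown)}")
        yearly.append(max(sum(beta[line] * gi for line, gi in year.items()), 0.0))
    return sum(yearly) / 3


def yearly_totals(income_by_line: Sequence[Mapping[str, float]]) -> List[float]:
    """Whole-bank gross income per year, i.e. the input the BIA would use."""
    return [sum(year.values()) for year in income_by_line]


# Constructed sample (currency units in millions), not figures from any bank.
# Trading losses in years 2 and 3 make the two approaches diverge.
SAMPLE_INCOME_BY_LINE = [
    {"retail_banking": 60.0, "commercial_banking": 40.0, "trading_and_sales": 20.0},
    {"retail_banking": 60.0, "commercial_banking": 40.0, "trading_and_sales": -50.0},
    {"retail_banking": 50.0, "commercial_banking": 30.0, "trading_and_sales": -200.0},
]

if __name__ == "__main__":
    totals = yearly_totals(SAMPLE_INCOME_BY_LINE)
    print("gross income per year:", totals)
    print("BIA charge:", round(bia_capital_charge(totals), 2))
    print("TSA charge:", round(tsa_capital_charge(SAMPLE_INCOME_BY_LINE), 2))
```

On the sample, the BIA ignores the loss-making third year entirely and charges 15% of the average of the two positive years; the TSA lets the trading loss offset the other lines within each year, so its charge comes out lower here even though two of the three lines carry a beta at or above 15%.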
Advanced approaches
You decide
Within various constraints…
Qualifying criteria
Both standardised and advanced approaches require a sound system of internal control with director/senior management oversight (as a minimum)
Basel intentions
Sound, measurable internal control
Director/senior management participation
Documentation, records
Continual improvement
Systematic, well argued approach backed by real data
Mapping to ISO/IEC 27001
ISO/IEC 27001 requires:
Director/senior management oversight
Sound risk management framework
Documentation
Measurements
Repeatable/reproducible results
Feedback, both internal and external
Not a bad match…
Information security is part of operational risk
A TAXONOMY OF RISK
A taxonomy of risk
Credit, Market and Operational Risk
[diagram: the three risk types, Credit risk, Market risk and Operational risk, with numbered example failures placed against them]
Credit risk: the creditor defaults
Operational risk examples:
1. Invoice not raised
2. Work outside contract
3. Unacceptable quality
4. Overheads too high
5. Unable to complete the job
10. Delivery too late
Operational risk - 1
Invoice not raised: how do you ensure that all invoices that should be raised are issued, and issued correctly?
IT solutions: substantive audit; correctness of the billing system; customer authentication; …
Integrity
Failure of internal control in respect of CREDIT risk
Operational risk - 2
Mark to market: how do you ensure that the valuation of futures is in accordance with the rules?
IT solutions: automated test programs to detect:
• Correspondence to reality
• Database anomalies
• Rate curve is valid
• Valuation by trade
Integrity
Failure of internal control in respect of MARKET risk
Operational risk - 3
Customer details leaked: how do you ensure customer data is not given to unauthorised people?
IT solutions: caller authentication; access control; website design; firewalls; …
Confidentiality (Data Protection Act)
General OPERATIONAL risk
Operational risk - 4
Operator error: what do you do if someone makes a mistake?
IT solutions: access control; check and release; back-up; audit; …
Integrity
General OPERATIONAL risk
Operational risk - 5
Disaster: what do you do if the computer breaks? (part of business continuity)
IT solutions: back-up; hot or warm standby; disaster recovery site; …
Availability
General OPERATIONAL risk
Mapping to ISO/IEC 27001
Computers play a major role
All sorts of things can go wrong
Information security is a significant component of operational risk
ISO/IEC 27001 addresses this:
Risk assessment/risk treatment
Incident handling
A comprehensive list of 133 controls (Annex A)
MEASURING EFFECTIVENESS
The “Time” model
Event-impact relationship
There is a fundamental principle of internal control (and thus of an ISMS):
“… detect the event in sufficient time to do something positive about it …”
See http://www.gammassl.co.uk/topics/time/index.html
Fundamental model (too late)
[chart: Money (£) against Time, plotting Revenue R, Cost of business activities CBA and Cost of ICS CICS, with time markers TE, TW, TM and TF]
Fundamental model (in time)
[chart: Money (£) against Time, plotting Revenue R, Cost of business activities CBA and Cost of ICS CICS, with time markers TE, TW, TD and TF]
Control spectrum

| Class | Type | Ability to detect the event and take recovery action |
|---|---|---|
| 1 | Preventive | Prevents the event, or detects the event as it happens and prevents it from having any impact |
| 2 | Detective | Detects the event and reacts fast enough to fix it well within the time window |
| 3 | Detective | Detects the event and just reacts fast enough to fix it within the time window |
| 4 | Detective | Detects the event but cannot react fast enough to fix it within the time window |
| 5 | Reactive | Fails to detect the event but has a partially deployed BCP |
| 6 | Reactive | Fails to detect the event but does have a BCP |
| 7 | Reactive | Fails to detect the event and does not have a BCP |
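Added example, not code from the presentation: a classifier that places an observed control outcome on the spectrum above using the time model's markers (TE event time, TD detection time, TF fix time, TW close of the window), plus a summary that counts outcomes per class, which is one way to turn incident records into the effectiveness measurement the "Time" model calls for. The comfort_margin that separates "well within" (class 2) from "just within" (class 3) the window is an assumption of this example, as are the sample outcomes and their names.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Literal, Optional

Bcp = Literal["none", "partial", "full"]

# Type label for each class, as in the control spectrum table.
CONTROL_TYPE: Dict[int, str] = {
    1: "Preventive",
    2: "Detective", 3: "Detective", 4: "Detective",
    5: "Reactive", 6: "Reactive", 7: "Reactive",
}


@dataclass(frozen=True)
class ControlOutcome:
    """One observed event and how the control responded (times on one scale, e.g. hours)."""
    name: str
    t_event: float                    # TE: when the event occurred
    t_window: float                   # TW: latest moment at which a fix still avoids real harm
    prevented: bool = False           # event, or its impact, stopped outright
    t_detect: Optional[float] = None  # TD: when the control detected the event (None: never)
    t_fix: Optional[float] = None     # TF: when recovery completed (None: not fixed)
    bcp: Bcp = "none"                 # business continuity plan state, used when detection failed


def classify(o: ControlOutcome, comfort_margin: float = 0.25) -> int:
    """Map an outcome to control spectrum class 1 (best) .. 7 (worst).

    comfort_margin is an assumption of this example: a fix counts as "well
    within" the window (class 2) when at least that fraction of TW - TE is
    still unused at TF; otherwise it is "just" in time (class 3).
    """
    if o.t_window <= o.t_event:
        raise ValueError("the time window must close after the event occurs")
    if o.t_detect is not None and o.t_detect < o.t_event:
        raise ValueError("detection cannot precede the event")
    if o.t_fix is not None and (o.t_detect is None or o.t_fix < o.t_detect):
        raise ValueError("a fix needs a prior detection")

    if o.prevented:
        return 1
    if o.t_detect is None:
        # Reactive classes: only a BCP can limit the impact now.
        return {"full": 6, "partial": 5, "none": 7}[o.bcp]
    if o.t_fix is None or o.t_fix > o.t_window:
        return 4  # detected, but the fix came after the window closed (or never)
    window = o.t_window - o.t_event
    slack = o.t_window - o.t_fix
    return 2 if slack >= comfort_margin * window else 3


def spectrum_summary(outcomes: Iterable[ControlOutcome]) -> Dict[int, int]:
    """Count outcomes per class; a shift towards class 1 over time means improving effectiveness."""
    return dict(sorted(Counter(classify(o) for o in outcomes).items()))


# Constructed sample outcomes (not real incident data); times in hours after the event.
SAMPLE_OUTCOMES = [
    ControlOutcome("transaction limit check", 0.0, 24.0, prevented=True),
    ControlOutcome("failed-login alerting", 0.0, 24.0, t_detect=1.0, t_fix=4.0),
    ControlOutcome("nightly reconciliation", 0.0, 24.0, t_detect=20.0, t_fix=23.0),
    ControlOutcome("weekly log review", 0.0, 24.0, t_detect=72.0, t_fix=80.0),
    ControlOutcome("unmonitored disk, partial DR plan", 0.0, 24.0, bcp="partial"),
    ControlOutcome("unmonitored disk, tested DR site", 0.0, 24.0, bcp="full"),
    ControlOutcome("unmonitored disk, no DR plan", 0.0, 24.0),
]

if __name__ == "__main__":
    for o in SAMPLE_OUTCOMES:
        c = classify(o)
        print(f"class {c} ({CONTROL_TYPE[c]:10}) {o.name}")
    print(spectrum_summary(SAMPLE_OUTCOMES))
```

The validation at the top of classify matters in practice: incident records with a fix time but no detection time, or a detection before the event, are usually data-entry errors, and silently classifying them would corrupt the summary that management sees.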
Effectiveness
Theory and Practice
Mapping to ISO/IEC 27001
ISO/IEC 27001 requires measurement of the effectiveness of controls
This is one way to do it (and probably the best)
Event-driven Risk Treatment Plans
Risk treatment plans
Risk model: a Threat exploits a Vulnerability, which violates an Asset, which causes an Event, which leads to an Adverse Impact
What is the risk?
What shall we do? Treat the risk:
Avoid the risk
Accept the risk
Transfer the risk
Mitigate the risk: select the controls
Choose the appropriate controls:
Proportionality: controls should be commensurate with the risk
Decide which of the 133 controls in Annex A are applicable
Tell it like a story
Predicated on “Time Model”
Repeats the question “what if it doesn’t work”
Expressed in business terms in language everyone can understand
Options for treating risk
Avoid the risk
Accept the risk
Transfer the risk
Mitigate the risk
Overview
An example
Typical IS events and impacts
Events:
Theft
Acts of God, vandals and terrorists
Fraud
IT failure
Hacking
Denial of service
Disclosure
Breach of the law
Inappropriate deployment of people
Impacts:
Adverse press coverage
Organisation ceases trading
Inability to carry out all or some of its business
Loss of customer confidence
Loss of revenue
Increased costs
Prosecution
Covers all 133 controls
Basel II required events
Internal fraud
External fraud
Employment Practices and Workplace Safety
Clients, Products & Business Practices
Damage to Physical Assets
Business disruption and system failures
Execution, Delivery & Process Management
Mapping to ISO/IEC 27001
ISO/IEC 27001 requires an assessment to be performed but does not specify how to do it
The Brewer-List methodology is appropriate
Basel II specifies certain event loss types
Use these to design the Risk Treatment Plans
Supplement with other RTPs to deal with other operational risks
Note that insurance is recognised by ISO/IEC 27001 as a particular mode of risk treatment
Effectiveness Measurement
A method
Q1 - Did the controls work as designed?
Q2 - If they did, should they be improved?
Q3 - In either case, is there a training issue?
Q4 - Is there a process issue?
Q5 - Is there a technical issue?
Q6 - Is there an RTP design issue?
Mapping to ISO/IEC 27001
ISO/IEC 27001 requires the measurement to be done but does not specify how to do it
The time theory provides the basis of such a method
Tailor it to your bank’s specific ways of doing things and the Basel II requirements (for AMA)
INTERNAL CONTROL
Corporate governance… a result of scandals … investing public … being "ripped off" …conduct of senior executives
South Sea Bubble, Kreuger, Salad Oil company, Equity Funding, Polly Peck, Maxwell Pensions, Enron, WorldCom …
New laws/regulations … anti-discrimination, privacy protection, product quality, environment etc.
Turnbull, OECD, Sarbanes-Oxley, EU directive
Internal control
A WORD OF WARNING: definitions differ around the world!
In the US: only financial reporting
In the UK: everything
In India (Rule 49): financial reporting + risk management
Research conclusions
A conclusion of the Time paper was that (ISO) standards are just aspects of internal control
Further research identified the need for a PDCA engine to drive the system of internal control
A model of internal control
UK Practices Board Model + ISO/IEC 27001 + OEPs
Opportunity exploitation plans
The converse of events and impacts
Similar “time” theory
But not required for Basel II (because failure to exploit an opportunity is primarily a strategic risk)
[chart: reaping the benefit versus losing the opportunity]
Mapping to ISO/IEC 27001
ISO/IEC 27001 meets all the requirements of the PDCA engine necessary to drive a system of internal control
OEPs are not part of ISO/IEC 27001 or Basel II but can be used to justify risk exclusions
But could give a bank a considerable edge against larger international competitors
SUMMARY AND CONCLUSIONS
Summary and conclusions
Basel II extends credit/market risk to operational risk
For SA and AMA, Basel II requires a sound system of internal controls, with senior management participation
For AMA, Basel II places constraints on measurements of effectiveness and on event loss types
IT security is a significant component of operational risk
ISO/IEC 27001 addresses this and provides the necessary PDCA framework
We have a method for dealing with the other Basel II operational risk requirements
There is an opportunity for exploiting the Basel II regulations
ISO/IEC 27001: Mapping to Operational Risk under Basel II
Dr. David Brewer, FBCS, [email protected]
Any Questions?