School of Computer and Information Science, Edith Cowan University, Perth, Western Australia
The information security management standard ISO/IEC 27001 is built on the notion that information security is driven by risk assessment and risk treatment. Fundamental to the success of risk assessment and treatment is the decision making process that takes risk assessment output and assigns decisions to this output in terms of risk treatment actions. It is argued that the effectiveness of the management system lies in its ability to make effective, easy-to-implement and measurable decisions. One of the key issues in decision making is ownership. In this paper two aspects of information security ownership are considered: ownership of the asset (as per the ISO/IEC 27001 definition) and ownership of the risk treatment actions. This paper discusses how traditional information security risk assessment methodologies confuse the ownership issue and raises the question as to whether this is simply because they are rebadged computer security risk assessment methodologies or because the significance and the complexity of ownership is underestimated in many forms of information security risk assessment. This paper also presents some observations from practical attempts at implementing an organisation-wide information security risk assessment methodology. The observations were made as part of ISO/IEC 27001 certification assessment visits.