Jul 15, 2015
5/13/2018 ISO27k FMEA Spreadsheet - slidepdf.com
http://slidepdf.com/reader/full/iso27k-fmea-spreadsheet-55a74f747f9ea 1/21
5/13/2018 ISO27k FMEA Spreadsheet - slidepdf.com
http://slidepdf.com/reader/full/iso27k-fmea-spreadsheet-55a74f747f9ea 2/21
Introduction and acknowledgement
Contents
The FMEA Sample tab has the actual illustration - an analysis of possible failure modes for a firewall.
The Guidelines provide additional notes on the FMEA method, including a step-by-step process outline.
The Severity, Probability and Detectability tabs have tables demonstrating scales commonly used to rank risks by
Copyright
Disclaimer
An illustration of the application of Failure(FMEA) techniques to the analysis of
The original version of this spreadsheet was kindly provided to the ISO27k Implementers' Forum by Bala Ramasecurity risks. Subsequently, Bala kindly agreed to donate it to the ISO27k Toolkit. Apart from minor updates and
This work is copyright © 2008, ISO27k implementers' forum, some rights reserved. It is licensed under the Cwelcome to reproduce, circulate, use and create derivative works from this provided that (a) it is not sold or inImplementers’ Forum at www.ISO27001security.com, and (c) derivative works are shared under the same terms a
Risk analysis is more art than science. Don't be fooled by the numbers and formulae: the results are heavily influinformation assets and on the framing of risks being considered. For these reasons, the process is best conassessing and managing information security risks, and (b) the organization, its internal and external situation
anyone. It is impossible to guarantee that all risks have been considered and analyzed correctly. Some very exand we have some sympathy with that viewpoint.
The results of the analysis should certainly be reviewed by management (ideally including IT auditors, Legal, adjusted according to their experience, so long as the expert views are taken into consideration. Remember: jusecurity risk does not necessarily mean that it can be discounted. Organizations with immature security manageare not even recognized, due to inadequate incident detection and reporting processes.
5/13/2018 ISO27k FMEA Spreadsheet - slidepdf.com
http://slidepdf.com/reader/full/iso27k-fmea-spreadsheet-55a74f747f9ea 3/21
Importa
How to
1
2
3
4
5
6
7
8
9
10
11
12
14
15
16
17
18
19
Using p
5/13/2018 ISO27k FMEA Spreadsheet - slidepdf.com
http://slidepdf.com/reader/full/iso27k-fmea-spreadsheet-55a74f747f9ea 4/21
Guideline to Carry out a Risk Assessmen
nt notes:
This method does not consider asset values. Rrisks are identified for each asset and prioritized without taking acc
The Cumulative risk for the identified asset for each threat is ascertained by the Risk Priority Number (RPN)Each asset can have more than one failure mode and for each failure mode there can be more than one cause.
For more clarification see the comments on the header in each cell of the FMEA sample worksheet
carry out the Risk Assessment (RA) using FMEA:
Identify the businesses or the services rendered by the department under the scope of RA
Compute the assets that deliver or support the business or service identified
Write down the asset number (to avoid duplication)
Write down the function of the asset in delivering or maintain the identified business or service
Now identify the failure modes for the identified function. Please note that there could be more than one failure mo
Now identify the effect, if the identified failure mode happens. That if the identified failure mode happens what will
Now refer the severity chart and choose the number relevant to the effect of the failure mode
Now identfiy the cause for the failure mode. Please note that each failure mode can have more than one cause.
Now refer to the probability chart and choose the number that is more relevant to the frequency of the cause happ
Now list down the current controls. Kindly categorize the controls as preventive and detective controls. Write each
Now refer to the detectability chart and choose a number relevant to the effectiveness of the controls.
You can now see the Risk Priority Number calculated for a failure mode of the respective asset function.
Now identify who will implement the recommended control and by what target date the recommended control wou
Refer the Probability Chart
Refer the Detectability Chart
New RPN is calculated. Compare it with the acceptable norms and if not satisfying then redo the same process.
rioritized risks
Management may decide to target, say, the top 5% of risks initially. This is an arbitrary value that can be reviewed
Following the FMEA method, the risks are assessed, RPNs calculated and then risks are ranked by RPN.
5% of 1000 (the maximum RPN value) is 50. So any RPN above 50 requires review and (probably) control improv
All risks with RPNs above 50 are identified as "HIGH RISK". This criterion is of course based on the arbitrary 5% v
If the organization is well controlled with relatively few HIGH RISK items, the 5% value may be extended to, say 15
Alternatively, if there are simply too many HIGH RISK items to tackle at once, they may be addressed in top-down
Now if the RPN is not under the acceptable value then the risk status shows "HIGH RISK", recommendation to mitdown. Kinldy list each control in separate rows.
Now if the RPN is under the acceptable value then the risk status shows "LOW RISK". Else it displays as HIGH RIrepeated from step 1.
The prioritized list of risks provides management with a rational basis for determining how much resource to applydown the list if more resources are allocated, and vice versa.
5/13/2018 ISO27k FMEA Spreadsheet - slidepdf.com
http://slidepdf.com/reader/full/iso27k-fmea-spreadsheet-55a74f747f9ea 5/21
FMEA Sample
Page 5
Department: XYZ Department
Sl.No. Business / Service Asset Name Asset Number Function
8 Firewall 5000 IP Spoofing 8
4 Firewall 5000 7
9 Firewall 5000 DDOS Attack 10
7 Firewall 5000 User awareness 5
5 Firewall 5000 6
Potential FailureMode(s)
Potential Technical
Effect(s)of Failure
Potential Business
Consequence(s) of Failure
S
ev
Potent
MechF
Protecting ITAssets
To blockunauthorized
requests
Rules notappropriatelyconfigured
Diversion of sensitive datatraffic, fraud
Procefo
Protecting ITAssets
To blockunauthorized
requests
Rules notappropriatelyconfigured
Entry for ExternalHackers
Disclosure or modification of
business records;prosecution; bad
PR; customer defection
Procefo
Protecting ITAssets
To blockunauthorized
requests
Rules notappropriatelyconfigured
Inability to
processelectronic
transactions; badPR; customer
defection
Procefo
Protecting ITAssets
To identifytrusted zonesby encryption
CIACompromised
Disclosure of customer database;
commercial andprivacy issues
Procefo
Protecting ITAssets
To identifytrusted zonesby encryption
Authenticationmechanism
using legacysystems having
improper configuration
User may not
have access tothe requested
service
Staff unable towork; backlogs;
bad PRPolicie
impl
5/13/2018 ISO27k FMEA Spreadsheet - slidepdf.com
http://slidepdf.com/reader/full/iso27k-fmea-spreadsheet-55a74f747f9ea 6/21
FMEA Sample
Page 6
3 Firewall 5000 7
6 Firewall 5000 DDOS Attack 10
2 Firewall 5000 7
1 Firewall 5000 Data Theft 7
Protecting ITAssets
To blockunauthorizedrequests
Rules notappropriatelyconfigured
Entry for ExternalHackers
Disclosure or modification of
business records;prosecution; bad
PR; customer defection
Prof
Protecting ITAssets
To blockunauthorized
requests
Rules notappropriately
configured
Inability toprocess
electronictransactions; bad
PR; customer defection
Prof
Protecting ITAssets
To identifytrusted zonesby encryption
Encryption level(56 bit or 128 bit)
mismatch
Data will beexposed as plain
text
Disclosure of
customer database;
commercial andprivacy issues
Policimp
Protecting ITAssets
To blockunauthorized
requests
Rules notappropriately
configured
Commercial andprivacy
consequences
Proa
5/13/2018 ISO27k FMEA Spreadsheet - slidepdf.com
http://slidepdf.com/reader/full/iso27k-fmea-spreadsheet-55a74f747f9ea 7/21
FMEA Sample
Page 7
5/13/2018 ISO27k FMEA Spreadsheet - slidepdf.com
http://slidepdf.com/reader/full/iso27k-fmea-spreadsheet-55a74f747f9ea 8/21
FMEA Sample
Page 8
ontrols
Action Results
Implemented Controls
N e w
S e v
N e w
O c c
N e w
D e t
Detective Controls Detective Controls
4 64 5 3 2
4 56 5 3 2
2 40 2 5 2
1 30 Not Required Not Required 5 2 2
5 30 User Awareness User Awareness 1 5 3
Det
R
PN
RecommendedControls
Responsibility &Target CompletionDate
DetectiveControls
PreventiveControls
PreventiveControls
Increase auditfrequency
XYZ by end Jan2006
Increase auditfrequency
LogMonitoring
Increase auditfrequency
XYZ by end Jan2006
Increase auditfrequency
Increase auditfrequency
XYZ by end Jan2006
Increase auditfrequency
Business owner to formallyaccept risk
XYZ by endMarch 2006
5/13/2018 ISO27k FMEA Spreadsheet - slidepdf.com
http://slidepdf.com/reader/full/iso27k-fmea-spreadsheet-55a74f747f9ea 9/21
FMEA Sample
Page 9
ontrols
Action Results
Implemented Controls
c
R
RecommendedControls
2 28 1 4 2
1 20 1 4 2
1 14 User Awareness User Awareness 2 2 2
1 14 User Awareness User Awareness 2 2 1
Increase auditfrequency
XYZ by end Jan2006
Increase auditfrequency
LogMonitoring
Increase auditfrequency
XYZ by end Jan2006
Increase auditfrequency
XYZ by endMarch 2006
XYZ by endMarch 2006
5/13/2018 ISO27k FMEA Spreadsheet - slidepdf.com
http://slidepdf.com/reader/full/iso27k-fmea-spreadsheet-55a74f747f9ea 10/21
FMEA Sample
Page 10
ontrols
Action Results
Implemented Controls
R
RecommendedControls
5/13/2018 ISO27k FMEA Spreadsheet - slidepdf.com
http://slidepdf.com/reader/full/iso27k-fmea-spreadsheet-55a74f747f9ea 11/21
FMEA Sample
Page 11
N e
w
R P N
30
30
20
20
15
5/13/2018 ISO27k FMEA Spreadsheet - slidepdf.com
http://slidepdf.com/reader/full/iso27k-fmea-spreadsheet-55a74f747f9ea 12/21
FMEA Sample
Page 12
N
8
8
8
4
5/13/2018 ISO27k FMEA Spreadsheet - slidepdf.com
http://slidepdf.com/reader/full/iso27k-fmea-spreadsheet-55a74f747f9ea 13/21
FMEA Sample
Page 13
N
5/13/2018 ISO27k FMEA Spreadsheet - slidepdf.com
http://slidepdf.com/reader/full/iso27k-fmea-spreadsheet-55a74f747f9ea 14/21
Severity
Page 14
Effect SEVERITY of Effect Ranking
Catastrophic Resource not available / Problem unknown 10
Extreme 9
Very High 8
High Resource Available / Major violation of policies 7
Moderate Resource Available / Major violations of process 6
Low Resource Available / Major violations of procedures 5
Very Low Resource Available / Minor violations of policies 4
Minor Resource Available / Minor violations of process
3Very Minor Resource Available / Minor violations of procedures 2
None No effect 1
Resource not available / Problem known and cannot be
controlledResource not available / Problem known and can becontrolled
5/13/2018 ISO27k FMEA Spreadsheet - slidepdf.com
http://slidepdf.com/reader/full/iso27k-fmea-spreadsheet-55a74f747f9ea 15/21
Severity
Page 15
5/13/2018 ISO27k FMEA Spreadsheet - slidepdf.com
http://slidepdf.com/reader/full/iso27k-fmea-spreadsheet-55a74f747f9ea 16/21
Severity
Page 16
5/13/2018 ISO27k FMEA Spreadsheet - slidepdf.com
http://slidepdf.com/reader/full/iso27k-fmea-spreadsheet-55a74f747f9ea 17/21
Severity
Page 17
5/13/2018 ISO27k FMEA Spreadsheet - slidepdf.com
http://slidepdf.com/reader/full/iso27k-fmea-spreadsheet-55a74f747f9ea 18/21
Severity
Page 18
5/13/2018 ISO27k FMEA Spreadsheet - slidepdf.com
http://slidepdf.com/reader/full/iso27k-fmea-spreadsheet-55a74f747f9ea 19/21
Severity
Page 19
5/13/2018 ISO27k FMEA Spreadsheet - slidepdf.com
http://slidepdf.com/reader/full/iso27k-fmea-spreadsheet-55a74f747f9ea 20/21
Probability
Page 20
PROBABILITY of Failure Failure Prob Ranking
Very High: Failure is almost inevitable>1 in 2 10
1 in 3 9
High: Repeated failures
1 in 8 8
1 in 20 7
Moderate: Occasional failures
1 in 80 6
1 in 400 5
1 in 2,000 4
Low: Relatively few failures1 in 15,000 3
1 in 150,000 2
Remote: Failure is unlikely <1 in 1,500,000 1
5/13/2018 ISO27k FMEA Spreadsheet - slidepdf.com
http://slidepdf.com/reader/full/iso27k-fmea-spreadsheet-55a74f747f9ea 21/21
Detectability
Page 21
Detection Likelihood of DETECTION Ranking
10
Very Remote 9
Remote 8
Very Low 7
Low 6
Moderate 5
Moderately High 4
High 3
Very High 2
Almost Certain 1
AbsoluteUncertainty
Control cannot prevent / detect potential cause/mechanismand subsequent failure mode
Very remote chance the control will prevent / detect potentialcause/mechanism and subsequent failure mode
Remote chance the control will prevent / detect potentialcause/mechanism and subsequent failure mode
Very low chance the control will prevent / detect potentialcause/mechanism and subsequent failure mode
Low chance the control will prevent / detect potentialcause/mechanism and subsequent failure mode
Moderate chance the control will prevent / detect potentialcause/mechanism and subsequent failure mode
Moderately High chance the control will prevent / detectpotential cause/mechanism and subsequent failure mode
High chance the control will prevent / detect potentialcause/mechanism and subsequent failure mode
Very high chance the control will prevent / detect potentialcause/mechanism and subsequent failure mode
Control will prevent / detect potential cause/mechanism andsubsequent failure mode