ISO27k FMEA Spreadsheet 1v1
The original version of this spreadsheet was kindly provided to the ISO27k Implementers' Forum by Bala Ramanan to dem
security risks. Subsequently, Bala kindly agreed to donate it to the ISO27k Toolkit. Apart from minor updates and reformatting
Contents
The FMEA Sample tab has the actual illustration - an analysis of possible failure modes for a firewall.
The Guidelines provide additional notes on the FMEA method, including a step-by-step process outline.
The Severity, Probability and Detectability tabs have tables demonstrating scales commonly used to rank risks by these criteria
Copyright
This work is copyright © 2008, ISO27k Forum, some rights reserved. It is licensed under the Creative Commons Attribu
reproduce, circulate, use and create derivative works from this provided that (a) it is not sold or incorporated into a commer
Forum at www.ISO27001security.com, and (c) derivative works are shared under the same terms as this.
Disclaimer
Risk analysis is more art than science. Don't be fooled by the numbers and formulae: the results are heavily influenced by the
information assets and by the framing of risks being considered. For these reasons, the process is best conducted by a
assessing and managing information security risks, and (b) the organization, its internal and external situation with respect
anyone. It is impossible to guarantee that all risks have been considered and analyzed correctly. Some very experienced pr
and we have some sympathy with that viewpoint.
The results of the analysis should certainly be reviewed by management (ideally including IT auditors, Legal, HR, other su
adjusted according to their experience, so long as the expert views are taken into consideration. Remember: just because t
security risk does not necessarily mean that it can be discounted. Organizations with immature security management proces
are not even recognized, due to inadequate incident detection and reporting processes.
Important notes:
| Sl.No. | Business / Service | Asset Name | Asset Number | Function | Potential Failure Mode(s) | Potential Technical Effect(s) of Failure | Potential Business Consequence(s) of Failure | Sev | Potential Cause(s)/Mechanism(s) of Failure | Prob | Current Controls: Preventive Controls |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 4 | Protecting IT Assets | Firewall | 5000 | To block unauthorized requests | Rules not appropriately configured | Entry for External Hackers | Disclosure or modification of business records; prosecution; bad PR; customer defection | 7 | Procedures not followed | 2 | |
| 9 | Protecting IT Assets | Firewall | 5000 | To block unauthorized requests | Rules not appropriately configured | DDOS Attack | Inability to process electronic transactions; bad PR; customer defection | 10 | Procedures not followed | 2 | Procedures available |
| 7 | Protecting IT Assets | Firewall | 5000 | To identify trusted zones by encryption | User awareness | CIA Compromised | Disclosure of customer database; commercial and privacy issues | 5 | Procedures not followed | 6 | Policies Defined |
| 5 | Protecting IT Assets | Firewall | 5000 | To identify trusted zones by encryption | Authentication mechanism using legacy systems having improper configuration | User may not have access to the requested service | Staff unable to work; backlogs; bad PR | 6 | Policies not fully implemented | 1 | Policies Defined |
FMEA Sample
| Sl.No. | Business / Service | Asset Name | Asset Number | Function | Potential Failure Mode(s) | Potential Technical Effect(s) of Failure | Potential Business Consequence(s) of Failure | Sev | Potential Cause(s)/Mechanism(s) of Failure | Prob | Current Controls: Preventive Controls |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 3 | Protecting IT Assets | Firewall | 5000 | To block unauthorized requests | Rules not appropriately configured | Entry for External Hackers | Disclosure or modification of business records; prosecution; bad PR; customer defection | 7 | Procedures not followed | 2 | Procedures available |
| 6 | Protecting IT Assets | Firewall | 5000 | To block unauthorized requests | Rules not appropriately configured | DDOS Attack | Inability to process electronic transactions; bad PR; customer defection | 10 | Procedures not followed | 2 | |
| 2 | Protecting IT Assets | Firewall | 5000 | To identify trusted zones by encryption | Encryption level (56 bit or 128 bit) mismatch | Data will be exposed as plain text | Disclosure of customer database; commercial and privacy issues | 7 | Policies not fully implemented | 2 | Policies Defined |
| Current Controls: Detective Controls | Det | RPN | Recommended Controls (Preventive / Detective) | Responsibility & Target Completion Date | Action Results: Controls Implemented (Preventive / Detective) | New Sev | New Occ | New Det | New RPN |
|---|---|---|---|---|---|---|---|---|---|
| | 1 | 30 | Not Required / Not Required | Business owner to formally accept risk | | 5 | 2 | 2 | 20 |
| | 5 | 30 | User Awareness | XYZ by end March 2006 | User Awareness | 1 | 5 | 3 | 15 |
| Current Controls | Det | RPN | Recommended Controls | Responsibility & Target Completion Date | Action Results: Controls Implemented | New Sev | New Occ | New Det | New RPN |
|---|---|---|---|---|---|---|---|---|---|
| | 1 | 14 | User Awareness | XYZ by end March 2006 | User Awareness | 2 | 2 | 2 | 8 |
| | 1 | 14 | User Awareness | XYZ by end March 2006 | User Awareness | 2 | 2 | 1 | 4 |
Severity
None No effect 1
Probability
Detectability