Cristin result ID: 1336230
Last modified: 9 March 2016, 21:36
NVI reporting year: 2015
Result
Scientific article
2015

Combining Security Risk Assessment and Security Testing Based on Standards

Contributors:
  • Jürgen Großmann and
  • Fredrik Seehusen

Journal

Lecture Notes in Computer Science (LNCS)
ISSN 0302-9743
e-ISSN 1611-3349
NVI level 1

About the result

Scientific article
Publication year: 2015
Volume: 9488
Pages: 18 - 33

Import sources

Scopus ID: 2-s2.0-84951080799

Description

Title

Combining Security Risk Assessment and Security Testing Based on Standards

Abstract

Managing cyber security has become increasingly important due to the growing interconnectivity of computerized systems and their use in society. A comprehensive assessment of cyber security can be challenging as it spans different domains of knowledge and expertise. For instance, identifying cyber security vulnerabilities requires detailed technical expertise and knowledge, while the assessment of organizational impact and legal implications of cyber security incidents may require expertise and knowledge related to risk and compliance. Standards like ISO 31000 and ISO/IEC/IEEE 29119 detail the relevant aspects of risk management and testing and thus provide guidance in these areas. However, neither standard is exclusively dedicated to the subject of security, and they do not cover the explicit integration between security risk assessment and security testing. We think, however, that they provide a good basis for that. In this paper we show how ISO 31000 and ISO/IEC/IEEE 29119 can be integrated to provide a comprehensive approach to cyber security that covers both security risk assessment and security testing.

Contributors

Jürgen Großmann

  • Affiliation:
    Author
    at Fraunhofer-Gesellschaft zur Förderung der angewandten Forschung e.V.

Fredrik Seehusen

  • Affiliation:
    Author
    at Sustainable Communication Technologies at SINTEF AS