Which is better: One major control that is 95% effective OR 4 minor controls, each of which is 60% effective?
In applying ISO/IEC 27001:2022 to an information security management system (ISMS), one of the requirements in Clause 6.1.3.c) states: 'Compare the controls determined in 6.1.3 b) above with those of Annex A and verify that no necessary controls have been omitted.'
All too frequently, Certification Body Auditors find that this requirement, which is about risk management, results in a one-to-one relationship between applicable threats and a Control to address the risk arising. This is not surprising because Annex A, Reference control objectives and controls, is set out in a tabular format that strongly infers the adequacy of a single control for each vulnerability. Also, ISO 27002:2022, the guide to Information Security Controls, says nothing to dispel this interpretation.
While this may be accepted by your External Auditor, it is a very poor way to manage risk. The Swiss Cheese approach is far superior.
The Swiss Cheese Approach
In the fields of both Aviation Safety and Occupational Health & Safety, the Swiss Cheese Model (originally proposed by an Englishman, James Reason) has a long and proven record of effectiveness in managing risk. The model and its application are very well explained in this YouTube Video on Aviation Safety.
In this model, which is fully demonstrated in our ISO 27001 training courses, each control to reduce risk is represented as a slice of cheese. The holes in the slice represent weaknesses in individual parts of the system and are continually varying in size and position across the slices.
The system produces failures when a hole in each slice momentarily aligns, permitting (in Reason's words) "a trajectory of accident opportunity", so that a hazard passes through holes in all of the slices, leading to a failure.
So, let's consider the question in the subtitle. Having established through risk assessment and evaluation that risk reduction measures (i.e. controls) are required, what approach should we take?
a) One major control that is 95% effective
Here the chance of failure of the control is 5 in 100 (or 5%). Or, to put it another way:
With one major control in place, the chances of successfully controlling the risk are 95.0%
b) Four minor controls, each of which is 60% effective?
In this case, we need to combine the individual chance of failure to evaluate the combined effect of the four controls.
Consider how the risk of failure decreases as we add each of the four controls.
Remembering that each is 60% effective, the chance of failure is the remaining 40%.
So, with one control in place, the chance of failure is 40%.
With two controls in place, the chance of failure is 40% x 40%. That is 16%.
With a third control in place, we get 40% x 40% x 40%. That is, 6.4 %
And add in the fourth control, we get 40% x 40% x 40% x 40%. Giving us a 2.56% chance of failure.
Therefore, with four minor controls in place, the chances of successfully controlling the risk are 97.4%.
Robust Protection against Failure
The robustness of the protection provided by the four minor controls is greater. Consider, if the one major control fails, there is zero protection remaining. But if one of the four minor controls fails, a 93.6% chance of successfully controlling the risk remains.
But be careful
There are two implicit assumptions in the Swiss Cheese Model to risk management for you to be aware of:
Firstly, for the multiple controls to be effective, they must be independent of one another. An example would be, say, three controls, each requiring an electricity supply to maintain their protection.
Here, one adverse event, a power loss, would knock out all three controls, and the assumed protection of three controls would not accrue. To put it bluntly: you'd be kidding yourself!
Secondly, that we can reliably predict the level of risk reduction, a control will provide. We can't. Only by monitoring the performance of a system over time can we confirm the risk reduction achieved. This is a powerful argument for using combinations of controls.
Conclusion: a combination of controls is best
The combination of risk controls provides a higher level of protection, and, wherever possible, the use of single control to reduce risk should be avoided. A combination of controls will almost certainly prove more robust and more effective in the long run. And we emphasize this in all our ISO 27001 Courses. Never settle for a single control when further controls are available. Just think for a moment: if you rely on a single control and it fails, you have no protection; on the other hand, if you have multiple controls and one fails, you still have some protection in place, perhaps enough to avoid catastrophe or to buy enough time to recover the situation.
- ISO 14971 Risk Management: 12 FAQs Answered
- Risk Assessment and Risk Management Courses
- ISO 45001 requires Risk Management & Not Just Risk-based Thinking
- ISO 13485 Requires Risk Management & Risk-based Thinking
- ISO 9001 and Risk-based Thinking - Some Practical Advice
deGRANDSON Global is an ISO Certified Educational Organization
We have chosen ISO 21001 certification because, unlike IRCA and Exemplar badges (which in our opinion are commercially compromised), it is based on independent third-party assessment. It is a ‘university grade’ standard in use globally by schools, colleges, and universities to demonstrate their competence.