The Swiss Cheese Model of Risk Management explained

swiss cheese model

Which is better: One major control that is 95% effective OR 4 minor controls each of which is 60% effective? 

In applying ISO/IEC 27001:2013 to an information security management system (ISMS), one of the requirements in Clause 6.1.3.c) states:

'Compare the controls determined in 6.1.3 b) above with those of Annex A and verify that no necessary controls have been omitted.'

All too frequently, Certification Body Auditors find that this requirement, which is about risk management, results in a one-to-one relationship between applicable threats and a control to address the risk arising.  This is not surprising because Annex A, Reference control objectives and controls, is set out in a tabular format that strongly suggests a single control for each vulnerability.  Also, ISO 27002, Code of practice for information security controls, states in clause 4.2, Control categories, b) that 'one or more controls can be applied to achieve the control objective'.  Again, it seems one control is adequate.  We do not agree!

While this may be accepted by the Auditor, it is a lousy, poor way to manage risk.  The Swiss Cheese approach is far superior.

The Swiss Cheese Approach

In the fields of both Aviation Safety and Occupational Health & Safety, the Swiss Cheese Model (originally proposed by an Englishman, James Reason) has a long and proven record of effectiveness in managing risk. The model and its application are very well explained in this YouTube Video on Aviation Safety.

In this model, each control to reduce risk is represented as a slice of cheese. The holes in the slice represent weaknesses in individual parts of the system and are continually varying in size and position across the slices.

The system produces failures when a hole in each slice momentarily aligns, permitting (in Reason's words) "a trajectory of accident opportunity", so that a hazard passes through holes in all of the slices, leading to a failure.

Infographic showing the Swiss Cheese Model of risk management

So, let's consider the question in the subtitle. Having established through risk assessment and evaluation that risk reduction measures (i.e. controls) are required, what approach should we take?

a) One major control that is 95% effective

Here the chance of failure of the control is 5 in 100 (or 5%). Or to put it another way:

With one major control in place, the chances of successfully controlling the risk are 95.0%

 

View our ISO 27001 Courses

 

b) Four minor controls each of which is 60% effective? 

In this case, we need to combine the individual chance of failure to evaluate the combined effect of the four controls.

Consider how the risk of failure decreases as we add each of the four controls.

Remembering that each is 60% effective, the chance of failure is the remaining 40%.

So, with one control in place, the chance of failure is 40%.

With two controls in place, the chance of failure is 40% x 40%.  That is 16%.

With a third control in place we get 40% x 40% x 40%.  That is, 6.4 %

And add in the fourth control, we get 40% x 40% x 40% x 40%.  Giving us a 2.56% chance of failure.

Therefore, with four minor controls in place, the chances of successfully controlling the risk are 97.4%.

Robust Protection against Failure

The robustness of the protection provided by the four minor controls is greater. Consider, if the one major control fails there is zero protection remaining. But if one of the four minor controls fails a 93.6% chance of successfully controlling the risk remains.

But be careful

There are two implicit assumptions in the Swiss Cheese Model to risk management for you to be aware of:

Firstly, for the multiple controls to be effective, they must be independent of one another.  An example would be, say, three controls each requiring an electricity supply to maintain their protection.

Here, one adverse event, a power loss, would knock out all three controls and the assumed protection of three controls would not accrue. To put it bluntly: you'd be kidding yourself!

Secondly, that we can reliably predict the level of risk reduction a control will provide.  We can't. Only by monitoring the performance of a system over time can we confirm the risk reduction achieved.  This is a powerful argument for using combinations of controls.

Conclusion: a combination of controls is best

The combination of risk controls provides a higher level of protection and, wherever possible, the use of single control to reduce risk should be avoided. A combination of controls will almost certainly prove more robust and more effective in the long run.  And we emphasize this in all our ISO 27001 Courses. Never settle for a single control when further controls are available.  Just think for a moment: if you rely on a single control and it fails, you have no protection; on the other hand, if you have multiple controls and one fails, you still have some protection in place perhaps enough to avoid catastrophe or to buy enough time to recover the situation.

Gap Analysis Tool ISO 27001

NOTE: This post was first published in Sep 2018; revised and updated Jan 2022.

Related Articles


deGRANDSON Global is an ISO Certified Educational Organization

InISO 21001 ISO 29993 ISO 29994 October 2021 we secured certification to three education-related ISO Standards.  We now have a university-grade management system in place conforming to the requirements of  …

  • ISO 21001, Educational Organizational Management System,
  • ISO 29993, Learning Services outside formal Education,  and
  • ISO 29994, Learning Services – additional requirements for Distance Learning.

We have chosen ISO 21001 certification because, unlike IRCA and Exemplar badges (which in our opinion are commercially compromised), it is based on independent third-party assessment.  It is a ‘university grade’ standard in use globally by schools, colleges, and universities to demonstrate their competence.

 

Written by Dr John FitzGerald

Director & Founder of deGRANDSON Global. Spent 15 years in the manufacturing industry and 25 years training, consulting & auditing management systems

Subscribe to Email Updates

FOLLOW US ON...

Recent Posts

Posts by Topic