Which is better: One major control that is 95% effective OR 4 minor controls each of which is 60% effective?
In applying ISO/IEC 27001:2013 to an information security management system (ISMS), one of the requirements in Clause 6.1.3.c) states:
'Compare the controls determined in 6.1.3 b) above with those of Annex A and verify that no necessary controls have been omitted.'
All too frequently, Certification Body Auditors find that this requirement, which is about risk management, results in a one-to-one relationship between applicable threats and a control to address the risk arising. This is not surprising because Annex A, Reference control objectives and controls, is set out in a tabular format that strongly suggests a single control for each vulnerability. Also, ISO 27002, Code of practice for information security controls, states in clause 4.2, Control categories, b) that 'one or more controls can be applied to achieve the control objective'. Again, it seems one control is adequate. We do not agree!
While this may be accepted by the Auditor, it is a lousy, poor way to manage risk. The Swiss Cheese approach is far superior.
The Swiss Cheese Approach
In the fields of both Aviation Safety and Occupational Health & Safety, the Swiss Cheese Model, originally proposed by an Englishman, James Reason, has a long and proven record of effectiveness in managing risk. The model and its application are very well explained in this YouTube Video on Aviation Safety.
In this model, each control to reduce risk is represented as a slice of cheese. The holes in the slice represent weaknesses in individual parts of the system and are continually varying in size and position across the slices.
The system produces failures when a hole in each slice momentarily aligns, permitting (in Reason's words) "a trajectory of accident opportunity", so that a hazard passes through holes in all of the slices, leading to a failure.
So, let's consider the question in the subtitle. Having established through risk assessment and evaluation that risk reduction measures (i.e. controls) are required, what approach should we take?
a) One major control that is 95% effective
Here the chance of failure of the control is 5 in 100 (or 5%). Or to put it another way:
With one major control in place, the chances of successfully controlling the risk are 95.0%.
b) Four minor controls each of which is 60% effective?
In this case, we need to combine the individual chance of failure to evaluate the combined effect of the four controls.
Consider how the risk of failure decreases as we add each of the four controls.
Remembering that each is 60% effective, the chance of failure is the remaining 40%.
So, with one control in place, the chance of failure is 40%.
With two controls in place, the chance of failure is 40% x 40%. That is 16%.
With a third control in place, we get 40% x 40% x 40%. That is 6.4%.
Adding in the fourth control, we get 40% x 40% x 40% x 40%, giving us a 2.56% chance of failure.
Therefore, with four minor controls in place, the chances of successfully controlling the risk are 97.4%.
Robust Protection against Failure
The robustness of the protection provided by the four minor controls is greater. Consider: if the one major control fails, there is zero protection remaining. But if one of the four minor controls fails, a 93.6% chance of successfully controlling the risk remains.
But be careful
There are two implicit assumptions in the Swiss Cheese approach to risk management for you to be aware of:
Firstly, for the multiple controls to be effective, they must be independent of one another. A counter-example would be, say, three controls each requiring an electricity supply to maintain their protection.
Here, one adverse event, a power loss, would knock out all three controls and the assumed protection of three controls would not accrue. To put it bluntly: you'd be kidding yourself!
Secondly, it assumes that we can reliably predict the level of risk reduction a control will provide. We can't. Only by monitoring the performance of a system over time can we confirm the risk reduction achieved. This is a powerful argument for using combinations of controls.
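The arithmetic above, together with the independence caveat, as an added example that is not part of the original post. The function names and the shared-dependency model (one common failure defeats every control at once) are assumptions made for illustration.

```python
from math import prod

def miss_probability(effectiveness):
    """Chance a hazard passes every control, assuming independent controls."""
    for e in effectiveness:
        if not 0.0 <= e <= 1.0:
            raise ValueError(f"effectiveness must be within 0..1, got {e}")
    return prod(1.0 - e for e in effectiveness)  # empty list -> 1.0 (no protection)

def layered_failure(effectiveness, shared_failure=0.0):
    """Failure chance when every control also relies on one shared dependency.

    shared_failure is the assumed chance that the dependency (for example a
    single electricity supply) is down, which defeats all controls at once.
    """
    if not 0.0 <= shared_failure <= 1.0:
        raise ValueError("shared_failure must be within 0..1")
    return shared_failure + (1.0 - shared_failure) * miss_probability(effectiveness)

def failure_after_losing_one(effectiveness):
    """Worst-case failure chance once any single control has dropped out."""
    return max(
        miss_probability(effectiveness[:i] + effectiveness[i + 1:])
        for i in range(len(effectiveness))
    )

def break_even_shared_failure(effectiveness, target_failure):
    """Shared-dependency failure rate at which the layers only match target_failure."""
    independent = miss_probability(effectiveness)
    if independent >= target_failure:
        return 0.0  # the layers are no better even with full independence
    return (target_failure - independent) / (1.0 - independent)

if __name__ == "__main__":
    major, minors = [0.95], [0.60] * 4  # the two options from the post
    print(f"one major control   : {layered_failure(major):.2%} failure")
    print(f"four minor controls : {layered_failure(minors):.2%} failure")
    print(f"major, one lost     : {failure_after_losing_one(major):.2%} failure")
    print(f"minors, one lost    : {failure_after_losing_one(minors):.2%} failure")
    q = break_even_shared_failure(minors, miss_probability(major))
    print(f"shared dependency failing {q:.2%} of the time erases the advantage")
```

Under this assumed model, a shared dependency that is unavailable about 2.5% of the time is enough to bring the four minor controls down to the 5% failure chance of the single major control.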
Conclusion: a combination of controls is best
The combination of risk controls provides a higher level of protection and, wherever possible, the use of a single control to reduce risk should be avoided. A combination of controls will almost certainly prove more robust and more effective in the long run. And we emphasise this in all our ISO 27001 Courses. Never settle for a single control when further controls are available. Just think for a moment: if you rely on a single control and it fails, you have no protection; on the other hand, if you have multiple controls and one fails, you still have some protection in place, perhaps enough to avoid catastrophe or to buy enough time to recover the situation.
NOTE: This post was first published in Sep 2018; revised and updated Apr 2021.