Risk based calculation
Why is risk only calculated based on physical assets? What about best practices, processes, and controls that are missing in an entity and causing risk? For example, HR practices, asset practices. Does the CIA apply here?
Can I not calculate risk along the same columns of controls defined in the SoA and create another risk assessment sheet for other assets like hardware, mostly under CIA?
ISO 27001 does not prescribe how to calculate risks, so organizations can adopt the approach that better suits their needs.
Considering that, please note that the most commonly used approach is the asset-threat-vulnerability approach, which uses not only physical assets but also information, data, services, and other kinds of assets, where risks are determined according to their impacts on information confidentiality, integrity, and availability.
For further information, see:
- ISO 27001 Risk Assessment, Treatment, & Management: The Complete Guide https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/
In this article you will find information about:
- Main steps in risk management
- Risk assessment methodology
- Risk assessment
- What to use instead of an asset-based approach for ISO 27001 risk identification
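To make the asset-threat-vulnerability approach concrete, here is a small risk register in Python. It is an added illustration, not code from the forum or from Advisera, and the scoring rule it uses (likelihood multiplied by the worst-case CIA impact, on 1-5 scales, with High/Medium/Low thresholds) is an assumption chosen for the example; ISO 27001 does not prescribe any formula. The sample entries are constructed and deliberately mix physical assets (a router) with information, a service and an HR process, to show that a missing practice or control can be assessed in the same register under CIA.

```python
from dataclasses import dataclass

# Added example (not from the original page). Scales and thresholds below
# are assumptions for illustration; ISO 27001 prescribes no formula.
LIKELIHOOD_SCALE = range(1, 6)   # 1 = rare ... 5 = almost certain
IMPACT_SCALE = range(1, 6)       # 1 = negligible ... 5 = severe
HIGH_THRESHOLD = 15
MEDIUM_THRESHOLD = 8


@dataclass(frozen=True)
class RiskEntry:
    asset: str
    asset_type: str      # e.g. "information", "service", "process", "hardware"
    threat: str
    vulnerability: str   # the weakness or missing control that lets the threat act
    likelihood: int
    impact_c: int        # consequence for confidentiality if the threat materialises
    impact_i: int        # consequence for integrity
    impact_a: int        # consequence for availability

    def __post_init__(self) -> None:
        # Reject out-of-scale values early so a typo cannot silently skew the register.
        if self.likelihood not in LIKELIHOOD_SCALE:
            raise ValueError(f"{self.asset}: likelihood must be 1-5")
        for name, value in (("C", self.impact_c), ("I", self.impact_i), ("A", self.impact_a)):
            if value not in IMPACT_SCALE:
                raise ValueError(f"{self.asset}: impact {name} must be 1-5")

    def impact(self) -> int:
        # Worst-case consequence across the three CIA properties drives the rating.
        return max(self.impact_c, self.impact_i, self.impact_a)

    def score(self) -> int:
        return self.likelihood * self.impact()

    def level(self) -> str:
        s = self.score()
        if s >= HIGH_THRESHOLD:
            return "High"
        if s >= MEDIUM_THRESHOLD:
            return "Medium"
        return "Low"


# Constructed sample register: one physical asset, one information asset,
# one service, and one HR process whose missing control creates the risk.
SAMPLE_ENTRIES = [
    RiskEntry("Customer database", "information", "unauthorised access",
              "no periodic access review", 3, 5, 3, 2),
    RiskEntry("Employee onboarding process", "process", "new joiner receives excessive privileges",
              "no documented least-privilege provisioning procedure", 4, 4, 3, 1),
    RiskEntry("Office router", "hardware", "hardware failure",
              "no spare unit on site", 2, 1, 1, 4),
    RiskEntry("Backup service", "service", "backup media lost in transit",
              "backups not encrypted", 2, 5, 2, 3),
]


def build_register(entries: list[RiskEntry]) -> list[dict]:
    """Return the register as rows sorted from highest to lowest risk score."""
    rows = [
        {
            "asset": e.asset,
            "type": e.asset_type,
            "threat": e.threat,
            "vulnerability": e.vulnerability,
            "impact": e.impact(),
            "score": e.score(),
            "level": e.level(),
        }
        for e in entries
    ]
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def count_by_level(entries: list[RiskEntry]) -> dict[str, int]:
    """Summarise how many entries fall into each risk level."""
    counts = {"High": 0, "Medium": 0, "Low": 0}
    for e in entries:
        counts[e.level()] += 1
    return counts


if __name__ == "__main__":
    for row in build_register(SAMPLE_ENTRIES):
        print(f"{row['level']:<6} {row['score']:>2}  {row['type']:<11} {row['asset']}: "
              f"{row['threat']} (via: {row['vulnerability']})")
    print(count_by_level(SAMPLE_ENTRIES))
```

Note that the highest-scoring row in the sample is the onboarding process, not a piece of hardware: the "asset" is a process and the "vulnerability" is the missing control, which is exactly how practices and procedures fit into an asset-based register.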
Jan 17, 2023