ISO 27001 how to assign risk value
1) ISO 27001:2005 does not require risk value to be assigned to asset risk - this standard requires impact to be one of the factors that determines the level of risk.
2) ISO 27001:2013 does not require risk value to be assigned to owner of the asset risk - this standard also requires impact to be one of the factors that determines the level of risk.
These articles will help you understand these issues:
How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
Risk owners vs. asset owners in ISO 27001:2013 https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/
What has changed in risk assessment in ISO 27001:2013 https://advisera.com/27001academy/knowledgebase/what-has-changed-in-risk-assessment-in-iso-270012013/
Jan 12, 2016