Expert Advice Community

Home / ISO 27001 & 22301 / Is assessing asset value mandatory?

Guest

Is assessing asset value mandatory?

ISO 27001 & 22301
  Quote
Guest
Guest user Created:   Feb 08, 2016 Last commented:   Feb 08, 2016

Is assessing asset value mandatory?

ISO 27001 & 22301
I happened to listen to the recording of your webinar on 'Basics of RIsk Assessment and Treatment'.
0 0

Assign topic to the user

ISO 27001 RISK ASSESSMENT TABLE

Implement risk register using catalogues of vulnerabilities and threats.

ISO 27001 RISK ASSESSMENT TABLE

Implement risk register using catalogues of vulnerabilities and threats.
Expert
Dejan Kosutic Feb 08, 2016

It is very useful. A clarification: In your Risk value calculation, you are considering only the Impact & Probability.
Do we have to consider the Asset value also. Please clarify.

Answer:

ISO 27001 does not require you to assess the asset value - this is actually one of the greatest myths about risk assessment; what ISO 27001 does require you is to assess impact and likelihood. Of course, if you want to, you can assess asset value, but then you should assess these 3 items: asset value, threats and vulnerabilities (instead of only impact and likelihood).

This article explains this into more detail: How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Feb 08, 2016

Feb 08, 2016

Suggested Topics
Guest user Created:   Oct 31, 2023 ISO 27001 & 22301
Replies: 1
0 0

Question on risk register and selection of the assets
Guest user Created:   Sep 20, 2023 ISO 27001 & 22301
Replies: 1
0 0

Asset and Risk Owners - can it be a role and also a name of an employee
Guest user Created:   Aug 10, 2023 ISO 27001 & 22301
Replies: 1
0 0

What asset to list when Risks relate to general or high-level assets?