Hybrid approach for risk assessment
Can we perform Hybrid approach (Service based & Asset based) risk assessment? Also, can we create the process /methodology document likewise?
Assign topic to the user
ISO 27001 RISK ASSESSMENT AND TREATMENT REPORT
Document the results of the risk management process.
Get it now 
ISO 27001 RISK ASSESSMENT AND TREATMENT REPORT
Document the results of the risk management process.
Get it now
ISO 27001 RISK ASSESSMENT AND TREATMENT REPORT
Document the results of the risk management process.
Get it now
Answer: ISO 27001 does not prescribe any approach for risk assessment, so you can adopt the one that better suits your organization, even a hybrid one. The same applies for the process/methodology. You can create your own, provided this one fulfills the requirements from the standard.
But please note that you have to verify if the benefits of adopting a hybrid approach will be greater than the complexity required to perform it.
For information about alternative approaches for risk identification, please read:
- ISO 31010: What to use instead of the asset-based approach for ISO 27001 risk identification https://advisera.com/27001academy/blog/2016/04/04/iso-31010-what-to-use-instead-of-the-asset-based-approach-for-iso-27001-risk-identification/
Comment as guest or Sign in
Sep 06, 2019