SPRING DISCOUNT
Get 30% off on toolkits, course exams, and Conformio yearly plans.
Limited-time offer – ends April 25, 2024
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Risk Assessment of Assets
Hello As part of compliance with the NIS Regulations we are identifying assets, grouping them and them Risk Assessing them as a group. Our aspiration is to implement ISO27001 in the future so I am thinking this is an opportunity to get our Risk Assessments aligned to the standard. I am guessing for ISO27001 we would have to risk assess the invididual assets rather than as groups? So, rather than risk assess Core Network VMWare Business Systems Desktop Applications Would we need to risk assess as follows? Core Network VMWare Business System 1 Business System 2 Business System 3 Business System 4 Business System 5 Desktop Application 1 Desktop Application 2 Desktop Application 3 Desktop Application 4 Desktop Application 5 Thanks Lee -
Assets and Risks
Is it a fairly standard procedure, when considering risk assessment to follow this idea:
List all the assets which will include buildings, Servers, Networks, HR data, payroll data, Pension data, training records etc
Apply a standard set of threats to each and every asset regardless of whether it's a physical asset or an information asset (e.g. Environmental, deliberate external asset compromise, deliberate internal, accidental internal, loss of staff etc.) (In this example we'd apply the 5 threats to each asset to generate the risks i.e. the 7 assets listed would yield 35 Risks
Score the risks and generate the treatment plan
Is it overkill to least each data type? Should we just list the threats against the 3 or 4 data classification types as well as the physical assets.Any advice greatly appreciated.