Expert Advice Community

Guest user Created:   Jan 12, 2016 Last commented:   Jan 12, 2016

Assessing consequences in risk assessment

Regarding consequences assessment - would you recommend assessing one value or splitting this factor based on information security aspects or business consequence categories? As I see reviewing some examples available on the Internet, sometimes people assess consequences of losing confidentiality, integrity or availability separately. Others assess separately financial consequences, law and regulatory consequences, reputation consequences and so on.
DejanK Jan 12, 2016

Answer:

Since ISO 27001 does not prescribe the approach you should take, this means all of these options are possible. Basically, I would suggest the following approach:

1. If you are a small company, you should assess the impact (consequences) with only one value - this way you avoid overkill.
2. If you are a larger organization and want to have more precise results, you can assess the impact separately for confidentiality, integrity and availability - this way you will get a better feeling where the potential problem is, and which kind of controls you will need to apply.
3. Assessing consequences in categories like financial, law, etc. will help you better focus on the level of impact, but won't help you with the type of controls you will need to apply - therefore, you have to consider whether option (2) or (3) is better in your situation.

For any of these values you can use the scale Low-Medium-High, 0 to 4, 1 to 5, 1 to 10, or any other.

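A constructed comparison of the three options DejanK lists, added here as an example and not part of the original thread: the same asset and threat scored with a single impact value, with separate C/I/A impacts, and with business-category impacts. The Low/Medium/High scale, the "likelihood x worst impact" formula, the scenario values and the control-family hints are all my assumptions.

```python
# Constructed comparison of the three impact-assessment options discussed above
# (single value, per-C/I/A, per-business-category). Assumption: risk is
# likelihood x the worst assessed impact, on a Low/Medium/High scale mapped to 1..3.
from dataclasses import dataclass

SCALE = ("Low", "Medium", "High")   # any other scale (0-4, 1-5, 1-10) works the same way

# Illustrative assumption only: the CIA property that is hit hardest hints at which
# family of controls to look at first. Option 1 and option 3 cannot produce this hint.
CONTROL_HINT = {
    "C": "access control, encryption",
    "I": "change control, integrity checking",
    "A": "backup, redundancy, continuity planning",
}

def score(level: str) -> int:
    """Map a Low/Medium/High label to 1..3; reject anything not on the agreed scale."""
    if level not in SCALE:
        raise ValueError(f"{level!r} is not on the scale {SCALE}")
    return SCALE.index(level) + 1

@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: str
    impact: dict   # option 1: {"overall": ..}; option 2: {"C","I","A"}; option 3: {"financial", ..}

def risk_score(r: Risk) -> int:
    """Likelihood x the worst assessed impact dimension (1..9 on this scale)."""
    return score(r.likelihood) * max(score(v) for v in r.impact.values())

def dominant_dimension(r: Risk):
    """Return (dimension, control hint) when C/I/A were assessed separately; None otherwise."""
    if set(r.impact) != {"C", "I", "A"}:
        return None
    dim = max(r.impact, key=lambda k: score(r.impact[k]))
    return dim, CONTROL_HINT[dim]

# Constructed scenario: one threat to one asset, assessed the three ways from the answer.
option1 = Risk("customer DB", "ransomware", "Medium", {"overall": "High"})
option2 = Risk("customer DB", "ransomware", "Medium", {"C": "Low", "I": "Medium", "A": "High"})
option3 = Risk("customer DB", "ransomware", "Medium",
               {"financial": "High", "law and regulatory": "Medium", "reputation": "Medium"})

if __name__ == "__main__":
    for r in (option1, option2, option3):
        print(r.impact, "-> risk", risk_score(r), "| dominant:", dominant_dimension(r))
```

All three options land on the same risk score for this scenario, but only option 2 tells you that availability is what drives it.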
Guest post Jan 12, 2016

Thanks for that explanation.
It was very helpful for me.
