Assessing consequences in risk assessment
Answer:
Since ISO 27001 does not prescribe the approach you should take, this means all of these options are possible. Basically, I would suggest the following approach:
If you are a small company, you should assess the impact (consequences) with only one value - this way you avoid overkill.
If you are a larger organization and want to have more precise results, you can assess the impact separately for confidentiality, integrity and availability - this way you will get a better feeling for where the potential problem is, and which kinds of controls you will need to apply.
Assessing consequences in categories like financial, legal, etc. will help you better focus on the level of impact, but won't help you with the type of controls you will need to apply - therefore, you have to consider whether option (2) or (3) is better in your situation.
For any of these values you can use the scale Low-Medium-High, 0 to 4, 1 to 5, 1 to 10, or any other scale.
Jan 12, 2016