Expert Advice Community

Assessing the C-I-A of assets

Guest user Created: Nov 27, 2018 Last commented: Nov 27, 2018

Q1: For a smaller company, can we choose not to assess the risk of an asset based on Confidentiality, Integrity and Availability?
Expert
Dejan Kosutic Nov 27, 2018

Answer: ISO 27001 does not require you to assess assets, but it does require you to assess the likelihood and impact of a risk. When the impact of a risk is assessed, you have to take into account the effects of this risk on the confidentiality, integrity and availability of your data.

Q2: Does the RTP have to cover all risks identified against each of the controls, or only the high/medium risks identified from your risk assessment performed against the company's assets?

Answer: The Risk Treatment Plan (RTP) has to cover only the controls that have not yet been implemented - it doesn't matter which assets or risks those controls are related to. The risk treatment process has a different purpose than the RTP - it has to cover only the unacceptable risks, i.e. the highest risks you identified during the risk assessment process.

See also these articles:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- Risk Treatment Plan and risk treatment process – What’s the difference? https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
- ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
- How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment

These materials will also help you regarding risk management:
- Book: ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- Free online training: ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
