I need one clarification on risk assessment , risk treatment and SOA, for ISO27001:2013 is based on "Business process" or it is Asset base.
This is a confusion, some say's it is Asset base and some says as per new revision it is "business process base".
I need your audiences or related link for more information, on the said subject.
Answer:
ISO 27001:2013 is not based on asset and neither on business process, this mean that you are free to develop your methodology on the base that you want (asset or business process). Although generally is recommendable a risk methodology based on asset.
This article can be interesting for you What has changed in risk assessment in ISO 27001:2013 : https://advisera.com/27001academy/knowledgebase/what-has-changed-in-risk-assessment-in-iso-270012013/
Comment as guest or Sign in
Jan 13, 2016