Expert Advice Community
Asset based
Guest user | Created: Jan 12, 2016 | Last commented: Jan 12, 2016

Guest
AntonioS Jan 12, 2016

One ISO practitioner told me that according to the ISO27K:2013 standard, risk assessment should be based on services instead of assets. It should be services -- threats -- vulnerabilities -- risk, and then map risk to assets. Is this correct?
Also, will you please share a sample organisation structure that includes CISO, ISM and Information Security Officer along with CIO, COO and CEO?

Answer:

With ISO 27001:2013 it is not necessary that your methodology be based on assets; it can be based on services or also on processes. And you can assign, to each service, threats/vulnerabilities, and afterwards map risks to assets (although I think that this last step is not necessary). Anyway, I recommend you to read this article “What has changed in risk assessment in ISO 27001:2013”: https://advisera.com/27001academy/knowledgebase/what-has-changed-in-risk-assessment-in-iso-270012013/
Regarding your question related to the CISO, we do not have a document with this, but I think that this article can be interesting for you: “Chief Information Security Officer (CISO) - where does he belong in an org chart?”: https://advisera.com/27001academy/blog/2012/09/11/chief-information-security-officer-ciso-where-does-he-belong-in-an-org-chart/

Guest
Guest post Jan 12, 2016

Antonio,

As suggested, even though the 2013 version does not make any mandate for the methodology, I feel a risk assessment based on processes/services makes more sense than depending on granular assets. Also, if it is service/business-process based, identification of the risks that the business needs to worry about most is easier than with an asset-based methodology.

Guest
AntonioS Jan 12, 2016

Depending on the business it can be more or less easy. Generally, if you have many assets (think of a multinational: thousands), it can be a good idea to use a process-based methodology, but if not, maybe it can be better to use an asset-based methodology.
