An ISO practitioner told me that, according to the ISO27K:2013 standard, risk assessment should be based on services instead of assets. It should be services -> threats -> vulnerabilities -> risk, and then map the risk to assets. Is this correct?
Also, would you please share a sample organisation structure that includes a CISO, an ISM and an Information Security Officer, along with the CIO, COO and CEO?
Answer:
With ISO 27001:2013 it is not necessary that your methodology be based on assets; it can be based on services or also on processes. And you can assign threats/vulnerabilities to each service, and afterwards map risks to assets (although I think that this last step is not necessary). Anyway, I recommend you read this article, "What has changed in risk assessment in ISO 27001:2013": https://advisera.com/27001academy/knowledgebase/what-has-changed-in-risk-assessment-in-iso-270012013/
Regarding your question about the CISO, we do not have a document on this, but I think that this article can be interesting for you, "Chief Information Security Officer (CISO) - where does he belong in an org chart?": https://advisera.com/27001academy/blog/2012/09/11/chief-information-security-officer-ciso-where-does-he-belong-in-an-org-chart/
Guest
Jan 12, 2016
Antonio,
As suggested, even though the 2013 version does not mandate any methodology, I feel that risk assessment based on processes/services makes more sense than depending on granular assets. Also, if it is service/business-process based, identifying the risks that the business needs to worry about most is easier than with an asset-based methodology.