Assign topic to the user
One of ISO practitioner told me According to ISO27K:2013 standard, Risk assessment should be based on services instead assets. It should be services --Threats --Vulnerabilities --risk and then map risk to assets. Is this correct?
Also will you please share a sample organisation structure that includes CISO, ISM and Information Security officer along with CIO, COO and CEO
Answer:
With the ISO 27001:2013 is not necessary that your methodology be based on assets, can be based in services or also in process. And you can assign, to each service, threats/vulnerabilities, and after map risks to assets (although I think that this last step is not necessary). Anyway, I recommend you to read this article What has changed in risk assessment in ISO 27001:2013 : https://advisera.com/27001academy/knowledgebase/what-has-changed-in-risk-assessment-in-iso-270012013/
Regarding to your question related to the CISO, we do not have a document with this, but I think that this article can be interesting for you Chief Information Security Officer (CISO) - where does he belong in an org chart? : https://advisera.com/27001academy/blog/2012/09/11/chief-information-security-officer-ciso-where-does-he-belong-in-an-org-chart/
Antonio,
As suggested , even through the 2013 version is not made any mandate for the methodology, I feel risk assessment based on Process/services makes sense than depends on granular asset. Also if it is service/business process based, identification of risks that business needs to worry much is easy than asset based methodology
Comment as guest or Sign in
Jan 12, 2016