Expert Advice Community

Asset List for Risk assessment using the Wizard

Created:   Jun 27, 2023 Last commented:   Jun 30, 2023


Please can I have some guidance on the asset list, specifically thinking about vulnerabilities and threats: it is quite unclear whether we are talking about threats from or to the listed assets. For example, in terms of the building as an asset, the threat options seem to point to a threat to the building, whereas further down, for instance, third-party contractors or suppliers seem to be talking about the threat from the third party.

Would be grateful for any help.


Expert
Rhand Leal Jun 30, 2023

Please note that threats are always to the assets.

The logic in the asset-vulnerability-threat risk assessment approach is:

  • first, you choose an asset that is important to the organization (it can be people, applications, information in physical or electronic form, equipment, infrastructure, or services)
  • after that, you associate a vulnerability with the asset, i.e., a weakness inherent to the asset that can be exploited to compromise information-related confidentiality, integrity, and/or availability
  • finally, you associate with the asset-vulnerability pair one or more threats, i.e., an agent that exploits the vulnerability and compromises the asset.

Considering that, when you are choosing the assets, you need to think of the elements in the list of assets as being the target of a threat. When you advance in the assessment and are choosing the threats, you need to think of the elements in the list of threats as being the agents that can compromise an asset.

In your example about contractors or suppliers, it seems you are considering that contractors or suppliers are the ones performing the options described in the list of threats ("... threat from the third party"), when in fact you need to think of them as suffering the action.

For example, in the risk "Third-party services used over the Internet (e.g., SaaS) (Asset) - Cryptographic keys accessible to unauthorized persons (Vulnerability) - Malicious disclosure of passwords (Threat)", you need to think that it is not the SaaS provider that is performing the malicious disclosure of passwords, but that it is someone with access to the SaaS provider who is disclosing the passwords, so compromising its capability to protect the confidentiality, integrity, and/or availability of the information under its responsibility.
