Is it a fairly standard procedure, when considering risk assessment, to follow this idea:
1. List all the assets, which will include buildings, servers, networks, HR data, payroll data, pension data, training records, etc.
2. Apply a standard set of threats to each and every asset regardless of whether it's a physical asset or an information asset (e.g. environmental, deliberate external asset compromise, deliberate internal, accidental internal, loss of staff, etc.). (In this example we'd apply the 5 threats to each asset to generate the risks, i.e. the 7 assets listed would yield 35 risks.)
3. Score the risks and generate the treatment plan.
Is it overkill to list each data type? Should we just list the threats against the 3 or 4 data classification types as well as the physical assets?
Any advice greatly appreciated.
Please note that the approach you are using is not common (the common practice is the asset-threat-vulnerability approach, not using only the asset and threat combination). The problem with your approach is that by not considering potential vulnerabilities related to the asset you can have a misunderstanding about the risk. For example, if for a certain asset the vulnerabilities aren't easy for threats to exploit, the risk will be lower.
Considering that, during risk assessment you do not need to use data classification types, only information assets (e.g., reports, databases, contracts, etc.).
Regarding the number of risks, a good approach is for each asset to identify 2 or 3 threats and for each threat 2 or 3 vulnerabilities. For 50 assets this will result in between 200 and 450 risks.
This article will provide you with a further explanation about risk assessment:
- ISO 27001 risk assessment: How to match assets, threats, and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
Oct 30, 2020