Save 20% on accredited ISO 27001 course exams.
Limited-time offer – ends July 18, 2024
Use promo code:
EXAM20

Expert Advice Community

Guest

Assets, Threats and Risk assessment

  Quote
Guest
Guest user Created:   Nov 24, 2016 Last commented:   Nov 24, 2016

Assets, Threats and Risk assessment

1 - There are some duties which are somehow sensitive (e.g., company’s obligations payments) a not doing them on time can cause some problems according to legal actions of interested parties against the company, like lack of availability. How can they affect our risk assessment process?
0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Nov 24, 2016

Answer: If the legal actions are taken as a result of lack of information, caused by duties not being performed on time, this situation must be included on your risk assessment, so you can determine if the risk of this situation is unacceptable, and implemented controls as needed.

2 - How can we reflect them in our documentation?

Answer: You should add asset(s) that handle information from these duties (e.g., payment system XYZ, email server, etc.) in your asset inventory, and related risks should be recorded in your risk assessment (e.g., payment delayed by system downtime or processing error may cause a contractual breach). The risks considered unacceptable must be included in the risk treatment plan, where proper controls should be defined (e.g., sy stem redundancy / processing results review).

This article will provide you further explanation about risk assessment:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

3 - Can we consider them as our services? In one of your articles I saw this:

“Outsourced services – e.g. legal services or cleaning services, but also online services like Dropbox or Gmail – it is true that these are not assets in the pure sense of the word, but such services need to be controlled very similarly to assets, so they are very often included in the asset management.”

Are these examples also similar to my case?

Answer: If I'm understanding correctly, these activities are being performed by your own organization, so in this case it is more appropriate for you to refer in your inventory to the assets that handle the information, like I explained in the first question.

4 - It is also not clear for me, how can for example cleaning services affect the risk assessment process? (Aren’t they more like threats than assets?)

Answer: According to 27001 clause 8.1, outsourced processes must be determined and controlled, so, outsourced cleaning services, as well as any other outsourced services, must be included in the risk assessment to ensure they do not represent a risk to information security, or in case they introduce unacceptable risks, to ensure those risks are treated properly.

Regarding how cleaning services may affect the risk assessment process, this service, as well as any other outsourced services, may require, for example, that people who work for this external organization, may have access to your environment and information, and if you do not consider them malicious people (e.g., industrial spies), or untrained people,may cause your information to be compromised (e.g., damaged, lost, or stolen), and you should consider these risks and treat them properly (e.g., by means of contracts, training, etc.).

This article will provide you further explanation about assets and threats:
- ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

These materials will also help you regarding assets and risk assessment and treatment:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your
Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course
https://advisera.com/training/iso-27001-foundations-course/

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Nov 24, 2016

Nov 24, 2016

Suggested Topics

Guest user Created:   Feb 20, 2023 ISO 27001 & 22301
Replies: 1
0 0

Risk Assessment Question

Guest user Created:   Apr 06, 2022 ISO 27001 & 22301
Replies: 1
0 0

27001 question

Guest user Created:   Mar 15, 2017 ISO 27001 & 22301
Replies: 1
0 0

Performing Risk Assessment